针对大多数现有技术主要依据可信硬件来保护虚拟机(VM,virtual machine)运行平台的安全,而缺乏对VM安全存储和可信启动保护的问题,提出了一种解决在云平台基础设施服务策略(IaaS,Infrastructure as a Service)下VM的安全存储和可信启动(SSTL,secure storage and trusted launch)方案.根据可信平台模块(TPM,trusted platform module)的一些核心功能,分别从VM镜像加解密、VM宿主平台信息的远程证明和VM度量机制来保证VM存储安全、VM运行环境的安全以及VM可信启动.实验测试与分析表明该系统能够防止非授权启动VM,并能检测针对VM的系统服务描述符表(SSDT,system services descriptor table)以及Kernel Module等系统核心模块攻击.并且对原有系统的性能损耗在允许范围之内,不影响用户的正常使用.
In this paper,we propose a trusted mobile payment environment(TMPE)based on trusted computing and virtualization technology.There are a normal operating system(OS)and a trusted OS(TOS)in TMPE.We store the image of TOS in a memory card to hinder tampering.The integrity of TOS is protected by means of a trusted platform module(TPM).TOS can only be updated through a trusted third party.In addition,virtualization technology is applied to isolate TOS from normal OS.Users complete ordinary affairs in normal OS and security-sensitive affairs in TOS.TMPE can offer users a highly protected environment for mobile payment.Moreover,TMPE has good compatibility in different hardware architectures of mobile platforms.As the evaluation shows,TMPE satisfies the requirement of mobile payment well.
WANG JuanLIN WutaoLI HaoyuDU BianxiaMENG KeWANG Jiang
To prevent malicious virtual machine from harming the security of vTPM-VM live migration process, we propose an improved vTPM-VM live migration protocol which uses a TPM-based integrity verification policy and a specific encryption scheme to enhance security. The TPM-based integrity verification policy is presented to ensure that all participating entities in this process are trustworthy. In data transfer phase, the specific encryption scheme is designed to associate the decipher process with one certain platform status so that only the destination platform can gain the key data of the migrated VM and vTPM instance. The security of this new protocol is analyzed. The results show that this protocol can effectively resist most of the attacks in the process of vTPM-VM live migration.
In this paper,in order to increase the amount of hiding information,we choose MPEG sequences as carriers and present a practical method focus on the steganographic method in MPEG compressed video sequences.Generally,there are many B-frames in each GOP.We utilize the B-frames to hide information so that we can increase the amount of hiding information and decrease the tamper of the carriers.Hiding and extracting are performed in compressed video sequences without requiring original video.The experimental results show that the proposed method has the characteristics of less tampering on the visual effect and larger hiding capacity without increasing the volume of the carrier file.
Virtual trusted platform module(vTPM) is an important part in building trusted cloud environment. Aiming at the remediation of lack of effective security assurances of vTPM instances in the existing virtual TPM architecture, this paper presents a security-improved scheme for virtual TPM based on kernel-based virtual machine(KVM). By realizing the TPM 2.0 specification in hardware and software, we add protection for vTPM's secrets using the asymmetric encryption algorithm of TPM. This scheme supports the safety migration of a TPM key during VM-vTPM migration and the security association for different virtual machines(VMs) with vTPM instances. We implement a virtual trusted platform with higher security based on KVM virtual infrastructure. The experiments show that the proposed scheme can enhance the security of virtual trusted platform and has fewer additional performance loss for the VM migration with vTPM.
