A kind of secure virtual machine migratory systemTechnical field
The present invention relates to virtual cloud security fields, and in particular to a kind of secure virtual machine migratory system.
Background technique
Cloud computing technology is grown rapidly now, has become the research hotspot of domestic and international internet industry.As a kind of newType calculates mode, it is using resource rental, application hosting, service outsourcing as core, using IT resource, data, using logical as serviceIt crosses internet and is supplied to cloud tenant.
Most worthy is dynamic migration of virtual machine technology in cloud computing.Dynamic migration of virtual machine technology can keep emptyWhile quasi- machine operation, it is moved to purpose physical machine from a source physical machine, and resume operation in purpose physical machine, fromAnd guaranteeing transition process is transparent to user.Moreover, the dynamic load of server may be implemented in dynamic migration of virtual machine technologyBalanced and on-line maintenance, and provide a kind of perspective fault-tolerant networks.Currently, the research for dynamic migration of virtual machine technology is bigMostly it is the research to transport efficiency, such as shortens transit time, fast transferring, reduces the amount of migration, to exists in transition processStudy on Safety Problem is less.And in actual cloud computing environment, often there is a large amount of security threat and needs to further investigate simultaneouslyIt is proposed reasonable solution.Its problem specifically includes that the fragility of data transmission channel, i.e., migrating data is in no any guarantorIn the case where shield, the attack of passive listening and active control may be subjected to;For the attack of VMM, attacker may be usedThe attack patterns such as network cheating and Replay Attack, when lacking access control, attacker can kidnap the control of VMM, arbitrarilyIt initiates virtual machine (vm) migration and controls Client OS;For the attack of transferring module, moving for virtual machine (vm) migration is realized in VMMLoophole in shifting formwork block will lead to VMM and client computer OS by the destruction of attacker.
Summary of the invention
For the above-mentioned problems in the prior art, the invention proposes a kind of secure virtual machine migratory systems, meetPlatform authentication, data transmission protection, the protection of virtual credible root atomicity and VM- virtual TPCM security association four safety needIt asks.
The invention proposes a kind of secure virtual machine migratory systems characterized by comprising
Cloud Server hardware environment, the Cloud Server hardware environment include hardware TPCM chip;
Host machine system includes local security migration engine in the host machine system;
Virtual machine monitor includes virtual TPCM backend driver in the virtual machine monitor, loads virtual TPCMExample executes actively monitoring to virtual machine and actively measures;
One or more virtual machine instances, one or more of virtual machine instances are managed by the virtual machine monitor is unifiedIt manages, includes a trusted software base in each virtual machine instance, measurement, control are executed to virtual machine by the trusted software baseAnd decision.
Preferably, the system also includes:
The hardware TPCM chip and host machine system constitute dual system architecture, preferentially power on before system operationStarting carries out active safety measurement to system.
Preferably, the local security migration engine includes:
Key negotiation module, remote proving module, Confidentiality protection module, integrity protection module and virtual TPCM lifeCycle management module.
Preferably, the system also includes:
The key negotiation module uses friendship by tls handshake protocol in the handshake procedure of source node and destination nodeChange information and calculate separately and obtain two symmetric keys --- Kenc and Kmac.
Preferably, the system also includes:
The remote proving module proves the integrality of target platform.
Preferably, the system also includes:
Kenc that the Confidentiality protection module and the integrity protection module call key negotiation module to obtain andKmac key carries out encryption and decryption and completeness check to the data flow of transmission.
Preferably, the system also includes:
If completeness check success, the completeness check module of target platform can return to ATT_SUCCESS notice, failureATT_FAILED is then returned, session is interrupted.
Preferably, the system also includes:
For the virtual machine TPCM life cycle management module during virtual machine (vm) migration, the TPCM deleted in source node is realExample creates the TPCM example of duplicate plate according to the TPCM example in source node in destination node.
Preferably, the system also includes:
The virtual machine TPCM life cycle management module is packaged the virtual TPCM example in source node;
Destination node is sent by the virtual TPCM example after encapsulation;
The destination node regenerates new virtual TPCM example according to the virtual TPCM example.
The invention proposes a kind of secure virtual machine migratory systems, guarantee virtual machine in source node by quadruple security mechanismSafety transfer between destination node: first, key agreement and remote proving module realize the flat of virtual machine (vm) migration processIt is authenticated between platform;Second, the session key that Confidentiality protection module and integrity protection module are obtained using key negotiation module,Transmission data are carried out adding solution and completeness check, ensure that and construct safe communication channel between source platform and target platform;Third, virtual TPCM life cycle management module learn virtual machine (vm) migration to target platform, the starting of schedule virtual TPCM managerVirtual TPCM example carries out actively monitoring to virtual machine and actively measures, and completes the bindings of the virtual TPCM of VM-, ensure thatThe security association of the virtual TPCM of VM-;4th, the virtual virtual TPCM manager of TPCM life cycle management module schedules is completed virtualThe operation such as creation, deletion of TPCM example, ensure that in transition process will not lose virtual TPCM example because of migration failure,It will not be completed because of migration, occur old not deleted virtual TPCM example copy in source platform, virtually may be used to ensure thatBelieve the atomicity of root.
Detailed description of the invention
Present invention will be further explained below with reference to the attached drawings and examples, in attached drawing:
Fig. 1 is XEN virtual machine (vm) migration system architecture diagram in the prior art;
Fig. 2 is one of the embodiment of the present invention one secure virtual machine migratory system architecture diagram;
Fig. 3 is the local security migration engine comprising modules figure in the embodiment of the present invention two;
Fig. 4 is one of the embodiment of the present invention three secure virtual machine moving method flow chart.
Specific embodiment
Now in conjunction with attached drawing, elaborate to presently preferred embodiments of the present invention.
XEN dynamic migration of virtual machine system is as shown in Figure 1, it includes four basic modules in the prior art: migration is monitoredModule runs transferring module, freezes module and target platform wake-up module.The major functions of each module are as follows:
Monitor transferring module: monitor transferring module major function be determination to carry out virtual machine (vm) migration virtual machine it is realThe problems such as example, transit time, the target platform moved to.
Operation transferring module: operation transferring module mainly monitors and the entire virtual machine (vm) migration process of control.The module is wholeThe key of a virtual machine (vm) migration will have a direct impact on migration elapsed time and downtime.It receives the signal from transferring module,If necessary to migrate, collects source platform and relevant operation information and package information is labeled as domain.Then and freeze module progressCommunication, and then source platform execution is freezed to instruct, freeze source platform.When target platform obtains the shape of virtual machine operation in source platformAfter state information, which initiates wake-up signal, the virtual machine instance of wake up target server.
Freeze module: freezing module for the virtual machine to source platform and target platform and execute freeze operation, i.e. virtual machineIt shuts down.Integrality, consistency and the continuity of service, downtime in order to guarantee data is very of short duration.
Wake-up module: target platform obtains in source platform after the status information of virtual machine operation, so that it may by source platformOn virtual machine delete, while the virtual machine instance on wake up target platform guarantees the integrality of migration.
Embodiment one
Existing virtual machine (vm) migration system does not have the platform authentication of virtual machine (vm) migration, it cannot be guaranteed that the source of virtual machine (vm) migration is flatThe status safety of platform and target platform is credible.Lack data transmission protection simultaneously, appearance during virtual machine (vm) migration can not be handledMan-in-the-middle attack etc. threaten.
For defect existing for existing virtual machine (vm) migration system, present embodiment discloses a kind of migrations of secure virtual machine to beSystem, system framework figure is as shown in Fig. 2, include that Cloud Server hardware environment, host machine system, virtual machine monitor and virtual machine are realExample:
Wherein, the hardware TPCM chip of bottom hardware environment provides the cryptographic service of trust computing for system, andTPCM and host machine system constitute the credible 3.0 dual system architectures proposed, provide actively monitoring for system and actively measureMechanism is powered up starting, supervisory control system running environment, the safety of safeguards system prior to system.
Wherein, host machine system includes trusted software base (TSB).It is all local to placed offer management in trusted software baseCore --- the local security migration engine of virtual the TPCM manager and secure virtual machine shift function of virtual TPCM example, twoPerson can call the trust computing resource of bottom TPCM to complete corresponding migration or virtual credible root management function.Virtual TPCMManager manages access of the upper layer to virtual TPCM example, the access according to upper layer to virtual TPCM as a service routineSituation dispatches the trust computing resource of the TPCM of bottom hardware environment, manages importing and exporting for virtual TPCM context, and provideNew virtual TPCM example creation and virtual TPCM shift function.
Wherein, the upper layer of host machine system is virtual machine monitor VMM, includes virtual TPCM backend driver in VMM,The virtual TPCM context instance provided for loading virtual TPCM manager, to corresponding virtual machine offer active monitoring and activelyThe functions such as measurement.
Wherein, the top layer of system is the virtual machine instance being managed collectively by VMM, includes one in each virtual machine instanceThe trusted software base of a virtual machine, provides tolerance mechanism, controlling mechanism and decision mechanism of virtual machine etc..
Embodiment two
The local security migration engine in above-mentioned secure virtual machine migratory system will be described in detail in the present embodiment,As shown in figure 3, the safety transfer engine includes key agreement, remote proving, Confidentiality protection, integrity protection and virtualFive modules of TPCM life cycle management, are described in detail below the function of each module:
(1) key negotiation module
Key negotiation module is used for source platform and target platform mutual identity authentication, and negotiates for protecting subsequent numberAccording to the key of the confidentiality and integrity of exchange, that is, provide the Confidentiality protection module and integrity protection mould of local migration engineThe key of block.Key negotiation module generates two symmetric keys --- Kenc and Kmac, the two keys by tls handshake protocolIt is to calculate separately out using the information of exchange during the handshake process by source and target platform.
(2) remote proving module
Remote proving module is used to verify the integrity certification of target platform.Remote proving module uses key negotiation moduleObtained encryption key Kenc and integrity check key Kmac.
Remote proving module main working process is as follows:
A) source platform generates random number N s, is sent to target platform together with remote proving request ATT_REQ
B) target platform carries out completeness check to information, and calls the authentication key A IK of bottom TPCM to PCR valueIt signs with the Ns received, information after signature is sent to source platform together with metrics logs SML
C) contents such as integrality of source platform verifying target platform determine that migration continues or issue to interrupt sessionInstruction.
(3) Confidentiality protection module and integrity protection module
Confidentiality protection module and integrity protection module are used to the safety of transmission data during virtual machine (vm) migrationProtection, protection data include two parts: the relevant information of source platform virtual machine information and corresponding virtual TPCM example.ConfidentialityKenc the and Kmac key that protective module and integrity protection module can call key negotiation module to obtain, to the data flow of transmissionCarry out encryption and decryption and completeness check work.Completeness check success, then the completeness check module of target platform can returnATT_SUCCESS notice, failure then return to ATT_FAILED, interrupt session.
(4) virtual TPCM life cycle management module
Virtual TPCM life cycle management module is for initiating the virtual TPCM example of source platform during virtual machine (vm) migrationThe creation of delete operation and the virtual TPCM example of target platform operates, and guarantees the atom of virtual TPCM example in transition processProperty.
Once initiating migration operation, need transportable key being sent to target platform, by the virtual TPCM of target platformThe creation that life cycle management module calls virtual TPCM manager to carry out virtual TPCM example operates.Complete virtual TPCM exampleCreation after, it is real that the virtual TPCM manager of virtual TPCM life cycle management module invocation target platform starts virtual TPCMExample.When virtual machine (vm) migration to target platform, active monitoring and active are carried out to virtual machine by the virtual TPCM example of target platformMeasurement, measurement results are correct, and virtual TPCM and virtual machine are bound, and guarantee the security association of virtual TPCM-VM, and notify voidQuasi- TPCM life cycle management module deletes the virtual TPCM example of source platform.
If migration failure, virtual TPCM life cycle management module are called on virtual TPCM manager delete target platformVirtual TPCM.Guarantee the fault recovery of virtual TPCM and prevents to repeat to copy.
A kind of secure virtual machine migratory system proposed in through this embodiment guarantees virtual machine by quadruple security mechanismSafety transfer between source node and destination node: first, key agreement and remote proving module realize virtual machine (vm) migrationIt is authenticated between the platform of process;Second, what Confidentiality protection module and integrity protection module were obtained using key negotiation moduleSession key, to transmission data carry out plus solution and completeness check, ensure that constructed between source platform and target platform it is safeCommunication channel;Third, virtual TPCM life cycle management module learn virtual machine (vm) migration to target platform, schedule virtual TPCM pipeThe virtual TPCM example of device starting is managed to virtual machine progress active monitoring and active measurement, and the binding for completing the virtual TPCM of VM- is graspedMake, ensure that the security association of the virtual TPCM of VM-;4th, the virtual virtual TPCM management of TPCM life cycle management module schedulesDevice completes the operation such as creation, deletion of virtual TPCM example, and ensure that in transition process will not lose empty because of migration failureQuasi- TPCM example will not be completed because of migration, occur old not deleted virtual TPCM example copy in source platform, to protectThe atomicity of virtual credible root is demonstrate,proved.
Embodiment three
Based on the secure virtual machine migratory system in above-mentioned two embodiment, the present embodiment proposes a kind of secure virtual machineMoving method, as shown in figure 4, it migrates process are as follows:
(1) after source platform receives migration signal, target platform address is determined, source platform and target platform are held using TLSHandball Association's view carries out key agreement, obtains two symmetric keys --- Kenc and Kmac.
(2) source platform and target platform verify mesh using the session key that key agreement obtains by remote proving moduleMark the integrality of platform.
(3) the virtual TPCM life cycle management module of source platform calls virtual TPCM manager to carry out virtual TPCM exampleData encapsulation, virtual TPCM manager call the trust computing resource of bottom TPCM to the virtual TPCM example of virtual machine to be migratedData complete encapsulation.
(4) source platform sends the virtual TPCM instance data after encapsulation to target platform.
(5) the virtual TPCM life cycle management module of target platform calls virtual TPCM manager to unseal dataDress, and virtual TPCM example is regenerated in target platform using the data, complete the migration of virtual credible root.
(6) target platform, which is sent, confirms signal that virtual TPCM creation is completed to source platform.
(7) source platform receives the signal that virtual TPCM migration is completed, and virtual TPCM life cycle management module notice is virtualTPCM manager deletes local virtual TPCM example copy, and starts virtual machine (vm) migration.
(8) target platform carries out actively monitoring to virtual machine (vm) migration process and actively measures.
(9) when virtual machine (vm) migration is completed and source platform sends virtual TPCM example and deletes notice, virtual TPCM Life CyclePeriod management module notifies virtual TPCM manager to enable local vTCPM example, carries out active measurement to virtual machine, if measurement knotFruit is correct, completes the virtual TPCM binding of VM-, and entire transition process terminates.
One of through this embodiment secure virtual machine moving method, it can be achieved that virtual machine in source node and destination nodeBetween safety transfer, wherein key agreement and remote proving module realize and recognize between the platform of virtual machine (vm) migration processCard;The session key that Confidentiality protection module and integrity protection module are obtained using key negotiation module, to transmission data intoRow plus solution and completeness check, ensure that and construct safe communication channel between source platform and target platform;Virtual TPCM lifeCycle management module learns virtual machine (vm) migration to target platform, and the virtual TPCM example of schedule virtual TPCM manager starting is to virtualMachine carries out actively monitoring and actively measures, and completes the bindings of the virtual TPCM of VM-, ensure that the safety of the virtual TPCM of VM-Association;The virtual virtual TPCM manager of TPCM life cycle management module schedules completes creation, the deletion etc. of virtual TPCM exampleOperation, ensure that in transition process will not lose virtual TPCM example because of migration failure, will not complete because of migration,There is old not deleted virtual TPCM example copy in source platform, to ensure that the atomicity and safety of virtual credible root.
In several embodiments provided by the present invention, it should be understood that disclosed method and terminal can pass through itIts mode is realized.For example, the apparatus embodiments described above are merely exemplary, for example, the division of the module, onlyOnly a kind of logical function partition, there may be another division manner in actual implementation.
In addition, the technical solution in above-mentioned several embodiments can be combined with each other and replace in the case where not conflictingIt changes.
The module as illustrated by the separation member may or may not be physically separated, aobvious as moduleThe component shown may or may not be physical unit, it can and it is in one place, or may be distributed over multipleIn network unit.Some or all of the modules therein can be selected to realize the mesh of this embodiment scheme according to the actual needs's.
It, can also be in addition, each functional module in each embodiment of the present invention can integrate in one processing unitIt is that each unit physically exists alone, can also be integrated in one unit with two or more units.Above-mentioned integrated listMember both can take the form of hardware realization, can also realize in the form of hardware adds software function module.
It is obvious to a person skilled in the art that invention is not limited to the details of the above exemplary embodiments, Er QieIn the case where without departing substantially from spirit or essential attributes of the invention, the present invention can be realized in other specific forms.Therefore, no matterFrom the point of view of which point, the present embodiments are to be considered as illustrative and not restrictive, and the scope of the present invention is by appended powerBenefit requires rather than above description limits, it is intended that all by what is fallen within the meaning and scope of the equivalent elements of the claimsVariation is included in the present invention.Any attached associated diagram label in claim should not be considered as right involved in limitation to wantIt asks.Furthermore, it is to be understood that one word of " comprising " does not exclude other units or steps, odd number is not excluded for plural number.It is stated in system claimsMultiple modules or device can also be implemented through software or hardware by a module or device.The first, the second equal wordsIt is used to indicate names, and does not indicate any particular order.
Finally it should be noted that the above examples are only used to illustrate the technical scheme of the present invention and are not limiting, although referencePreferred embodiment describes the invention in detail, those skilled in the art should understand that, it can be to of the inventionTechnical solution is modified or equivalent replacement, without departing from the spirit and scope of the technical solution of the present invention.