检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
名 称:
注 释:
机构地区:[1]中国电子科技集团公司第三十研究所,四川成都610041
出 处:《信息安全与通信保密》2014年第4期89-92,95,共5页Information Security and Communications Privacy
摘 要:云计算通过使用虚拟化技术,将大规模数据中心的设备分成独立的小型资源按需租用给用户。这种多租户环境建立的前提是虚拟化平台是安全可靠的,以确保位于同一台物理主机上的不同用户之间的独立性不被破坏。然而现有虚拟机控制器都拥有一个规模较大的可信计算基,使得其管理的虚拟机存在较大安全风险。文中提出一种方法,将传统的控制虚拟机分解为各个组件组成,每个组件执行单一的功能。这样可以带来一些好处:客户共享的服务组件是可配置和可审计的;限制每个组件以所需的最小权限接入Hypervisor,这使得风险明确化;通过配置组件的微重置的频率,可减小单个组件的时间攻击面。Cloud computing uses virtualization to lease small slices of large scale data center facilities to individual customers. These multi-tenant environments are founded on the belief that the virtualization platform is sufficiently secure to prevent breaches of isolation between different users who are co-located on the same host. Hypervisors have a large aggregate trusted computing base(TCB) that makes the system exposure to risk. This paper proposes an approach of separating the controlling VM into single-purpose components called service VMs. This componentized abstraction brings a number of benefits : the sharing service components is configurable and auditable; making exposure to risk explicitly, as having access to the hypervisor is restricted to the least privilege required for each component; micro rebooting components at configurable frequency could reduce the temporal attack surface of individual components.
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.15