Research on an SGX-Based Security Protection Mechanism for Virtual Network Functions
Published: 2019-06-17 18:11
Abstract: Network Functions Virtualization (NFV) is a more flexible and simpler model of network evolution that uses virtualization technology to reduce dependence on hardware. The ultimate goal of NFV is to replace the proprietary, purpose-built network elements of telecommunication networks with industry-standard x86 servers, storage and switching equipment. However, while NFV uses cloud computing and virtualization to give next-generation network services better scalability and automation, it also faces several major security threats arising from virtualization and the network infrastructure. A main problem NFV currently faces is how to build a trusted execution environment for virtual network functions (VNFs) so that VNF instances run securely. We propose a security protection mechanism for virtual network functions based on Intel SGX. The mechanism uses the memory isolation and attestation features of SGX and integrates several security modules to protect VNF instances on the NFV platform. Within this mechanism, SGX memory isolation and sealing are used to isolate and protect VNF instances that run independently on virtual machines, securing both their startup and their runtime while also supporting recovery of a VNF instance; based on SGX remote attestation, VNF instances running on virtual machines receive unified authentication and key management, which is extended to secure communication between virtual network functions, to information collection by the platform, and to the secure distribution of rules and policies. Finally, the protection model is implemented on the QEMU-KVM architecture, and the key technologies in the framework are designed and described in detail. Experiments and analysis show that the framework provides VNF instances with a trusted environment for secure operation, attestation and management, and that introducing SGX adds only a small overhead to VNF instance operation, attestation and secure communication.
Degree-granting institution: Wuhan University
Degree level: Master's
Year degree awarded: 2017
Classification number: TP309
Document ID: 2501163
Link to this article: http://www.sikaile.net/kejilunwen/ruanjiangongchenglunwen/2501163.html