Analysis and Implementation of IaaS Cloud Platform Security Hardening
Published: 2019-02-17 09:52
[Abstract]: Cloud security is becoming increasingly important in the cloud computing era. On the one hand, the essence of the cloud computing model is the separation of data ownership from data management, which objectively puts the cloud administrator in a position to abuse privileges and steal users' private data. On the other hand, the IaaS cloud platform is the foundation layer of the whole cloud, so a misconfiguration of any component or a vulnerability in how the system is built at the IaaS layer can affect the secure operation of the entire cloud environment. First, this thesis surveys the main technical approaches in related domestic and international research, in four areas: fine-grained partitioning of cloud platform privileges, run-time arbitration on the cloud platform, traceability and accountability in the cloud model, and security configuration of IaaS cloud platforms. Then, to expose the problems of blurred division of management authority, abuse and misuse of privileged actions, and configuration vulnerabilities in the IaaS model, it analyses the architecture, privilege partitioning and log auditing of the current mainstream cloud platforms (OpenStack, VMware vSphere, QEMU+KVM and Xen) and actually implements five attack instances in which a malicious cloud administrator steals user data from an IaaS cloud platform. The research and implementation work on hardening the IaaS cloud platform is divided into two parts. The first is control and auditing of privileged actions on the IaaS platform: based on the platform's API, it performs fine-grained privilege partitioning, role definition, and interception, second-person review and auditing of privileged operations. The second is security configuration checking and hardening: based on the platform's configuration, it checks the security configuration of the IaaS platform and repairs the weaknesses found.
Experiments on OpenStack and VMware vSphere show that the API-based privileged-action control and audit system provides fine-grained privilege partitioning, seamless adaptation, privilege control and log auditing for both platforms while keeping the response time of normal user operations acceptable, and that security configuration hardening of OpenStack and VMware vSphere reduces the attack surface and keeps the IaaS cloud platform running securely.
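The abstract names the pieces of the first contribution (fine-grained privilege partitioning, role definition, interception of privileged operations with second-person review, and log auditing) but does not show how they fit together on the API path. The block below is an added illustration written for this page; it is not code from the thesis, nor from OpenStack or vSphere. The operation names (server.list, volume.snapshot, ...), the role names, the tenant rule and the approval pairs are assumptions chosen for the example, and the hash-chained audit log is one way to make the audit record tamper-evident against the same administrator it constrains, which the abstract does not specify.

```python
import hashlib, json, time, uuid
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PENDING_REVIEW = "pending_review"


# Fine-grained partition of the coarse "admin" right into operation families.
# Operation and role names are illustrative (OpenStack-style), not the thesis's.
PERMISSIONS = {
    "server.list":         {"tenant_user", "ops_admin", "security_admin", "auditor"},
    # Operations that expose tenant data: only the owning tenant runs them directly.
    "server.create_image": {"tenant_user"},
    "volume.snapshot":     {"tenant_user"},
}
# An admin may still request a data-exposing operation (e.g. for a migration), but it is held
# until a second person with a different role approves: op -> (requesting role, approving role).
DUAL_CONTROL = {
    "server.create_image": ("ops_admin", "security_admin"),
    "volume.snapshot":     ("ops_admin", "security_admin"),
}


def _chain_hash(prev, body):
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()


@dataclass(frozen=True)
class Request:
    actor: str
    role: str
    operation: str
    target: str          # resource id
    target_tenant: str   # tenant that owns the resource
    actor_tenant: str    # tenant of the actor; "" for platform staff


@dataclass
class Gatekeeper:
    audit_log: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)

    def _audit(self, event, req, **extra):
        """Append a hash-chained record so later tampering by an admin is detectable."""
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        body = {"ts": time.time(), "event": event, "actor": req.actor, "role": req.role,
                "operation": req.operation, "target": req.target, **extra}
        self.audit_log.append({**body, "prev": prev, "hash": _chain_hash(prev, body)})

    def submit(self, req):
        """Intercept an API call; returns (decision, review id or None)."""
        if req.role == "tenant_user" and req.actor_tenant != req.target_tenant:
            self._audit("deny", req, reason="cross-tenant access")
            return Decision.DENY, None
        if req.role in PERMISSIONS.get(req.operation, set()):   # unknown ops: default deny
            self._audit("allow", req)
            return Decision.ALLOW, None
        rule = DUAL_CONTROL.get(req.operation)
        if rule and req.role == rule[0]:                        # privileged: hold for review
            review_id = uuid.uuid4().hex
            self.pending[review_id] = req
            self._audit("pending_review", req, review_id=review_id)
            return Decision.PENDING_REVIEW, review_id
        self._audit("deny", req, reason="role not permitted")
        return Decision.DENY, None

    def approve(self, review_id, approver, approver_role):
        """Second-person review; a failed review consumes the pending request."""
        req = self.pending.pop(review_id, None)
        if req is None:
            return Decision.DENY
        if approver_role != DUAL_CONTROL[req.operation][1] or approver == req.actor:
            self._audit("deny", req, reason="invalid approver", approver=approver)
            return Decision.DENY
        self._audit("allow", req, approver=approver, review_id=review_id)
        return Decision.ALLOW

    def verify_log(self):
        """Recompute the hash chain; False if any record was altered or removed."""
        prev = "0" * 64
        for rec in self.audit_log:
            body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            if rec["prev"] != prev or rec["hash"] != _chain_hash(prev, body):
                return False
            prev = rec["hash"]
        return True


def demo():
    """Constructed scenario: an ops admin tries to snapshot a tenant's volume."""
    gk, r = Gatekeeper(), {}
    r["own"] = gk.submit(Request("alice", "tenant_user", "volume.snapshot", "vol-1", "t-a", "t-a"))[0]
    r["cross"] = gk.submit(Request("bob", "tenant_user", "volume.snapshot", "vol-1", "t-a", "t-b"))[0]
    r["admin"], rid = gk.submit(Request("mallory", "ops_admin", "volume.snapshot", "vol-1", "t-a", ""))
    r["reviewed"] = gk.approve(rid, "carol", "security_admin")     # four-eyes approval
    r["log_ok"] = gk.verify_log()
    gk.audit_log[2]["actor"] = "nobody"                            # an admin edits the log
    r["log_after_tamper"] = gk.verify_log()
    return r
```

In demo(), the tenant's own snapshot passes straight through, a cross-tenant request from another tenant is refused, and the administrator's request is intercepted and only proceeds once a security_admin who is not the requester approves it; a failed review consumes the request so it cannot be retried with a different approver. The audit verifier returns False as soon as any record in the chain is edited, which is the property the thesis's audit component needs when the person being audited also operates the platform.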
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year of degree]: 2017
[Classification number]: TP393.08
Article ID: 2425038
Article link: http://sikaile.net/guanlilunwen/ydhl/2425038.html