Research on an SGX-Based Security Protection Mechanism for Virtual Network Functions
Published: 2019-06-17 18:11
[Abstract]: Network Functions Virtualization (NFV) is a more flexible and simpler model of network evolution that uses virtualization technology to reduce dependence on hardware. The ultimate goal of NFV is to replace the proprietary, purpose-built network elements of telecommunication networks with industry-standard x86 servers, storage and switching equipment. However, while NFV uses cloud computing and virtualization technology to give next-generation network services better scalability and automation, it also faces several serious security threats arising from the virtualization and network infrastructure. One of the main problems NFV currently faces is how to build a trusted execution environment for virtual network functions (VNFs) so that VNF instances run securely. We propose a security protection mechanism for virtual network functions based on Intel SGX. The mechanism uses SGX features such as memory isolation and attestation, and integrates several security modules to protect the VNF instances on an NFV platform. It uses SGX memory isolation and sealing to isolate and protect each VNF instance running independently on a virtual machine, securing the instance at startup and at runtime while also supporting recovery of the instance; based on SGX remote attestation, it performs unified attestation and key management for the VNF instances running on the virtual machines, and extends this to secure communication between virtual network functions, information collection by the platform, and secure delivery of rules and policies. Finally, the protection model is implemented on the QEMU-KVM architecture, and the key techniques of the framework are designed and described in detail.
Experiments and analysis show that the protection framework provides VNF instances with a trusted environment for secure operation, attestation and management, and that introducing SGX adds only a small overhead to the operation, attestation and secure communication of VNF instances.
[Degree-granting institution]: Wuhan University
[Degree level]: Master's
[Year of degree]: 2017
[Classification number]: TP309
Article ID: 2501163
Link to this article: http://sikaile.net/kejilunwen/ruanjiangongchenglunwen/2501163.html