基于TrustZone的可信移动终端云服务安全接入方案

doi:10.13328/j.cnki.jos.005000

微信服务号

微信订阅号

2025年4月10日 22:43 星期四

首页 > 过刊浏览>2016年第27卷第6期 >1366-1383. DOI:10.13328/j.cnki.jos.005000

PDF HTML阅读 XML下载导出引用引用提醒

基于TrustZone的可信移动终端云服务安全接入方案
DOI:
                        10.13328/j.cnki.jos.005000
                    
CSTR:
                        
                    
作者:
                        杨波杨波
中国科学院 软件研究所 可信计算与信息保障实验室, 北京 100190;中国科学院大学, 北京 100049
在期刊界中查找
在百度中查找
在本站中查找
冯登国冯登国
中国科学院 软件研究所 可信计算与信息保障实验室, 北京 100190;计算机科学国家重点实验室(中国科学院 软件研究所), 北京 100190
在期刊界中查找
在百度中查找
在本站中查找
秦宇秦宇
中国科学院 软件研究所 可信计算与信息保障实验室, 北京 100190
在期刊界中查找
在百度中查找
在本站中查找
张英骏张英骏
中国科学院 软件研究所 可信计算与信息保障实验室, 北京 100190;中国科学院大学, 北京 100049
在期刊界中查找
在百度中查找
在本站中查找

                    
作者单位:
作者简介:
通讯作者:
中图分类号:
基金项目:国家自然科学基金(91118006,61202414,61402455);国家重点基础研究发展计划(973)(2013CB338003)

Secure Access Scheme of Cloud Services for Trusted Mobile Terminals using TrustZone

Author:

YANG Bo
YANG Bo
Trusted Computing and Information Assurance Laboratory, Institute of Software, The Chinese Academy of Sciences, Beijing 100190, China;University of Chinese Academy of Sciences, Beijing 100049, China
在期刊界中查找
在百度中查找
在本站中查找
FENG Deng-Guo
FENG Deng-Guo
Trusted Computing and Information Assurance Laboratory, Institute of Software, The Chinese Academy of Sciences, Beijing 100190, China;State Key Laboratory of Computer Science (Institute of Software, The Chinese Academy of Sciences), Beijing 100190, China
在期刊界中查找
在百度中查找
在本站中查找
QIN Yu
QIN Yu
Trusted Computing and Information Assurance Laboratory, Institute of Software, The Chinese Academy of Sciences, Beijing 100190, China
在期刊界中查找
在百度中查找
在本站中查找
ZHANG Ying-Jun
ZHANG Ying-Jun
Trusted Computing and Information Assurance Laboratory, Institute of Software, The Chinese Academy of Sciences, Beijing 100190, China;University of Chinese Academy of Sciences, Beijing 100049, China
在期刊界中查找
在百度中查找
在本站中查找

Affiliation:

Fund Project:

National Natural Science Foundation of China (91118006, 61202414, 61402455); National Program on Key Basic Research Project of China (973) (2013CB338003)

摘要

图/表

访问统计

参考文献 [48]

相似文献 [20]

引证文献

资源附件

文章评论

摘要:

可信云架构为云计算用户提供了安全可信的云服务执行环境,保护了用户私有数据的计算与存储安全.然而在移动云计算高速发展的今天,仍然没有移动终端接入可信云服务的安全解决方案.针对上述问题,提出了一种可信移动终端云服务安全接入方案.方案充分考虑了移动云计算应用背景,利用ARM TrustZone硬件隔离技术构建可信移动终端,保护云服务客户端及安全敏感操作在移动终端的安全执行.结合物理不可克隆函数技术,给出了移动终端密钥与敏感数据管理机制.在此基础上,借鉴可信计算技术思想设计了云服务安全接入协议.协议兼容可信云架构,提供云服务端与移动客户端间的端到端认证.分析了方案具备的6种安全属性,给出了基于方案的移动云存储应用实例,实现了方案的原型系统.实验结果表明:可信移动终端TCB较小,方案具有良好的可扩展性和安全可控性,整体运行效率较高.

关键词:移动云计算;可信计算;可信移动终端;安全接入;TrustZone;物理不可克隆函数(PUF)

Abstract:

Trusted cloud architecture provides isolated execution environment for trusted and secure cloud services, which protects the security of cloud users' data computation and storage. However, with the rapid development of mobile cloud computing, there is currently no secure solution for mobile terminals accessing trusted cloud architecture. To address this issue, this research proposes a secure access scheme of cloud services for trusted mobile terminals. By fully considering the background of mobile cloud computing, an architecture of trusted mobile terminal is constructed using ARM TrustZone hardware-based isolation technology that can prevent the cloud service client and security-sensitive operations on the terminal from malicious attacks. Leveraging physical unclonable function (PUF), the key and sensitive data management mechanism is presented. Based on the trusted mobile terminal and by employing trusted computing technology, the secure access protocol is designed. The protocol is compatible with trusted cloud architecture and establishes an end-to-end authenticated channel between mobile cloud client and cloud server. Six security properties of the scheme are analyzed and an instance of mobile cloud storage is provided. Finally a prototype system is implement. The experimental results indicate that the proposed scheme has good expandability and secure controllability. Moreover, the scheme achieves small TCB for mobile terminal and high operating efficiency for cloud users.

Key words:mobile cloud computing;trusted computing;trusted mobile terminal;secure access;TrustZone;PUF

参考文献

[1] Dinh HT, Lee C, Niyato D, Wang P. A survey of mobile cloud computing: Architecture, applications, and approaches. Wireless Communications & Mobile Computing, 2013,13(18):1587-1611. [doi: 10.1002/wcm.1203]

[2] Alzahrani A, Alalwan N, Sarrab M. Mobile cloud computing: advantage, disadvantage and open challenge. In: Proc. of the 7th Euro American Conf. on Telematics and Information Systems. ACM Press, 2014. [doi: 10.1145/2590651.2590670]

[3] Preston AC. Mobile cloud computing: Devices, trends, issues, and the enabling technologies. IBM Developer Works, 2011.

[4] Fernando N, Seng WL, Rahayu W. Mobile cloud computing: A survey. Future Generation Computer Systems, 2013,29(1):84-106. [doi: 10.1016/j.future.2012.05.023]

[5] Visiongain. Mobile cloud computing industry outlook report. 2011-2016. Report, 2011. 1-153. https://www.visiongain.com/ Report/737/Mobile-Cloud-Computing-Industry-Outlook-Report-2011-2016

[6] Feng DG, Zhang M, Zhang Y, Xu Z. Study on cloud computing security. Ruan Jian Xue Bao/Journal of Software, 2011,22(1): 71-83 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/3958.htm [doi: 10.3724/ SP.J.1001.2011.03958]

[7] Wang YD, Yang JH, Xu C, Ling X, Yang Y. Survey on access control technologies for cloud computing. Ruan Jian Xue Bao/ Journal of Software, 2015,26(5):1129-1150 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/4820.htm [doi: 10.13328/j.cnki.jos.004820]

[8] Chris H, Paul S. Security guidance for critical areas of focus in cloud computing V3.0. Technique Guidance, Cloud Security Alliance, 2011.

[9] Proudler G, Chen LQ, Dalton C. Trusted Computing Platforms. Berlin, Heidelberg: Springer-Verlag, 2014. 1-393. [doi: 10.1007/ 978-3-319-08744-3]

[10] Nicolae P. Trusted computing and secure virtualization in cloud computing [MS. Thesis]. Swedish Institute of Computer Science, 2012.

[11] Zhao B, Yan F, Zhang LQ, Wang J. Build trusted cloud computing environment. Communications of CCF (China Computer Federation), 2012,8(7):28-34 (in Chinese with English abstract).

[12] Santos N, Gummadi KP, Rodrigues R. Towards trusted cloud computing. 2009. https://www.usenix.org/legacy/event/hotcloud09/ tech/full_papers/santos.pdf

[13] John M, Tom R, Fred S. The CloudProxy Tao for trusted vomputing. Technical Report, No.UCB/EECS-2013-135, University of California at Berkeley, 2013. http://www.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-135.html

[14] Ko RKL, Jagadpramana P, Mowbray M, Pearson S, Kirchberg M, Liang Q, Lee BS. TrustCloud: A framework for accountability and trust in cloud computing. In: Proc. of the 2011 IEEE World Congress on Services. IEEE Computer Society, 2011. 584-588. [doi: 10.1109/SERVICES.2011.91]

[15] Martignon, L, Poosankam P, Zaharia M, Han J, Mccamant S, Song D, Paxson V, Perrig A, Shenker S, Stoica I. Cloud terminal: Secure access to sensitive applications from untrusted systems. In: Proc. of the 2012 USENIX Conf. on Annual Technical Conf. 2012. 14-14.

[16] Trusted Computing Group. TPM MOBILE with trusted execution environment for comprehensive mobile device security. White Paper, Trusted Computing Group, Incorporated, 2012. http://www.trustedcomputinggroup.org

[17] ARM. ARM security technology: Building a secure system using TrustZone technology. ARM Limited, 2009. http://infocenter.arm. com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf

[18] Zhao SJ, Zhang QY, Hu GY, Qin Y, Feng DG. Providing root of trust for ARM TrustZone using on-chip SRAM. In: Proc. of the 4th Int'l Workshop on Trustworthy Embedded Devices. ACM Press, 2014. [doi: 10.1145/2666141.2666145]

[19] Trusted Computing Group. TPM main specification, version1.2, revision 116. Trusted Computing Group, Incorporated, 2011. http://www.trustedcomputinggroup.org

[20] Trusted Computing Group. Trusted platform module library, family 2.0, revision 01.16. Trusted Computing Group, Incorporated, 2014. http://www.trustedcomputinggroup.org

[21] Wu QX, Yang XW, Zou H, Yu FJ, Ning XK, Wang Z. Technic specification of cryptography supporting platform for trusted computing. China State Password Administration Committee, 2007 (in Chinese). http://www.oscca.gov.cn

[22] Berger S, Caceres R, Goldman KA, Perez R, Sailer R, Doorn L. vTPM: Virtualizing the trusted platform module. In: Proc. of the 15th USENIX Security, 2006. 305-320.

[23] Mccune JM, Li Y, Qu N, Zhou Z, Datta A, Gligor V, Perrig A. TrustVisor: Efficient TCB reduction and attestation. In: Proc. of the IEEE Symp. on Security and Privacy (S&P), IEEE, 2010. 143-158. [doi: 10.1109/SP.2010.17]

[24] Klein A, Mannweiler C, Schneider J. Access schemes for mobile cloud computing. In: Proc. of the 11th Int'l Conf. on Mobile Data Management. IEEE, 2010. 387-392. [doi: 10.1109/MDM.2010.79]

[25] Khana AN, Kiaha MLM, Khanb SU, Madanic SA. Towards secure mobile cloud computing: A survey. Future Generation Computer Systems, 2013,29(5):1278-1299. [doi: 10.1016/j.future.2012.08.003]

[26] Wu C, Zhou YJ, Patel K, Liang ZK, Jiang XX. AirBag: Boosting smartphone resistance to malware infection. In: Proc. of the 2014 Network and Distributed System Security Symp. (NDSS 2014). Internet Society, 2014.

[27] Trusted Computing Group. TCG mobile trusted module specification, version1.0, revision 7.02. Trusted Computing Group, Incorporated, 2010. http://www.trustedcomputinggroup.org

[28] Samuel AB, Don F, Virginie G, Franz H, Janne H, Milas F. The trusted execution environment: Delivering enhanced security at a lower cost to the mobile market. White Paper, GlobalPlatform, 2011.

[29] Atul V. Get into the zone: Building secure systems with ARM TrustZone technology. White Paper, Texas Instruments, 2013.

[30] Santos N, Raj H, Saroiu S, Wolman A. Using ARM TrustZone to build a trusted language runtime for mobile applications. In: Proc. of the ASPLOS 2014. ACM Sigplan Notices, 2014,49(1):67-80. [doi: 10.1145/2541940.2541949]

[31] Yang B, Feng DG, Qin Y. A lightweight anonymous mobile shopping scheme based on DAA for trusted mobile platform. In: Proc. of the IEEE 13th Int'l Conf. on Trust, Security and Privacy in Computing and Communications (TrustCom 2014). IEEE, 2014. 9-17. [doi: 10.1109/TrustCom.2014.6]

[32] Samsung. An overview of Samsung KNOX. White Paper, Samsung Electronics Co., Ltd, 2013.

[33] Dodis Y, Reyzin L. Fuzzy extractors: How to generate strong keys from biometrics and other Noisy data. In: Proc. of the Advances in Cryptology (EUROCRYPT 2004). Berlin, Heidelberg: Springer-Verlag, 2004. 523-540. [doi: 10.1007/978-3-540-24676-3_31]

[34] Guajardo J, Kumar SS. FPGA intrinsic PUFs and their use for IP protection. In: Proc. of the 9th Int'l Workshop on Cryptographic Hardware and Embedded Systems. Berlin, Heidelberg: Springer-Verlag, 2007. 63-80. [doi: 10.1007/978-3-540-74735-2_5]

[35] GlobalPlatform Device Technology. TEE client API specification version 1.0. GlobalPlatform, 2010. http://globalplatform.org

[36] Zhang YJ, Feng DG, Qin Y, Yang B. A TrustZone based trusted code execution with strong security requirements. Journal of Computer Research and Development, 2015,52(10):2224-2238 (in Chinese with English abstract).

[37] Jang J, Kong S, Kim M, Kim D, Kang BB. SeCReT: Secure channel between rich execution environment and trusted execution environment. In: Proc. of the 2015 Network and Distributed System Security Symp. (NDSS 2015). Internet Society, 2015. [doi: 10.14722/ndss.2015.23189]

[38] Xilinx. Zynq-7000 all programmable SoC ZC702 evaluation kit. http://www.xilinx.com/products/boards-and-kits/ek-z7-zc702- g.html

[39] Integrated Silicon Solution, Inc. IS61LV6416-10TL. http://www.alldatasheet.com/datasheet-pdf/pdf/505020/ISSI/IS61LV6416- 10TL.html

[40] Morelos-Zaragoza R. Encoder/decoder for binary BCH codes in C (Version 3.1). http://www.rajivchakravorty.com/source-code/ uncertainty/multimedia-sim/html/bch_8c-source.html

[41] Li WH, Li HB, Chen HB, Xia YB. AdAttester: Secure online mobile advertisement attestation using TrustZone. In: Proc. of the 13th Annual Int'l Conf. on Mobile Systems, Applications, and Services (MobiSys 2015). ACM Press, 2015. 75-88. [doi: 10.1145/ 2742647.2742676]

[42] Yang B, Yang K, Qin Y, Zhang ZF, Feng DG. DAA-TZ: An efficient DAA scheme for mobile devices using ARM TrustZone. In: Proc. of the 8th Int'l Conf. on Trust and Trustworthy Computing (TRUST 2015). LNCS 9229, Springer Int'l Publishing, 2015. 209-227. [doi: 10.1007/978-3-319-22846-4_13]

附中文参考文献:

[6] 冯登国,张敏,张妍,徐震.云计算安全研究.软件学报,2011,22(1):71-83. http://www.jos.org.cn/1000-9825/3958.htm [doi: 10.3724/ SP.J.1001.2011.03958]

[7] 王于丁,杨家海,徐聪,凌晓,杨洋.云计算访问控制技术研究综述.软件学报,2015,26(5):1129-1150. http://www.jos.org.cn/1000- 9825/4820.htm [doi: 10.13328/j.cnki.jos.004820]

[11] 赵波,严飞,张立强,王鹃.可信云计算环境的构建.中国计算机学会通讯,2012,8(7):28-34.

[21] 吴秋新,杨贤伟,邹浩,余发江,宁晓魁,王梓.可信密码支撑平台技术规范.国家密码管理局,2007. http://www.oscca.gov.cn

[36] 张英骏,冯登国,秦宇,杨波.基于TrustZone的强安全需求环境下可信代码执行方案.计算机研究与发展,2015,52(10):2224-2238.

引用本文

杨波,冯登国,秦宇,张英骏.基于TrustZone的可信移动终端云服务安全接入方案.软件学报,2016,27(6):1366-1383

复制

文章指标

点击次数:
下载次数:
HTML阅读次数:
引用次数:

历史

收稿日期:2015-08-15
最后修改日期:2015-10-09
录用日期:
在线发布日期: 2016-01-22
出版日期:

微信服务号

微信订阅号

引用本文

分享

文章指标

历史

文章二维码

微信服务号

微信订阅号

引用本文

分享

微信扫一扫：分享

文章指标

历史

文章二维码