To mitigate cache-based side-channel attacks between virtual machines co-resident on the same physical platform, in which an attacking VM infers information about a victim VM by probing the shared cache, this paper proposes a defence built on the Xen virtual machine scheduler. First, the principle and the steps of cross-VM cache-based side-channel attacks on cloud platforms are analysed, together with Xen's default Credit scheduling algorithm. The Credit scheduling policy is then modified to address the timing requirements of such attacks in two ways. On one hand, the VCPU running the target process is marked so that it is scheduled ahead of the other VCPUs, allowing it to evade the attacker's cache probing. On the other hand, the VCPU of the attacking process is restricted: as long as the target process has not finished, the attacker's VCPU is always placed at the end of the run queue, separating it from the target process in time as far as possible. Finally, the modified scheduling policy is evaluated in a simulator; the results show that it effectively weakens cache-based side-channel attacks.
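The two scheduling rules above can be made concrete with a small single-core run-queue model. The following Python is an added illustration written for this page, not code from the paper or from Xen: it keeps only one feature of Credit (each VCPU gets a fair-share credit per accounting period, and VCPUs that still hold credit are picked before those that have spent it), applies the "target first / attacker last while the target lives" rules, and measures how many slices separate each target slice from the attacker's next slice. The VCPU names, workloads and the single-slice credit model are constructed assumptions.

```python
"""Toy single-core model of the scheduling change described in the abstract.

Constructed example, not Xen code. The run queue mimics one feature of
Credit: every VCPU receives one time slice of credit per accounting period
(its fair share), and VCPUs that still hold credit (UNDER) are picked before
VCPUs that have spent it (OVER). The defence adds two rules that apply only
while the marked target VCPU still has work:
  1. the target is chosen first among runnable VCPUs (the "mark");
  2. the attacker VCPU is deferred behind every other VCPU, i.e. it sits
     at the tail of the queue.
"""
from collections import deque

TARGET, ATTACKER, OTHER = "target", "attacker", "other"


class VCPU:
    def __init__(self, name, role, work):
        self.name = name    # constructed names such as "victim-vcpu"
        self.role = role    # TARGET, ATTACKER or OTHER
        self.work = work    # time slices still needed before it exits
        self.credit = 0     # >0 means UNDER, <=0 means OVER


def pick(queue, modified, target_alive):
    """Remove and return the VCPU that runs in the next time slice."""
    under = [v for v in queue if v.credit > 0]
    candidates = under or list(queue)           # UNDER before OVER, queue order
    if modified and target_alive:
        marked = [v for v in candidates if v.role == TARGET]
        if marked:
            candidates = marked                 # rule 1: target first
        else:
            not_spy = [v for v in candidates if v.role != ATTACKER]
            candidates = not_spy or candidates  # rule 2: attacker last
    chosen = candidates[0]
    queue.remove(chosen)
    return chosen


def simulate(vcpus, modified):
    """Run every VCPU to completion on one core; return the list of roles
    that ran in each time slice (the execution trace)."""
    queue = deque(vcpus)
    period = len(vcpus)   # one accounting period = one slice per VCPU
    trace, tick = [], 0
    while queue:
        if tick % period == 0:
            for v in queue:          # refill: fair share for the next period
                v.credit = 1
        target_alive = any(v.role == TARGET for v in queue)
        v = pick(queue, modified, target_alive)
        trace.append(v.role)
        v.work -= 1
        v.credit -= 1
        tick += 1
        if v.work > 0:
            queue.append(v)          # round-robin re-queue at the tail
    return trace


def attacker_gaps(trace):
    """For every target slice, the number of slices that run before the
    attacker gets the core again. A prime+probe attacker wants this to be
    0: it primes, the target runs, and it probes before other VCPUs touch
    the cache."""
    gaps = []
    for i, role in enumerate(trace):
        if role != TARGET:
            continue
        for j in range(i + 1, len(trace)):
            if trace[j] == ATTACKER:
                gaps.append(j - i - 1)
                break
    return gaps


def make_vcpus(work=4, others=2):
    """Constructed workload: one victim, one spy and `others` bystander VCPUs."""
    vcpus = [VCPU("victim-vcpu", TARGET, work), VCPU("spy-vcpu", ATTACKER, work)]
    vcpus += [VCPU(f"dom{i}-vcpu", OTHER, work) for i in range(others)]
    return vcpus


def compare(work=4, others=2):
    """Return (baseline min gap, modified min gap) for the same workload."""
    base = simulate(make_vcpus(work, others), modified=False)
    mod = simulate(make_vcpus(work, others), modified=True)
    return min(attacker_gaps(base)), min(attacker_gaps(mod))


if __name__ == "__main__":
    for others in (2, 0):
        print(f"{others} other VCPUs on the core -> (baseline, modified) min gap:",
              compare(others=others))
```

With two bystander VCPUs the baseline trace is `target, attacker, other, other` repeated, so the attacker always runs immediately after the target (gap 0); with the two rules the trace becomes `target, other, other, attacker`, so two unrelated VCPUs always run in between (gap 2). Running the model with no other VCPU on the core shows the limit of a pure ordering defence: the two rules can only alternate target and attacker, and the gap falls back to 0, which is why the abstract speaks of isolating the two "as far as possible" in time rather than absolutely.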