
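An Integrity-Protection-Based Security Protection Method for Terminal Computers
Cite this article: LI Qing-bao, ZHANG Ping, ZENG Guang-yu. An Integrity-Protection-Based Security Protection Method for Terminal Computers [J]. Computer Science (计算机科学), 2015, 42(6): 162-166, 174.
Authors: LI Qing-bao, ZHANG Ping, ZENG Guang-yu
Affiliation: State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450000
Abstract: Terminal computers are the basic units of activity in cyberspace, and their security directly affects the security of the network environment and of information systems. This paper proposes an integrity-protection-based security protection method for terminal computers that combines integrity measurement with real-time monitoring to keep the terminal computer secure and trusted while it runs. A protection framework is established with the TPM as the hardware trusted base and a virtual machine monitor at its core; integrity measurement is used to build a basic chain of trust from the hardware platform to the operating system. While the system is running, integrity-related objects such as kernel code, data structures, key registers and system state data are monitored so that malicious tampering is detected and blocked, ensuring the integrity, security and reliability of the system. Using Intel VT hardware-assisted virtualization, a lightweight virtual machine monitor was designed and implemented with a semi-pass-through structure, and a prototype system was built. Tests show that the method protects terminal computers effectively and has only a small impact on their performance.

Keywords: terminal computer; integrity; virtual machine monitor; integrity measurement; integrity monitoring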

Integrity Based Security Protection Method for Terminal Computer
LI Qing-bao, ZHANG Ping and ZENG Guang-yu. Integrity Based Security Protection Method for Terminal Computer [J]. Computer Science, 2015, 42(6): 162-166, 174.
Authors: LI Qing-bao, ZHANG Ping and ZENG Guang-yu
Affiliation: State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450000, China
Abstract: The terminal computer is the basic unit of network activities, and its security directly affects the security of the network environment and information systems. An integrity based security protection method for terminal computers is proposed, which integrates integrity measurement and real-time monitoring technology to ensure the security and credibility of the terminal computer. A protection framework is established that uses the TPM as the hardware trusted base and a virtual monitor as the core unit. Integrity measurement is used to establish the basic trusted chain from the hardware platform to the operating system. Integrity-related objects, such as kernel code, data structures, key registers and system status data, are monitored while the system is running to detect and prevent malicious tampering, in order to ensure system integrity, security and reliability. A lightweight virtual machine monitor was designed using Intel VT hardware-assisted virtualization technology, and a prototype system was realized. Tests show that the method is effective and has little impact on the performance of the terminal computer.
Keywords: Terminal computer; Integrity; Virtual machine monitor; Integrity measurement; Integrity monitoring
This article is indexed in Wanfang Data and other databases.