
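VMI-based virtual machine remote attestation scheme
Authors: Wei WANG, Xingshu CHEN, Xiao LAN, Xin JIN
Affiliations: 1. College of Computer Science, Sichuan University, Chengdu 610065, Sichuan, China; 2. Cybersecurity Research Institute, Sichuan University, Chengdu 610065, Sichuan, China; 3. College of Cybersecurity, Sichuan University, Chengdu 610065, Sichuan, China
Funding: National Natural Science Foundation of China (61802270); Fund of the International R&D and Transformation Platform for Transformative Technologies of the National "Mass Entrepreneurship and Innovation" Demonstration Base (C700011)
Abstract: The virtual machine remote attestation scheme proposed by the Trusted Computing Group (TCG) can provide virtual machine integrity verification services for cloud computing platforms, but using the TCG scheme directly gives poor performance and is exposed to the cuckoo attack. A new virtual machine remote attestation scheme is designed using virtual machine introspection (VMI). By collecting the virtual machine's remote attestation evidence in the virtual machine monitor (VMM), the scheme removes the path for carrying out a cuckoo attack from inside the virtual machine. It uses the physical trusted platform module (TPM) to guarantee the integrity of the virtual machine's remote attestation evidence, reduces the number of attestation identity key (AIK) certificates generated, and lowers the load on the private certificate authority. Experiments show that the scheme can effectively verify the integrity state of virtual machines and, when the number of virtual machines is large, outperforms the virtual machine remote attestation scheme proposed by the TCG.

Keywords: virtual machine remote attestation; cuckoo attack; virtual machine introspection; trusted platform module; attestation identity key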

VMI-based virtual machine remote attestation scheme
Authors: Wei WANG, Xingshu CHEN, Xiao LAN, Xin JIN
Affiliation: 1. College of Computer Science, Sichuan University, Chengdu 610065, China; 2. Cybersecurity Research Institute, Sichuan University, Chengdu 610065, China; 3. College of Cybersecurity, Sichuan University, Chengdu 610065, China
Abstract: The virtual machine attestation scheme proposed by trusted computing group (TCG) can provide attestation service of virtual machine for cloud computing. However, the service using the scheme proposed by the TCG directly would be threatened by the cuckoo attack and its performance would be lower. Therefore, a new virtual machine remote attestation scheme based on virtual machine introspection (VMI) was proposed. Firstly, it eliminated the path to perform cuckoo attacks in virtual machines via obtaining virtual machines' remote attestation evidence in virtual machine monitor (VMM). Secondly, it used physical trusted platform module (TPM) to ensure the integrity of virtual machines' remote attestation evidence and reduced the number of attestation identity key (AIK) certificates required during remote attestation to balance the load of private CA. Experiments show that the proposed scheme can verify the status of virtual machines correctly and increase the performance of bulk virtual machines' remote attestation significantly.
Keywords: virtual machine remote attestation; the cuckoo attack; virtual machine introspection; TPM; attestation identity key