
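A Trustworthiness Evidence Collection Agent for the Dynamic Running Environment of Trusted Terminals
Cite this article: TAN Liang, CHEN Ju. A Trustworthiness Evidence Collection Agent for the Dynamic Running Environment of Trusted Terminals [J]. Journal of Software, 2012, 23(8): 2084-2103.
Authors: TAN Liang, CHEN Ju
Affiliations: 1. College of Computer Science, Sichuan Normal University, Chengdu, Sichuan 610066; Key Laboratory of Visualization in Scientific Computing and Virtual Reality of Sichuan (Sichuan Normal University), Chengdu, Sichuan 610066; Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190
2. College of Computer Science, Sichuan Normal University, Chengdu, Sichuan 610066; Key Laboratory of Visualization in Scientific Computing and Virtual Reality of Sichuan (Sichuan Normal University), Chengdu, Sichuan 610066
Funding: National Natural Science Foundation of China; Sichuan Provincial Youth Fund
Abstract: The chained measurement mechanism of trusted computing does not extend easily to every application on a terminal, so it remains difficult for a trusted terminal to guarantee at all times that its dynamic running environment is trustworthy. To provide objective, genuine, and comprehensive trustworthiness evidence about the dynamic running environment of a trusted terminal, this paper designs and implements a trustworthiness evidence collection agent for the terminal's dynamic running environment, based on the trusted platform module (TPM). The agent's main function is to collect state information and operation information for key objects on the trusted terminal, such as memory, processes, disk files, network ports, and policy data. First, the static trustworthiness of the agent is ensured by extending the TPM trust-transfer process and its measurement function, and the dynamic trustworthiness of the agent is ensured by the isolation technology provided by a trusted virtual machine monitor (TVMM). Then, the TPM's encryption and signature functions are used to ensure that the origin and the transmission of the collected evidence are trustworthy. Finally, a prototype of the agent is implemented on the Windows platform, and an open local area network is used as the experimental environment to analyze both the trustworthiness evidence the agent obtains about the terminal's dynamic running environment and the agent's performance overhead in this application instance. The application instance verifies the feasibility of the scheme.

Keywords: TPM; running environment; trustworthiness evidence; trusted terminal; agent
Received: 2011/1/24
Revised: 2011/8/24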

Trusted Agent for Collecting Trustworthiness Evidence in Terminal Dynamical Running Environment
TAN Liang and CHEN Ju. Trusted Agent for Collecting Trustworthiness Evidence in Terminal Dynamical Running Environment [J]. Journal of Software, 2012, 23(8): 2084-2103.
Authors: TAN Liang and CHEN Ju
Affiliation: 1. College of Computer Science, Sichuan Normal University, Chengdu 610066, China; 2. Key Laboratory of Visualization in Scientific Computing and Virtual Reality of Sichuan (Sichuan Normal University), Chengdu 610066, China; 3. Institute of Computing Technology, The Chinese Academy of Sciences, Beijing 100190, China
Abstract: The chain measurement mechanism of trusted computing does not easily extend to all applications on the terminal, so it is difficult for the terminal to always maintain the trustworthiness of its dynamic running environment. To collect trustworthiness evidence in an objective, genuine, and comprehensive way, a trusted evidence collection agent based on TPM is designed and developed. Its main function is to collect information on the critical objects in the dynamic environment of the terminal, such as memory, processes, disk files, network ports, policy data, and so on. First, the static and dynamic credibility of the agent is assured by the measurement function of the trusted platform module (TPM) and the isolation mechanism of the trusted virtual machine monitor (TVMM), and then the credibility of the origin and transmission of the collected evidence is assured by the encryption and signature functions. This paper also implements a prototype of the agent on the Windows platform. Based on the prototype, the paper examines the trustworthiness evaluation for executing the agent program in a local area network distributed computing environment. In this application, the performance of the prototype is studied, and the feasibility of this approach is demonstrated.
Keywords: TPM (trusted platform module); running environment; trustworthiness evidence; trusted terminal; agent
This article is indexed in CNKI, Wanfang Data, and other databases.