Results 1 - 6 of 6
Seeding clouds with trust anchors
- In Proc. of CCSW, 2010
Cited by 17 (0 self)
Customers with security-critical data processing needs are beginning to push back strongly against using cloud computing. Cloud vendors run their computations upon cloud provided VM systems, but customers are worried such host systems may not be able to protect themselves from attack, ensure isolation of customer processing, or load customer processing correctly. To provide assurance of data processing protection in clouds to customers, we advocate methods to improve cloud transparency using hardware-based attestation mechanisms. We find that the centralized management of cloud data centers is ideal for attestation frameworks, enabling the development of a practical approach for customers to trust in the cloud platform. Specifically, we propose a cloud verifier service that generates integrity proofs for customers to verify the integrity and access control enforcement abilities of the cloud platform that protect the integrity of customer’s application VMs in IaaS clouds. While a cloud-wide verifier service could present a significant system bottleneck, we demonstrate that aggregating proofs enables significant overhead reductions. As a result, transparency of data security protection can be verified at cloud-scale.
Implementing trust in cloud infrastructures
- In Proc. of the 2011 11th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID’11), Los Alamitos, 2011
Cited by 14 (4 self)
Today’s cloud computing infrastructures usually require customers who transfer data into the cloud to trust the providers of the cloud infrastructure. Not every customer is willing to grant this trust without justification. It should be possible to detect that at least the configuration of the cloud infrastructure—as provided in the form of a hypervisor and administrative domain software—has not been changed without the customer’s consent. We present a system that enables periodical and necessity-driven integrity measurements and remote attestations of vital parts of cloud computing infrastructures. Building on the analysis of several relevant attack scenarios, our system is implemented on top of the Xen Cloud Platform and makes use of trusted computing technology to provide security guarantees. We evaluate both security and performance of this system. We show how our system attests the integrity of a cloud infrastructure and detects all changes performed by system administrators in a typical software configuration, even in the presence of a simulated denial-of-service attack.
Credo: Trusted Computing for Guest VMs with a Commodity Hypervisor
- 2011
Cited by 8 (6 self)
This paper presents the Credo architecture to enable trustworthy virtualization based cloud computing platforms. A key feature of Credo is a small platform Trusted Computing Base (TCB) for a customer VM that consists only of a securely launched hypervisor and minimal hardware components, without any privileged partitions and their administrators. Credo achieves this reduction in TCB via emancipation, a mechanism that provides VMs enhanced secrecy and integrity protection guarantees from privileged partitions. Trust in an emancipated VM is established via its measured launch by the hypervisor and an attestation of a dynamically established trust chain rooted in the Trusted Platform Module (TPM). Experimental results from a prototype implementation based on Hyper-V demonstrate that Credo provides enhanced security guarantees to emancipated VMs at a modest cost, most of which is a one-time startup cost from a VM’s perspective, while adding only a small amount of code to a VM’s TCB.
Verifying system integrity by proxy
- In TRUST, 2012
Cited by 4 (2 self)
Users are increasingly turning to online services, but are concerned for the safety of their personal data and critical business tasks. While secure communication protocols like TLS authenticate and protect connections to these services, they cannot guarantee the correctness of the endpoint system. Users would like assurance that all the remote data they receive is from systems that satisfy the users’ integrity requirements. Hardware-based integrity measurement (IM) protocols have long promised such guarantees, but have failed to deliver them in practice. Their reliance on non-performant devices to generate timely attestations and ad hoc measurement frameworks limits the efficiency and completeness of remote integrity verification. In this paper, we introduce the integrity verification proxy (IVP), a service that enforces integrity requirements over connections to remote systems. The IVP monitors changes to the unmodified system and immediately terminates connections to clients whose specific integrity requirements are not satisfied while eliminating the attestation reporting bottleneck imposed by current IM protocols. We implemented a proof-of-concept IVP that detects several classes of integrity violations on a Linux KVM system, while imposing less than 1.5% overhead on two application benchmarks and no more than 8% on I/O-bound micro-benchmarks.
Scalable Web Content Attestation
- IEEE Transactions on Computers (accepted for publication in a future issue; not fully edited, content may change prior to final publication)
The web is a primary means of information sharing for most organizations and people. Currently, a recipient of web content knows nothing about the environment in which that information was generated other than the specific server from whence it came (and even that information can be unreliable). In this paper, we develop and evaluate the Spork system that uses the Trusted Platform Module (TPM) to tie the web server integrity state to the web content delivered to browsers, thus allowing a client to verify that the origin of the content was functioning properly when the received content was generated and/or delivered. We discuss the design and implementation of the Spork service and its browser-side Firefox validation extension. In particular, we explore the challenges and solutions of scaling the delivery of mixed static and dynamic content to a large number of clients using exceptionally slow TPM hardware. We perform an in-depth empirical analysis of the Spork system within Apache web servers. This analysis shows Spork can deliver nearly 8,000 static or over 6,500 dynamic integrity-measured web objects per second. More broadly, we identify how TPM-based content web services can scale to large client loads with manageable overheads and deliver integrity-measured content with manageable overhead.
Index Terms—Trusted computing, integrity measurement, web system, scalable attestation
Configuring Cloud Deployments for Integrity
Many cloud vendors now provide pre-configured OS distributions and network firewall policies to simplify deployment for customers. However, even with this help, customers have little insight into the possible attack paths that adversaries may use to compromise the integrity of their computations on the cloud. In this paper, we leverage the pre-configured security policies for cloud instances to compute the integrity protection required to protect cloud deployments. In particular, we show that it is possible to compute security configurations for cloud instance deployments that can prevent information flow integrity errors and that these configurations can be measured into attestations using trusted computing hardware. We apply these proposed methods to the OpenStack cloud platform, showing how web server application instances can be configured to protect their integrity in the cloud and how integrity measurement can be used to validate such configurations for approximately 3% overhead.