Skip to main content
main-content
Top

Hint

Swipe to navigate through the chapters of this book

2020 | OriginalPaper | Chapter

Secure Attestation of Virtualized Environments

Authors: Michael Eckel, Andreas Fuchs, Jürgen Repp, Markus Springer

Published in: ICT Systems Security and Privacy Protection

Publisher: Springer International Publishing

share
SHARE

Abstract

Securing the integrity of virtualized environments like clouds is challenging yet feasible. Operators have discovered the advantages of virtualization technology in terms of flexibility, scalability, cost-effectiveness, and availability. Applications range from network and embedded devices to big data centers and cloud computing. Trusted Computing technology can be employed to protect the integrity of a system by leveraging a Trusted Platform Module (TPM) and remote attestation.
Existing research on remote attestation of virtualized environments differs in scalability, resource consumption, and provided security guarantees. While some approaches scale at large and use the TPM efficiently, they are way more intrusive, requiring changes to hypervisor and Virtual Machine (VMs). Others render entirely impractical with an increasing number of VMs, caused by the TPM being the bottleneck.
In this paper we analyze existing work on remote attestation for virtualized environments and discuss benefits as well as shortcomings. We identify an approach that provides adequate security and is easy to implement but is prone to relay attacks. We improve that approach by developing countermeasures, while maintaining existing security guarantees. Our contribution requires only minimal changes to the hypervisor system, keeping existing attestation protocols intact. We implement and evaluate on production-grade hardware, and compare our improved attestation approach with the most sophisticated alternative approach.
With performance measurements and further evaluations we show that our solution outperforms the other approach for a small number of VMs, as used in network devices and embedded systems.
Literature
1.
go back to reference Azab, A.M., Ning, P., Sezer, E.C., Zhang, X.: Hima: a hypervisor-based integrity measurement agent. In: Computer Security Applications Conference, ACSAC 2009, Annual, pp. 461–470, December 2009 Azab, A.M., Ning, P., Sezer, E.C., Zhang, X.: Hima: a hypervisor-based integrity measurement agent. In: Computer Security Applications Conference, ACSAC 2009, Annual, pp. 461–470, December 2009
2.
go back to reference Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: vTPM: Virtualizing the trusted platform module. In: Proceedings of the 15th Conference on USENIX Security Symposium, USENIX-SS 2006, vol. 15. USENIX Association (2006) Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: vTPM: Virtualizing the trusted platform module. In: Proceedings of the 15th Conference on USENIX Security Symposium, USENIX-SS 2006, vol. 15. USENIX Association (2006)
3.
go back to reference Berger, S., Goldman, K.A., Pendarakis, D., Safford, D., Valdez, E., Zohar, M.: Scalable attestation: a step toward secure and trusted clouds. In: 2015 IEEE International Conference on Cloud Engineering (IC2E), pp. 185–194, March 2015 Berger, S., Goldman, K.A., Pendarakis, D., Safford, D., Valdez, E., Zohar, M.: Scalable attestation: a step toward secure and trusted clouds. In: 2015 IEEE International Conference on Cloud Engineering (IC2E), pp. 185–194, March 2015
4.
go back to reference Celesti, A., Fazio, M., Villari, M., Puliafito, A., Mulfari, D.: Remote and deep attestations to mitigate threats in cloud mash-up services. In: 2013 World Congress on Computer and Information Technology (WCCIT), pp. 1–6, June 2013 Celesti, A., Fazio, M., Villari, M., Puliafito, A., Mulfari, D.: Remote and deep attestations to mitigate threats in cloud mash-up services. In: 2013 World Congress on Computer and Information Technology (WCCIT), pp. 1–6, June 2013
5.
go back to reference Champagne, D., Lee, R.B.: Processor-based tailored attestation. Princeton University Department of Electrical Engineering, Technical Report (2010) Champagne, D., Lee, R.B.: Processor-based tailored attestation. Princeton University Department of Electrical Engineering, Technical Report (2010)
6.
go back to reference Chen, W.Z., Zhang, Z.P., Yang, J.H., He, Q.M.: Cerberus: a novel hypervisor to provide trusted and isolated code execution. In: 2010 International Conference of Information Science and Management Engineering (ISME), vol. 1, pp. 330–333, August 2010 Chen, W.Z., Zhang, Z.P., Yang, J.H., He, Q.M.: Cerberus: a novel hypervisor to provide trusted and isolated code execution. In: 2010 International Conference of Information Science and Management Engineering (ISME), vol. 1, pp. 330–333, August 2010
9.
10.
go back to reference Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: a virtual machine-based platform for trusted computing. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP 2003, pp. 193–206. ACM, New York (2003) Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: a virtual machine-based platform for trusted computing. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP 2003, pp. 193–206. ACM, New York (2003)
11.
go back to reference Ghosh, A., Sapello, A., Poylisher, A., Chiang, C.J., Kubota, A., Matsunaka, T.: On the feasibility of deploying software attestation in cloud environments. In: 2014 IEEE 7th International Conference on Cloud Computing, pp. 128–135, June 2014 Ghosh, A., Sapello, A., Poylisher, A., Chiang, C.J., Kubota, A., Matsunaka, T.: On the feasibility of deploying software attestation in cloud environments. In: 2014 IEEE 7th International Conference on Cloud Computing, pp. 128–135, June 2014
12.
go back to reference Lauer, H., Kuntze, N.: Hypervisor-based attestation of virtual environments. In: The 13th IEEE International Conference on Advanced and Trusted Computing, July 2016 Lauer, H., Kuntze, N.: Hypervisor-based attestation of virtual environments. In: The 13th IEEE International Conference on Advanced and Trusted Computing, July 2016
13.
go back to reference McCune, J.M., et al.: Trustvisor: efficient TCB reduction and attestation. In: 2010 IEEE Symposium on Security and Privacy, pp. 143–158, May 2010 McCune, J.M., et al.: Trustvisor: efficient TCB reduction and attestation. In: 2010 IEEE Symposium on Security and Privacy, pp. 143–158, May 2010
14.
go back to reference Stumpf, F., Eckert, C.: Enhancing trusted platform modules with hardware-based virtualization techniques. In: 2008 Second International Conference on Emerging Security Information, Systems and Technologies, pp. 1–9, August 2008 Stumpf, F., Eckert, C.: Enhancing trusted platform modules with hardware-based virtualization techniques. In: 2008 Second International Conference on Emerging Security Information, Systems and Technologies, pp. 1–9, August 2008
15.
go back to reference Szefer, J., Lee, R.B.: Architectural support for hypervisor-secure virtualization. In: Proceedings of the Seventeenth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 437–450. ACM, New York (2012) Szefer, J., Lee, R.B.: Architectural support for hypervisor-secure virtualization. In: Proceedings of the Seventeenth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 437–450. ACM, New York (2012)
16.
go back to reference Trusted Computing Group: Virtualized Trusted Platform Architecture Specification, specification version 1.0, revision 0.26 edn., September 2011 Trusted Computing Group: Virtualized Trusted Platform Architecture Specification, specification version 1.0, revision 0.26 edn., September 2011
17.
go back to reference Yu, A., Qin, Y., Wang, D.: Obtaining the integrity of your virtual machine in the cloud. In: 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), pp. 213–222, November 2011 Yu, A., Qin, Y., Wang, D.: Obtaining the integrity of your virtual machine in the cloud. In: 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), pp. 213–222, November 2011
18.
go back to reference Zhang, T., Szefer, J., Lee, R.B.: Security verification of hardware-enabled attestation protocols. In: 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops (MICROW), pp. 47–54, December 2012 Zhang, T., Szefer, J., Lee, R.B.: Security verification of hardware-enabled attestation protocols. In: 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops (MICROW), pp. 47–54, December 2012
Metadata
Title
Secure Attestation of Virtualized Environments
Authors
Michael Eckel
Andreas Fuchs
Jürgen Repp
Markus Springer
Copyright Year
2020
DOI
https://doi.org/10.1007/978-3-030-58201-2_14

Premium Partner