Skip to main content
main-content

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

2020 | OriginalPaper | Buchkapitel

Secure Attestation of Virtualized Environments

verfasst von: Michael Eckel, Andreas Fuchs, Jürgen Repp, Markus Springer

Erschienen in: ICT Systems Security and Privacy Protection

Verlag: Springer International Publishing

share
TEILEN

Abstract

Securing the integrity of virtualized environments like clouds is challenging yet feasible. Operators have discovered the advantages of virtualization technology in terms of flexibility, scalability, cost-effectiveness, and availability. Applications range from network and embedded devices to big data centers and cloud computing. Trusted Computing technology can be employed to protect the integrity of a system by leveraging a Trusted Platform Module (TPM) and remote attestation.
Existing research on remote attestation of virtualized environments differs in scalability, resource consumption, and provided security guarantees. While some approaches scale at large and use the TPM efficiently, they are way more intrusive, requiring changes to hypervisor and Virtual Machine (VMs). Others render entirely impractical with an increasing number of VMs, caused by the TPM being the bottleneck.
In this paper we analyze existing work on remote attestation for virtualized environments and discuss benefits as well as shortcomings. We identify an approach that provides adequate security and is easy to implement but is prone to relay attacks. We improve that approach by developing countermeasures, while maintaining existing security guarantees. Our contribution requires only minimal changes to the hypervisor system, keeping existing attestation protocols intact. We implement and evaluate on production-grade hardware, and compare our improved attestation approach with the most sophisticated alternative approach.
With performance measurements and further evaluations we show that our solution outperforms the other approach for a small number of VMs, as used in network devices and embedded systems.
Literatur
1.
Zurück zum Zitat Azab, A.M., Ning, P., Sezer, E.C., Zhang, X.: Hima: a hypervisor-based integrity measurement agent. In: Computer Security Applications Conference, ACSAC 2009, Annual, pp. 461–470, December 2009 Azab, A.M., Ning, P., Sezer, E.C., Zhang, X.: Hima: a hypervisor-based integrity measurement agent. In: Computer Security Applications Conference, ACSAC 2009, Annual, pp. 461–470, December 2009
2.
Zurück zum Zitat Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: vTPM: Virtualizing the trusted platform module. In: Proceedings of the 15th Conference on USENIX Security Symposium, USENIX-SS 2006, vol. 15. USENIX Association (2006) Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: vTPM: Virtualizing the trusted platform module. In: Proceedings of the 15th Conference on USENIX Security Symposium, USENIX-SS 2006, vol. 15. USENIX Association (2006)
3.
Zurück zum Zitat Berger, S., Goldman, K.A., Pendarakis, D., Safford, D., Valdez, E., Zohar, M.: Scalable attestation: a step toward secure and trusted clouds. In: 2015 IEEE International Conference on Cloud Engineering (IC2E), pp. 185–194, March 2015 Berger, S., Goldman, K.A., Pendarakis, D., Safford, D., Valdez, E., Zohar, M.: Scalable attestation: a step toward secure and trusted clouds. In: 2015 IEEE International Conference on Cloud Engineering (IC2E), pp. 185–194, March 2015
4.
Zurück zum Zitat Celesti, A., Fazio, M., Villari, M., Puliafito, A., Mulfari, D.: Remote and deep attestations to mitigate threats in cloud mash-up services. In: 2013 World Congress on Computer and Information Technology (WCCIT), pp. 1–6, June 2013 Celesti, A., Fazio, M., Villari, M., Puliafito, A., Mulfari, D.: Remote and deep attestations to mitigate threats in cloud mash-up services. In: 2013 World Congress on Computer and Information Technology (WCCIT), pp. 1–6, June 2013
5.
Zurück zum Zitat Champagne, D., Lee, R.B.: Processor-based tailored attestation. Princeton University Department of Electrical Engineering, Technical Report (2010) Champagne, D., Lee, R.B.: Processor-based tailored attestation. Princeton University Department of Electrical Engineering, Technical Report (2010)
6.
Zurück zum Zitat Chen, W.Z., Zhang, Z.P., Yang, J.H., He, Q.M.: Cerberus: a novel hypervisor to provide trusted and isolated code execution. In: 2010 International Conference of Information Science and Management Engineering (ISME), vol. 1, pp. 330–333, August 2010 Chen, W.Z., Zhang, Z.P., Yang, J.H., He, Q.M.: Cerberus: a novel hypervisor to provide trusted and isolated code execution. In: 2010 International Conference of Information Science and Management Engineering (ISME), vol. 1, pp. 330–333, August 2010
9.
Zurück zum Zitat Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983) MathSciNetCrossRef Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983) MathSciNetCrossRef
10.
Zurück zum Zitat Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: a virtual machine-based platform for trusted computing. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP 2003, pp. 193–206. ACM, New York (2003) Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: a virtual machine-based platform for trusted computing. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP 2003, pp. 193–206. ACM, New York (2003)
11.
Zurück zum Zitat Ghosh, A., Sapello, A., Poylisher, A., Chiang, C.J., Kubota, A., Matsunaka, T.: On the feasibility of deploying software attestation in cloud environments. In: 2014 IEEE 7th International Conference on Cloud Computing, pp. 128–135, June 2014 Ghosh, A., Sapello, A., Poylisher, A., Chiang, C.J., Kubota, A., Matsunaka, T.: On the feasibility of deploying software attestation in cloud environments. In: 2014 IEEE 7th International Conference on Cloud Computing, pp. 128–135, June 2014
12.
Zurück zum Zitat Lauer, H., Kuntze, N.: Hypervisor-based attestation of virtual environments. In: The 13th IEEE International Conference on Advanced and Trusted Computing, July 2016 Lauer, H., Kuntze, N.: Hypervisor-based attestation of virtual environments. In: The 13th IEEE International Conference on Advanced and Trusted Computing, July 2016
13.
Zurück zum Zitat McCune, J.M., et al.: Trustvisor: efficient TCB reduction and attestation. In: 2010 IEEE Symposium on Security and Privacy, pp. 143–158, May 2010 McCune, J.M., et al.: Trustvisor: efficient TCB reduction and attestation. In: 2010 IEEE Symposium on Security and Privacy, pp. 143–158, May 2010
14.
Zurück zum Zitat Stumpf, F., Eckert, C.: Enhancing trusted platform modules with hardware-based virtualization techniques. In: 2008 Second International Conference on Emerging Security Information, Systems and Technologies, pp. 1–9, August 2008 Stumpf, F., Eckert, C.: Enhancing trusted platform modules with hardware-based virtualization techniques. In: 2008 Second International Conference on Emerging Security Information, Systems and Technologies, pp. 1–9, August 2008
15.
Zurück zum Zitat Szefer, J., Lee, R.B.: Architectural support for hypervisor-secure virtualization. In: Proceedings of the Seventeenth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 437–450. ACM, New York (2012) Szefer, J., Lee, R.B.: Architectural support for hypervisor-secure virtualization. In: Proceedings of the Seventeenth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 437–450. ACM, New York (2012)
16.
Zurück zum Zitat Trusted Computing Group: Virtualized Trusted Platform Architecture Specification, specification version 1.0, revision 0.26 edn., September 2011 Trusted Computing Group: Virtualized Trusted Platform Architecture Specification, specification version 1.0, revision 0.26 edn., September 2011
17.
Zurück zum Zitat Yu, A., Qin, Y., Wang, D.: Obtaining the integrity of your virtual machine in the cloud. In: 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), pp. 213–222, November 2011 Yu, A., Qin, Y., Wang, D.: Obtaining the integrity of your virtual machine in the cloud. In: 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), pp. 213–222, November 2011
18.
Zurück zum Zitat Zhang, T., Szefer, J., Lee, R.B.: Security verification of hardware-enabled attestation protocols. In: 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops (MICROW), pp. 47–54, December 2012 Zhang, T., Szefer, J., Lee, R.B.: Security verification of hardware-enabled attestation protocols. In: 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops (MICROW), pp. 47–54, December 2012
Metadaten
Titel
Secure Attestation of Virtualized Environments
verfasst von
Michael Eckel
Andreas Fuchs
Jürgen Repp
Markus Springer
Copyright-Jahr
2020
DOI
https://doi.org/10.1007/978-3-030-58201-2_14

Premium Partner