nach oben

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

Erschienen in:

Kapitel lesen Erstes Kapitel lesen

2020 | OriginalPaper | Buchkapitel

Secure Attestation of Virtualized Environments

verfasst von : Michael Eckel, Andreas Fuchs, Jürgen Repp, Markus Springer

Erschienen in: ICT Systems Security and Privacy Protection

Verlag: Springer International Publishing

Einloggen

Abstract

Securing the integrity of virtualized environments like clouds is challenging yet feasible. Operators have discovered the advantages of virtualization technology in terms of flexibility, scalability, cost-effectiveness, and availability. Applications range from network and embedded devices to big data centers and cloud computing. Trusted Computing technology can be employed to protect the integrity of a system by leveraging a Trusted Platform Module (TPM) and remote attestation.

Existing research on remote attestation of virtualized environments differs in scalability, resource consumption, and provided security guarantees. While some approaches scale at large and use the TPM efficiently, they are way more intrusive, requiring changes to hypervisor and Virtual Machine (VMs). Others render entirely impractical with an increasing number of VMs, caused by the TPM being the bottleneck.

In this paper we analyze existing work on remote attestation for virtualized environments and discuss benefits as well as shortcomings. We identify an approach that provides adequate security and is easy to implement but is prone to relay attacks. We improve that approach by developing countermeasures, while maintaining existing security guarantees. Our contribution requires only minimal changes to the hypervisor system, keeping existing attestation protocols intact. We implement and evaluate on production-grade hardware, and compare our improved attestation approach with the most sophisticated alternative approach.

With performance measurements and further evaluations we show that our solution outperforms the other approach for a small number of VMs, as used in network devices and embedded systems.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel IMShell-Dec: Pay More Attention to External Links in PowerShell

Nächstes Kapitel Security and Performance Implications of BGP Rerouting-Resistant Guard Selection Algorithms for Tor

Azab, A.M., Ning, P., Sezer, E.C., Zhang, X.: Hima: a hypervisor-based integrity measurement agent. In: Computer Security Applications Conference, ACSAC 2009, Annual, pp. 461–470, December 2009

Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: vTPM: Virtualizing the trusted platform module. In: Proceedings of the 15th Conference on USENIX Security Symposium, USENIX-SS 2006, vol. 15. USENIX Association (2006)

Berger, S., Goldman, K.A., Pendarakis, D., Safford, D., Valdez, E., Zohar, M.: Scalable attestation: a step toward secure and trusted clouds. In: 2015 IEEE International Conference on Cloud Engineering (IC2E), pp. 185–194, March 2015

Celesti, A., Fazio, M., Villari, M., Puliafito, A., Mulfari, D.: Remote and deep attestations to mitigate threats in cloud mash-up services. In: 2013 World Congress on Computer and Information Technology (WCCIT), pp. 1–6, June 2013

Champagne, D., Lee, R.B.: Processor-based tailored attestation. Princeton University Department of Electrical Engineering, Technical Report (2010)

Chen, W.Z., Zhang, Z.P., Yang, J.H., He, Q.M.: Cerberus: a novel hypervisor to provide trusted and isolated code execution. In: 2010 International Conference of Information Science and Management Engineering (ISME), vol. 1, pp. 330–333, August 2010

Coker, G., et al.: Principles of remote attestation. Int. J. Inf. Secur. 10(2), 63–81 (2011). https://doi.org/10.1007/s10207-011-0124-7 CrossRef

Cooperation, I.: Building trust and compliance in the cloud with intel trusted execution technology - the Taiwan Stock Exchange Corporation Develops a Secure Cloud Infrastructure. Technical report, Intel Cooperaion (2013). https://www.hytrust.com/uploads/2015/08/intel_txt.pdf

Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983) MathSciNetCrossRef

10.

Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: a virtual machine-based platform for trusted computing. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP 2003, pp. 193–206. ACM, New York (2003)

11.

Ghosh, A., Sapello, A., Poylisher, A., Chiang, C.J., Kubota, A., Matsunaka, T.: On the feasibility of deploying software attestation in cloud environments. In: 2014 IEEE 7th International Conference on Cloud Computing, pp. 128–135, June 2014

12.

Lauer, H., Kuntze, N.: Hypervisor-based attestation of virtual environments. In: The 13th IEEE International Conference on Advanced and Trusted Computing, July 2016

13.

McCune, J.M., et al.: Trustvisor: efficient TCB reduction and attestation. In: 2010 IEEE Symposium on Security and Privacy, pp. 143–158, May 2010

14.

Stumpf, F., Eckert, C.: Enhancing trusted platform modules with hardware-based virtualization techniques. In: 2008 Second International Conference on Emerging Security Information, Systems and Technologies, pp. 1–9, August 2008

15.

Szefer, J., Lee, R.B.: Architectural support for hypervisor-secure virtualization. In: Proceedings of the Seventeenth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 437–450. ACM, New York (2012)

16.

Trusted Computing Group: Virtualized Trusted Platform Architecture Specification, specification version 1.0, revision 0.26 edn., September 2011

17.

Yu, A., Qin, Y., Wang, D.: Obtaining the integrity of your virtual machine in the cloud. In: 2011 IEEE Third International Conference on Cloud Computing Technology and Science (CloudCom), pp. 213–222, November 2011

18.

Zhang, T., Szefer, J., Lee, R.B.: Security verification of hardware-enabled attestation protocols. In: 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops (MICROW), pp. 47–54, December 2012

Titel: Secure Attestation of Virtualized Environments
verfasst von: Michael Eckel
Andreas Fuchs
Jürgen Repp
Markus Springer
Verlag: Springer International Publishing
Buch: ICT Systems Security and Privacy Protection
Print ISBN: 978-3-030-58200-5

Electronic ISBN: 978-3-030-58201-2

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-58201-2_14

Springer Professional

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"