TCG based approach for secure management of virtualized platforms: state-of-the-art
There is a strong trend in favor of adopting virtualization to gain business benefits. The provisioning of virtualized enterprise resources is one of many possible scenarios. While virtualization promises clear advantages, it also poses new security challenges that need to be addressed to gain stakeholders' confidence in the dynamics of the new environment. One important facet of these challenges is establishing 'Trust', which is a basic primitive for any viable business model. The Trusted Computing Group (TCG) offers the technologies and mechanisms required to establish this trust in the target platforms. Moreover, TCG technologies enable the protection of sensitive data at rest and in transit. This report explores the applicability of relevant TCG concepts to virtualize enterprise resources securely for provisioning, establish trust in the target platforms, and securely manage these virtualized Trusted Platforms.
CamFlow: Managed Data-sharing for Cloud Services
A model of cloud services is emerging whereby a few trusted providers manage
the underlying hardware and communications whereas many companies build on this
infrastructure to offer higher level, cloud-hosted PaaS services and/or SaaS
applications. From the start, strong isolation between cloud tenants was seen
to be of paramount importance, provided first by virtual machines (VM) and
later by containers, which share the operating system (OS) kernel. Increasingly
it is the case that applications also require facilities to effect isolation
and protection of data managed by those applications. They also require
flexible data sharing with other applications, often across the traditional
cloud-isolation boundaries; for example, when government provides many related
services for its citizens on a common platform. Similar considerations apply to
the end-users of applications. But in particular, the incorporation of cloud
services within 'Internet of Things' architectures is driving the requirements
for both protection and cross-application data sharing.
These concerns relate to the management of data. Traditional access control
is application and principal/role specific, applied at policy enforcement
points, after which there is no subsequent control over where data flows; a
crucial issue once data has left its owner's control by cloud-hosted
applications and within cloud-services. Information Flow Control (IFC), in
addition, offers system-wide, end-to-end, flow control based on the properties
of the data. We discuss the potential of cloud-deployed IFC for enforcing
owners' dataflow policy with regard to protection and sharing, as well as
safeguarding against malicious or buggy software. In addition, the audit log
associated with IFC provides transparency, giving configurable system-wide
visibility over data flows. [...]
Comment: 14 pages, 8 figures
TREDIS - A Trusted Full-Fledged SGX-Enabled REDIS Solution
Currently, offloading storage and processing capacity to cloud servers is a growing
trend among web-enabled services managing big datasets. This happens because high
storage capacity and powerful processors are expensive, whilst cloud services provide
cheaper, ongoing, elastic, and reliable solutions. The problem with these cloud-based
outsourced solutions is that they are highly accessible through the Internet, which is good,
but they can therefore be considerably exposed to attacks, out of users' control. By exploiting
subtle vulnerabilities present in cloud-enabled applications, management functions,
operating systems and hypervisors, an attacker may compromise the supported systems,
thus compromising the privacy of sensitive user data hosted and managed in them. These
attacks can be motivated by malicious purposes such as espionage, blackmail, identity
theft, or harassment. A solution to this problem is processing data without exposing it to
untrusted components, such as vulnerable OS components, which might be compromised
by an attacker.
In this thesis, we research existing technologies capable of bringing applications
into trusted environments, in order to adopt such approaches in our solution as a
way to help deploy unmodified applications on top of Intel-SGX, with overheads comparable
to applications designed to use this kind of technology, and we also conduct an
experimental evaluation to better understand how they impact our system. Thus, we
present TREDIS - a Trusted Full-Fledged REDIS Key-Value Store solution, implemented
as a full-fledged solution to be offered as a Trusted Cloud-enabled Platform as a Service,
which includes the possibility to support a secure REDIS-cluster architecture supported
by docker-virtualized services running in SGX-enabled instances, with operations running
on always-encrypted in-memory datasets.
Moving applications to storage and processing on cloud servers is a growing trend,
especially when large datasets need to be managed. Compared with privately licensed
solutions, computing and data storage solutions in service clouds are able to offer
options that are cheaper, highly available, elastic and relatively reliable. These
third-party solutions are easily accessible through the Internet and are operated under
an outsourcing model, which is good, but for that reason they are considerably exposed to
attacks and outside the users' control with regard to the real conditions of reliability,
security and data privacy.
By subtly exploiting vulnerabilities present in applications, operating system (OS)
functions, OS service virtualization libraries or hypervisors, an attacker can compromise
the systems and break the privacy of sensitive data. These attacks can be motivated by
malicious purposes such as espionage, blackmail, identity theft or harassment, and can be
triggered by intrusions (from external attackers) or by malicious or incorrect actions of
internal attackers (who may act with system administrator privileges). A solution to this
problem is to store and process information without exposure to untrusted components.
In this dissertation we study and experimentally evaluate several technologies that
allow applications to run in isolation in trusted execution environments supported by
Intel-SGX hardware, in order to better understand how they work and how to adapt them to
our solution. To that end, we carried out an evaluation focused on the use of these
technologies with virtualization in isolated containers running on trusted hardware,
which we used in the design of our solution. We then present our solution, TREDIS - a
trusted Key-Value Store system based on REDIS technology, with guarantees of execution
integrity and data privacy, designed to be used as a "Platform as a Service" for resilient
management and storage of data in the cloud. This includes the possibility of supporting a
secure architecture with resilience guarantees similar to the cluster replication
architecture of the original REDIS solution, but in which the node execution engines and
the cluster's memory protection are based on isolated docker containers virtualized in SGX
instances, with the data always kept encrypted in memory.