Recent trends in applying TPM to cloud computing
Trusted platform modules (TPM) have become important safeguards against a variety of software-based attacks. By providing a limited set of cryptographic services through a well-defined interface, separated from the software itself, a TPM can serve as a root of trust and as a building block for higher-level security measures. This article surveys the literature for applications of TPM in the cloud-computing environment, published between 2013 and 2018. It identifies the current trends and objectives of this technology in the cloud, and the types of threats that it mitigates. Toward the end, the main research gaps are pinpointed and discussed. Since integrity measurement is one of the main usages of TPM, special attention is paid to the assessment of the run-time phases and software layers it is applied to.
A novel architecture to virtualise a hardware-bound trusted platform module
Security and trust are particularly relevant in modern softwarised infrastructures, such as cloud environments, as applications are deployed on platforms owned by third parties, are publicly accessible on the Internet and can share the hardware with other tenants. Traditionally, operating systems and applications have leveraged hardware tamper-proof chips, such as Trusted Platform Modules (TPMs), to implement security workflows, such as remote attestation, and to protect sensitive data against software attacks. This approach does not easily translate to the cloud environment, wherein the isolation provided by the hypervisor makes it impractical to leverage the hardware root of trust in the virtual domains. Moreover, the scalability needs of the cloud often collide with the scarce hardware resources and inherent limitations of TPMs. For this reason, existing implementations of virtual TPMs (vTPMs) are based on TPM emulators. Although more flexible and scalable, this approach is less secure. In fact, each vTPM is vulnerable to software attacks both at the virtualised and hypervisor levels. In this work, we propose a novel design for vTPMs that provides a binding to an underlying physical TPM; the new design, akin to a virtualisation extension for TPMs, extends the latest TPM 2.0 specification. We minimise the number of required additions to the TPM data structures and commands so that they do not require a new, non-backwards-compatible version of the specification. Moreover, we support migration of vTPMs among TPM-equipped hosts, as this is considered a key feature in a highly virtualised environment. Finally, we propose a flexible approach to vTPM object creation that protects vTPM secrets either in hardware or software, depending on the required level of assurance.
Exploring the Integration of Memory Management and Trusted Computing
This thesis addresses vulnerabilities in the current Trusted Computing architecture by exploring a design for a better Trusted Platform Module (TPM); one that integrates more closely with the CPU's Memory Management Unit (MMU). We establish that software-based attacks on trusted memory can be carried out undetectably by an adversary on current TCG/TPM implementations. We demonstrate that an attacker with sufficient privileges can compromise the integrity of a TPM-protected system by modifying critical loaded code and static data after measurement has taken place. More specifically, these attacks illustrate the time-of-check to time-of-use (TOCTOU) class of attacks. We propose to enhance the MMU, enabling it to detect when memory containing trusted code or data is being maliciously modified at run-time. On detection, it should be able to notify the TPM of these modifications. We seek to use the concept of selective memory immutability as a security tool to harden the MMU, which will result in a more robust TCG/TPM implementation. To substantiate our ideas for this proposed hardware feature, we designed and implemented a software prototype system, which employs the monitoring capabilities of the Xen virtual machine monitor. We performed a security evaluation of our prototype and validated that it can detect all our software-based TOCTOU attacks. We applied our prototype to verify the integrity of data associated with an application, and suggested and implemented ways to prevent unauthorized use of data by associating it with its owner process. Our performance evaluation reveals minimal overhead.
Trust based Privacy Policy Enforcement in Cloud Computing
Cloud computing offers opportunities for organizations to reduce IT costs by using the computation and storage of a remote provider. Despite the benefits offered by the cloud computing paradigm, organizations are still wary of delegating their computation and storage to a cloud service provider due to trust concerns. The trust issues with the cloud can be addressed by a combination of regulatory frameworks and supporting technologies. Privacy Enhancing Technologies (PET) and remote attestation provide the technologies for addressing the trust concerns. PET provides proactive measures through cryptography and selective dissemination of data to the client. Remote attestation mechanisms provide reactive measures by enabling the client to remotely verify whether a provider is compromised. The contributions of this work are threefold. This thesis explores the PET landscape by studying in detail the implications of using PET in cloud architectures. The practicality of remote attestation in Software as a Service (SaaS) and Infrastructure as a Service (IaaS) scenarios is also analyzed, and improvements to the state of the art have been proposed. This thesis also proposes a fresh look at trust relationships in cloud computing, where a single provider changes its configuration for each client based on the subjective and dynamic trust assessments of clients. We conclude by proposing a plan for expanding on the completed work.
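The three works above share one flow: measure code at load time into a PCR, attest the PCR to a remote verifier, and (in the TOCTOU thesis) show that a privileged attacker who patches the code after the extend is not caught by the attestation. The following is an added example, written for this page and not code from any of these works, that runs that flow end to end. The TPM is modelled as a dict of PCRs and the attestation-key signature on a quote is stood in for by an HMAC under a key shared with the verifier; both are assumptions made so the example runs on the standard library alone (a real TPM signs quotes with an asymmetric attestation key).

```python
"""Load-time integrity measurement, remote attestation and the TOCTOU gap.

Constructed example, not code from the works above. The TPM is modelled as a
dict of PCRs, and the attestation-key signature over a quote is stood in for
by an HMAC under a key shared with the verifier (an assumption; a real TPM
signs with an asymmetric attestation key).
"""
import hashlib
import hmac
import secrets

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new = H(old || digest). The history cannot be rewound or
    reordered without changing the final value."""
    return hashlib.sha256(pcr + digest).digest()


def measure(pcrs: dict, index: int, data: bytes) -> bytes:
    """Hash an object at load time, fold it into a PCR, return its digest."""
    digest = hashlib.sha256(data).digest()
    pcrs[index] = pcr_extend(pcrs[index], digest)
    return digest


def expected_pcr_for(*images: bytes) -> bytes:
    """Verifier's golden value: replay the extends over known-good images."""
    pcr = PCR_INIT
    for image in images:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr


def quote(pcrs: dict, index: int, nonce: bytes, ak: bytes) -> dict:
    """Attest one PCR: bind the verifier's nonce and the PCR value under the
    attestation key (HMAC stands in for the AK signature)."""
    msg = nonce + bytes([index]) + pcrs[index]
    return {"index": index, "pcr": pcrs[index], "nonce": nonce,
            "sig": hmac.new(ak, msg, hashlib.sha256).digest()}


def verify_quote(q: dict, nonce: bytes, golden: bytes, ak: bytes) -> bool:
    """Verifier: freshness first, then signature, then PCR against the golden value."""
    if q["nonce"] != nonce:
        return False  # replayed or unsolicited quote
    msg = q["nonce"] + bytes([q["index"]]) + q["pcr"]
    if not hmac.compare_digest(q["sig"], hmac.new(ak, msg, hashlib.sha256).digest()):
        return False
    return hmac.compare_digest(q["pcr"], golden)


def runtime_recheck(memory: bytes, recorded_digest: bytes) -> bool:
    """What a run-time monitor adds: re-hash the pages as they are now and
    compare with the digest recorded when they were measured."""
    return hmac.compare_digest(hashlib.sha256(memory).digest(), recorded_digest)


def toctou_demo() -> dict:
    """Measure and attest a loaded image, then patch it in place. Returns what
    each check reports, so the load-time/run-time gap is visible."""
    ak = secrets.token_bytes(32)                               # assumed shared AK
    good_image = b"\x55\x48\x89\xe5" + b"trusted-service-v1"   # constructed bytes
    golden = expected_pcr_for(good_image)                      # verifier knows this image

    pcrs = {10: PCR_INIT}
    memory = bytearray(good_image)                             # pages the image was loaded into
    recorded = measure(pcrs, 10, bytes(memory))

    nonce1 = secrets.token_bytes(16)
    q1 = quote(pcrs, 10, nonce1, ak)
    results = {"quote_before_tamper": verify_quote(q1, nonce1, golden, ak)}

    # A sufficiently privileged attacker overwrites the measured code after
    # the extend has happened. The PCR is not touched.
    memory[4:11] = b"backdoo"
    nonce2 = secrets.token_bytes(16)
    results["quote_after_tamper"] = verify_quote(quote(pcrs, 10, nonce2, ak), nonce2, golden, ak)
    results["replayed_old_quote"] = verify_quote(q1, nonce2, golden, ak)
    results["runtime_recheck"] = runtime_recheck(bytes(memory), recorded)
    return results
```

The quote taken after tampering still verifies, because nothing re-extended the PCR; only the run-time re-hash of the pages catches the change. The nonce check shows the other failure mode a verifier must cover: an old quote replayed against a new challenge is rejected even though its signature and PCR value are genuine.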
Demystifying Internet of Things Security
Break down the misconceptions of the Internet of Things by examining the different security building blocks available in Intel Architecture (IA) based IoT platforms. This open access book reviews the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth. The IoT presents unique challenges in implementing security, and Intel has both CPU and Isolated Security Engine capabilities to simplify it. This book explores the challenges of securing these devices against the different threats originating from within and outside the network. The requirements and robustness rules to protect the assets vary greatly, and there is no single blanket solution approach to implement security. Demystifying Internet of Things Security provides clarity to industry professionals and an overview of different security solutions.
What You'll Learn: secure devices against the different threats originating from inside and outside the network; gather an overview of the different security building blocks available in Intel Architecture (IA) based IoT platforms; understand the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth.
Who This Book Is For: strategists, developers, architects, and managers in the embedded and Internet of Things (IoT) space trying to understand and implement security in IoT devices and platforms.
Insider threat : memory confidentiality and integrity in the cloud
PhD Thesis
The advantages of always-available services, such as remote device backup or data storage, have helped the widespread adoption of cloud computing. However, cloud computing services challenge the traditional boundary between trusted inside and untrusted outside. A consumer's data and applications are no longer on premises, fundamentally changing the scope of an insider threat.
This thesis looks at the security risks associated with an insider threat. Specifically, we look into the critical challenge of assuring data confidentiality and integrity for the execution of arbitrary software in a consumer's virtual machine. The problem arises from having multiple virtual machines sharing hardware resources in the same physical host, while an administrator is granted elevated privileges over such a host.
We used an empirical approach to collect evidence of the existence of this security problem and implemented a prototype of a novel prevention mechanism for it. Finally, we propose a trustworthy cloud architecture which uses the security properties our prevention mechanism guarantees as a building block.
To collect the evidence required to demonstrate how an insider threat can become a security problem for a cloud computing infrastructure, we performed a set of attacks targeting the three most commonly used virtualization software solutions. These attacks attempt to compromise the confidentiality and integrity of cloud consumers' data. The prototype to evaluate our novel prevention mechanism was implemented in the Xen hypervisor and tested against known attacks.
The prototype we implemented focuses on applying restrictions to the permissive memory access model currently in use in the most relevant virtualization software solutions. We envision the use of a mandatory memory access control model in the virtualization software. This model enforces the principle of least privilege for memory access, which means cloud administrators are assigned only enough privileges to successfully perform their administrative tasks.
Although the changes we suggest to the virtualization layer make it more restrictive, our solution is versatile enough to port all the functionality available in current virtualization solutions. Therefore, our trustworthy cloud architecture guarantees data confidentiality and integrity and achieves a more transparent trustworthy cloud ecosystem while preserving functionality.
Our results show that a malicious insider can compromise security-sensitive data in the three most important commercial virtualization software solutions. These virtualization solutions are publicly available, and the number of cloud servers using them accounts for the majority of the virtualization market. The prevention mechanism prototype we designed and implemented guarantees data confidentiality and integrity against such attacks and reduces the trusted computing base of the virtualization layer. These results indicate that current virtualization solutions need to reconsider their view on insider threats.
Securing unikernels in cloud infrastructures
PhD Thesis
Cloud computing adoption has seen an increase during the last few years. However, cloud tenants are still concerned about the security that the Cloud Service Provider (CSP) offers. Recent security incidents in cloud infrastructures that exploit vulnerabilities in the software layer highlight the need to develop new protection mechanisms. A recent direction in cloud computing is toward massive consolidation of resources by using lightweight Virtual Machines (VMs) called unikernels. Unikernels are specialised VMs that eliminate the Operating System (OS) layer and offer the advantages of a small footprint, minimal attack surface, near-instant boot times and multi-platform deployment. Even though using unikernels has certain advantages, unikernels have a number of shortcomings. First, unikernels do not employ context switching from user to kernel mode. A malicious user could exploit this shortcoming to escape the isolation boundaries that the hypervisor provides. Second, having a large number of unikernels in a single virtualised host creates complex security policies that are difficult to manage and can introduce exploitable misconfigurations. Third, malicious insiders, such as disgruntled system administrators, can use privileged software to exfiltrate data from unikernels. In this thesis, we divide our research into two parts, concerning the development of software- and hardware-based protection mechanisms for cloud infrastructures that focus on unikernels. In each part, we propose a new protection mechanism for cloud infrastructures where tenants develop their workloads using unikernels.
In the first part, we propose a software-based protection mechanism that controls access to resources, which results in creating least-privileged unikernels. Current access-control mechanisms that reside in hypervisors do not confine unikernels to accepted behaviour and are susceptible to privilege escalation and Virtual Machine escape attacks. Therefore, current hypervisors need to take into account the possibility of having one or more malicious unikernels and rethink their access-control mechanisms. We designed and implemented VirtusCap, a capability-based access control mechanism that acts as a lower layer regulating access to resources in cloud infrastructures. Consequently, unikernels are only assigned the privileges required to perform their task. This ensures that the access-control mechanism that resides in the hypervisor will only grant access to resources specified with capabilities. In addition, capabilities are easier to delegate to other unikernels when they need to, and the security policies are less complex. Our performance evaluation shows that up to a request rate of 7000 req/sec our prototype's response time is identical to XSM-Flask.
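As an added example of the capability-based, least-privilege access control this paragraph describes (constructed for this page; it is not VirtusCap's code, whose design the abstract does not detail, and the insider-threat thesis above pursues the same least-privilege goal with a mandatory model rather than capabilities): a hypervisor-side reference monitor that mints capabilities as HMAC-tagged records under a key that never leaves the hypervisor, checks one on every access, and allows delegation between unikernels only when it narrows rights. The right names, resource names and token layout are assumptions.

```python
"""Capability-based least-privilege access control for unikernels.

Constructed example; VirtusCap's own design is not given in the abstract, so
the token format, right names and resource names here are assumptions. The
hypervisor mints capabilities as HMAC-tagged records under a key that never
leaves it, checks them on every access, and allows delegation only when it
narrows rights (no amplification, no forging, no presenting someone else's).
"""
import hashlib
import hmac
import json
import secrets

RIGHTS = {"read", "write", "map", "delegate"}   # assumed right names


class Hypervisor:
    def __init__(self):
        self._key = secrets.token_bytes(32)     # tag key, hypervisor-private
        self.audit = []                         # (presenter, resource, right, allowed)

    def _tag(self, body: dict) -> bytes:
        canon = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, canon, hashlib.sha256).digest()

    def _valid(self, cap: dict) -> bool:
        return hmac.compare_digest(cap["tag"], self._tag(cap["body"]))

    def grant(self, holder: str, resource: str, rights: set) -> dict:
        """Mint a capability. Only the hypervisor can produce a valid tag."""
        if not rights <= RIGHTS:
            raise ValueError("unknown right")
        body = {"holder": holder, "resource": resource, "rights": sorted(rights)}
        return {"body": body, "tag": self._tag(body)}

    def delegate(self, cap: dict, presenter: str, to: str, rights: set):
        """Derive a narrower capability for another unikernel, or None if the
        token is forged, presented by a non-holder, lacks 'delegate', or the
        requested rights are not a subset of those held."""
        if not self._valid(cap) or cap["body"]["holder"] != presenter:
            return None
        held = set(cap["body"]["rights"])
        if "delegate" not in held or not rights <= held:
            return None
        return self.grant(to, cap["body"]["resource"], rights)

    def access(self, cap: dict, presenter: str, resource: str, right: str) -> bool:
        """Reference monitor: every access must carry a matching capability."""
        allowed = (self._valid(cap)
                   and cap["body"]["holder"] == presenter
                   and cap["body"]["resource"] == resource
                   and right in cap["body"]["rights"])
        self.audit.append((presenter, resource, right, allowed))
        return allowed


def scenario() -> dict:
    """Three unikernels ('web', 'logger', 'db') sharing one host. Returns the
    outcome of each access so the policy is visible without a hypervisor."""
    hv = Hypervisor()
    web_cap = hv.grant("web", "vnic0", {"read", "write", "delegate"})
    out = {
        "web_read_vnic0": hv.access(web_cap, "web", "vnic0", "read"),
        "web_write_disk0": hv.access(web_cap, "web", "disk0", "write"),  # no cap for disk0
        "db_uses_web_cap": hv.access(web_cap, "db", "vnic0", "read"),    # stolen token
    }
    logger_cap = hv.delegate(web_cap, "web", "logger", {"read"})       # attenuated
    out["logger_read"] = hv.access(logger_cap, "logger", "vnic0", "read")
    out["logger_write"] = hv.access(logger_cap, "logger", "vnic0", "write")
    out["logger_redelegate_refused"] = hv.delegate(logger_cap, "logger", "db", {"read"}) is None
    out["amplify_refused"] = hv.delegate(web_cap, "web", "logger", {"read", "map"}) is None
    # logger edits its own token to add 'write'; the tag no longer matches
    forged = {"body": dict(logger_cap["body"], rights=["read", "write"]), "tag": logger_cap["tag"]}
    out["forged_write"] = hv.access(forged, "logger", "vnic0", "write")
    return out
```

The audit list is what makes the policy simpler to operate than a per-pair rule set: every decision records who presented what for which resource, so a denied access from a unikernel that should never have held a token for that resource stands out directly.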
In the second part, we address the following problem: how to guarantee the confidentiality and integrity of computations executing in a unikernel even in the presence of privileged software used by malicious insiders? A research prototype called UniGuard was designed and implemented, which aims to protect unikernels from an untrusted cloud by executing the sensitive computations inside secure enclaves. This approach provides confidentiality and integrity guarantees for unikernels against software and certain physical attacks. We show how we integrated Intel SGX with unikernels and added the ability to spawn enclaves that execute the sensitive computations. We conduct experiments to evaluate the performance of UniGuard, which show that UniGuard exhibits acceptable performance overhead in comparison to when the sensitive computations are not executed inside an enclave. To the best of our knowledge, UniGuard is the first solution that protects the confidentiality and integrity of computations that execute inside unikernels using Intel SGX.
Currently, unikernels drive the next generation of virtualisation software, and especially the cooperation with other virtualisation technologies, such as containers, to form hybrid virtualisation workloads. Thus, it is paramount to scrutinise the security of unikernels in cloud infrastructures and propose novel protection mechanisms that will drive the next cloud evolution.
Systems Support for Trusted Execution Environments
Cloud computing has become a default choice for data processing by both large corporations and individuals due to its economy of scale and ease of system management. However, the question of trust and trustworthy computing inside cloud environments has long been neglected in practice and further exacerbated by the proliferation of AI and its use for processing sensitive user data. Attempts to implement mechanisms for trustworthy computing in the cloud have previously remained theoretical due to the lack of hardware primitives in commodity CPUs, while a combination of Secure Boot, TPMs, and virtualization has seen only limited adoption. The situation changed in 2016, when Intel introduced the Software Guard Extensions (SGX) and its enclaves to x86 ISA CPUs: for the first time, it became possible to build trustworthy applications relying on a commonly available technology. However, Intel SGX posed challenges to practitioners who discovered the limitations of this technology, from the limited support of legacy applications and integration of SGX enclaves into existing systems, to the performance bottlenecks on communication, startup, and memory utilization. In this thesis, our goal is to enable trustworthy computing in the cloud by relying on the imperfect SGX primitives. To this end, we develop and evaluate solutions to issues stemming from the limited systems support of Intel SGX: we investigate the mechanisms for runtime support of POSIX applications with SCONE, an efficient SGX runtime library developed with the performance limitations of SGX in mind. We further develop this topic with FFQ, which is a concurrent queue for SCONE's asynchronous system call interface. ShieldBox is our study of the interplay of kernel bypass and trusted execution technologies for NFV, which also tackles the problem of low-latency clocks inside an enclave. The two last systems, Clemmys and T-Lease, are built on the more recent SGXv2 ISA extension. In Clemmys, SGXv2 allows us to significantly reduce the startup time of SGX-enabled functions inside a Function-as-a-Service platform. Finally, in T-Lease we solve the problem of trusted time by introducing a trusted lease primitive for distributed systems. We perform an evaluation of all of these systems and prove that they can be practically utilized in existing systems with minimal overhead, and can be combined with both legacy systems and other SGX-based solutions. In the course of the thesis, we enable trusted computing for individual applications, high-performance network functions, and distributed computing frameworks, making a vision of trusted cloud computing a reality.