Benchmarking the Security Protocol and Data Model (SPDM) for component authentication
Efforts to secure computing systems via software traditionally focus on the
operating system and application levels. In contrast, the Security Protocol and
Data Model (SPDM) tackles firmware level security challenges, which are much
harder (if at all possible) to detect with regular protection software. SPDM
includes key features like enabling peripheral authentication, authenticated
hardware measurements retrieval, and secure session establishment. Since SPDM
is a relatively recent proposal, there is a lack of studies evaluating its
performance impact on real-world applications. In this article, we address this
gap by: (1) implementing the protocol on a simple virtual device, and then
investigating the overhead introduced by each SPDM message; and (2) creating an
SPDM-capable virtual hard drive based on VirtIO, and comparing the resulting
read/write performance with a regular, unsecured implementation. Our results
suggest that SPDM bootstrap time is on the order of tens of milliseconds, while
the toll of introducing SPDM on hard drive communication highly depends on
specific workload patterns. For example, for mixed random read/write
operations, the slowdown is negligible in comparison to the baseline unsecured
setup. Conversely, for sequential read or write operations, the data encryption
process becomes the bottleneck, reducing the performance indicators by several
orders of magnitude.
Comment: 10 pages, 8 figures
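The peripheral-authentication, measurement-retrieval and session-establishment features the abstract lists, as an added example that is not the paper's code: a simplified Python model of SPDM's pre-shared-key session flow (PSK_EXCHANGE / PSK_FINISH, which SPDM offers alongside certificate-based KEY_EXCHANGE) followed by an authenticated GET_MEASUREMENTS inside that session. Only the message names and the idea of binding the session keys to a hash of the whole transcript follow the SPDM design; the byte encodings, the key schedule, the sample firmware images and the PSK are constructed assumptions, and the certificate/signature path (CHALLENGE) is not modelled. It shows why a responder holding the wrong secret is rejected before any data flows, and why a responder with stale firmware passes the handshake but fails the measurement check.

```python
"""Simplified model of SPDM's pre-shared-key session (PSK_EXCHANGE / PSK_FINISH) with an
authenticated GET_MEASUREMENTS inside it. Added example: message encodings and the key
schedule are simplified assumptions, not DMTF's exact wire format."""
import hashlib, hmac, secrets

HASH, MAC_LEN = hashlib.sha256, 32
VCA = {b"GET_VERSION": b"VERSION:1.1", b"GET_CAPABILITIES": b"CAPABILITIES:PSK_CAP,MEAS_CAP",
       b"NEGOTIATE_ALGORITHMS": b"ALGORITHMS:SHA256"}  # version/capabilities/algorithms replies

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256; SPDM derives its session keys this way."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()

def transcript_hash(msgs) -> bytes:
    """Hash over every request and response so far, in order (SPDM's transcript hash, TH)."""
    return HASH(b"".join(msgs)).digest()

def measure(images: dict) -> dict:
    """Measurement = hash of each firmware image, keyed by measurement index."""
    return {idx: HASH(img).digest() for idx, img in images.items()}

def session_keys(psk: bytes, th: bytes):
    """Handshake secret = HKDF-Extract(salt=0, IKM=PSK); both keys are bound to the transcript."""
    hs = hmac.new(b"\x00" * 32, psk, HASH).digest()
    return hkdf_expand(hs, b"finished" + th), hkdf_expand(hs, b"data" + th)

class Responder:
    """The peripheral side (e.g. an SPDM-capable disk): holds the PSK and its measurements."""

    def __init__(self, psk: bytes, firmware_images: dict):
        self.psk, self.measurements, self.msgs = psk, measure(firmware_images), []
        self.finished_key = self.data_key = None

    def handle(self, req: bytes) -> bytes:
        self.msgs.append(req)
        if req in VCA:
            rsp = VCA[req]
        elif req.startswith(b"PSK_EXCHANGE:"):
            self.finished_key, self.data_key = session_keys(self.psk, transcript_hash(self.msgs))
            body = b"PSK_EXCHANGE_RSP:" + secrets.token_bytes(16)
            # ResponderVerifyData: MAC over the transcript including this response body.
            rsp = body + mac(self.finished_key, transcript_hash(self.msgs + [body]))
        elif req.startswith(b"PSK_FINISH:"):
            # RequesterVerifyData must MAC the transcript up to, not including, PSK_FINISH.
            expected = mac(self.finished_key, transcript_hash(self.msgs[:-1]))
            ok = hmac.compare_digest(req[len(b"PSK_FINISH:"):], expected)
            rsp = b"PSK_FINISH_RSP" if ok else b"ERROR:DECRYPT_ERROR"
        elif req.startswith(b"GET_MEASUREMENTS:"):
            # Inside the session each measurement block is authenticated with the data key.
            idx = int(req.split(b":")[1])
            block = b"MEASUREMENTS:%d:" % idx + self.measurements[idx]
            rsp = block + mac(self.data_key, block)
        else:
            rsp = b"ERROR:UNSUPPORTED_REQUEST"
        self.msgs.append(rsp)
        return rsp

def run_session(psk: bytes, responder: Responder, golden: dict) -> dict:
    """Requester side: VCA messages, PSK session, then check measurements against golden hashes."""
    msgs = []
    def send(req):
        msgs.append(req)
        msgs.append(responder.handle(req))
        return msgs[-1]
    for req in (b"GET_VERSION", b"GET_CAPABILITIES", b"NEGOTIATE_ALGORITHMS"):
        send(req)
    req = b"PSK_EXCHANGE:" + secrets.token_bytes(16)
    msgs.append(req)
    finished_key, data_key = session_keys(psk, transcript_hash(msgs))
    rsp = responder.handle(req)
    body, verify = rsp[:-MAC_LEN], rsp[-MAC_LEN:]
    expected = mac(finished_key, transcript_hash(msgs + [body]))
    msgs.append(rsp)
    if not hmac.compare_digest(verify, expected):  # responder does not hold our PSK
        return {"session_ok": False, "measurements_ok": False, "messages": len(msgs)}
    finish = b"PSK_FINISH:" + mac(finished_key, transcript_hash(msgs))
    if send(finish) != b"PSK_FINISH_RSP":
        return {"session_ok": False, "measurements_ok": False, "messages": len(msgs)}
    measurements_ok = True
    for idx, expected_hash in golden.items():
        rsp = send(b"GET_MEASUREMENTS:%d" % idx)
        block, tag = rsp[:-MAC_LEN], rsp[-MAC_LEN:]
        tag_ok = hmac.compare_digest(tag, mac(data_key, block))
        measurements_ok = measurements_ok and tag_ok and block.endswith(expected_hash)
    return {"session_ok": True, "measurements_ok": measurements_ok, "messages": len(msgs)}

if __name__ == "__main__":
    fw = {0: b"constructed-bootrom-v1", 1: b"constructed-drive-fw-v2.3"}  # constructed sample images
    psk = b"\x11" * 32  # constructed pre-shared key
    print(run_session(psk, Responder(psk, fw), measure(fw)))
```

The point a practitioner should take from it is the ordering: the transcript hash covers the version, capability and algorithm negotiation as well as the nonces, so a downgrade of the negotiated hash or a replayed PSK_EXCHANGE_RSP changes the MAC input on one side only and the handshake fails. Measurements are only trusted once both verify-data MACs have checked out, which is why the abstract counts session bootstrap as a fixed per-device cost separate from the per-byte cost of encrypting disk traffic.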
HIL: designing an exokernel for the data center
We propose a new Exokernel-like layer to allow mutually untrusting physically deployed services to efficiently share the resources of a data center. We believe that such a layer offers not only efficiency gains, but may also enable new economic models, new applications, and new security-sensitive uses. A prototype (currently in active use) demonstrates that the proposed layer is viable, and can support a variety of existing provisioning tools and use cases.
Partial support for this work was provided by the MassTech Collaborative Research Matching Grant Program, National Science Foundation awards 1347525 and 1149232 as well as the several commercial partners of the Massachusetts Open Cloud who may be found at http://www.massopencloud.or
M2: Malleable Metal as a Service
Existing bare-metal cloud services that provide users with physical nodes
have a number of serious disadvantages over their virtual alternatives,
including slow provisioning times, difficulty for users to release nodes and
then reuse them to handle changes in demand, and poor tolerance to failures. We
introduce M2, a bare-metal cloud service that uses network-mounted boot drives
to overcome these disadvantages. We describe the architecture and
implementation of M2 and compare its agility, scalability, and performance to
existing systems. We show that M2 can reduce provisioning time by over 50%
while offering richer functionality, and comparable run-time performance with
respect to tools that provision images into local disks. M2 is open source and
available at https://github.com/CCI-MOC/ims.
Comment: IEEE International Conference on Cloud Engineering 201
Agent-Based Cloud Resource Management for Secure Cloud Infrastructures
The cloud offers clear benefits for computation as well as for storage across diverse application areas. Security concerns are by far the greatest barrier to the wider uptake of cloud computing, particularly for privacy-sensitive applications. The aim of this article is to propose an approach for establishing trust between users and providers of cloud infrastructures (IaaS model) based on certified trusted agents. Such an approach would remove barriers that prevent security-sensitive applications from being moved to the cloud. The core technology encompasses a secure agent platform providing the execution environment for agents, and a secure attested software base which ensures the integrity of the host platform. In this article we describe the motivation, concept, design and initial implementation of these technologies.
MaldOS: a Moderately Abstracted Layer for Developing Operating Systems
Even though few students will take on the challenge of developing software below the operating system, understanding how it works is essential. In itself, the theory behind operating systems is not particularly complex: concepts such as scheduling, execution levels and semaphores are intuitively understandable; however, fully mastering these notions through theoretical study alone is almost impossible: a practical example is needed to absorb the details.
Developing an operating system as an academic project is, however, several orders of magnitude harder than writing software in an existing working environment. The added complexity of the hardware often goes beyond what can be expected of students, which makes even the search for an architecture to work on difficult.
This study is strongly inspired by earlier solutions to this problem such as uMPS, an emulator for the MIPS processor.
By working on a simplified virtualization, students can concentrate on the key concepts of OS development.
Although inspired by a real architecture, uMPS nonetheless remains an abstract environment, and over the course of the work a feeling of detachment from reality may arise. This study argues that a similar project can be developed on real hardware without it becoming too complicated. The chosen architecture is ARMv8, more modern and widespread than MIPS, in the form of the Raspberry Pi educational board.
The result of the work is twofold: on the one hand, a detailed study was carried out on how to develop a minimal operating system on the Raspberry Pi; on the other, an abstraction layer was created that simplifies access to the peripherals, allowing users to build a small operating system on top of it.
While the work targets a real device, the option of working on an emulator remains thanks to Qemu support.
SoK: Confidential Quartet - Comparison of Platforms for Virtualization-Based Confidential Computing
Confidential computing allows processing sensitive workloads in securely isolated spaces. Following earlier adoption of process-based approaches to isolation, vendors are now enabling hardware and firmware support for virtualization-based confidential computing on several server platforms. Due to variations in the technology stack, threat model, implementation and functionality, the available solutions offer somewhat different capabilities, trade-offs and security guarantees. In this paper we review, compare and contextualize four virtualization-based confidential computing technologies for enterprise server platforms: AMD SEV, ARM CCA, IBM PEF and Intel TDX.