298 research outputs found
Provably Secure Virus Detection: Using The Observer Effect Against Malware
Protecting software from malware injection is one of the biggest challenges of modern computer science. Despite intensive efforts by the scientific and engineering community, the number of successful attacks continues to increase.
This work sets first footsteps towards a provably secure investigation of malware detection. We provide a formal model and cryptographic security definitions of attestation for systems with dynamic memory, and suggest novel provably secure attestation schemes. The key idea underlying our schemes is to use the very insertion of the malware itself to allow for the systems to detect it. This is, in our opinion, close in spirit to the quantum Observer Effect. The attackers, no matter how clever, no matter when they insert their malware, change the state of the system they are attacking. This fundamental idea can be a game changer. And our system does not rely on heuristics; instead, our scheme enjoys the unique property that it is proved secure in a formal and precise mathematical sense and with minimal and realistic CPU modification achieves strong provable security guarantees. We envision such systems with a formal mathematical security treatment as a venue for new directions in software protection
Trusted Launch of Virtual Machine Instances in Public IaaS Environments
Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging
and promising technologies, however their adoption is hampered by data security
concerns. At the same time, Trusted Computing (TC) is experiencing an increasing
interest as a security mechanism for IaaS. In this paper we present a protocol
to ensure the launch of a virtual machine (VM) instance on a trusted remote
compute host. Relying on Trusted Platform Module operations such as binding
and sealing to provide integrity guarantees for clients that require a trusted VM
launch, we have designed a trusted launch protocol for VM instances in public IaaS
environments. We also present a proof-of-concept implementation of the protocol
based on OpenStack, an open-source IaaS platform. The results provide a basis
for the use of TC mechanisms within IaaS platforms and pave the way for a wider
applicability of TC to IaaS security
Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials
Personal cryptographic keys are the foundation of many secure services, but
storing these keys securely is a challenge, especially if they are used from
multiple devices. Storing keys in a centralized location, like an
Internet-accessible server, raises serious security concerns (e.g. server
compromise). Hardware-based Trusted Execution Environments (TEEs) are a
well-known solution for protecting sensitive data in untrusted environments,
and are now becoming available on commodity server platforms.
Although the idea of protecting keys using a server-side TEE is
straight-forward, in this paper we validate this approach and show that it
enables new desirable functionality. We describe the design, implementation,
and evaluation of a TEE-based Cloud Key Store (CKS), an online service for
securely generating, storing, and using personal cryptographic keys. Using
remote attestation, users receive strong assurance about the behaviour of the
CKS, and can authenticate themselves using passwords while avoiding typical
risks of password-based authentication like password theft or phishing. In
addition, this design allows users to i) define policy-based access controls
for keys; ii) delegate keys to other CKS users for a specified time and/or a
limited number of uses; and iii) audit all key usages via a secure audit log.
We have implemented a proof of concept CKS using Intel SGX and integrated this
into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation
performs approximately 6,000 signature operations per second on a single
desktop PC. The latency is in the same order of magnitude as using
locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on
Security, Privacy, and Identity Management in the Cloud (SECPID) 201
Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments
Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging and promising technologies, however their faster-pased adoption is hampered by data security concerns. In the same time, Trusted Computing (TC) is experiencing a revived interest as a security mechanism for IaaS. We address the lack of an implementable mechanism to ensure the launch of a virtual machine (VM) instance on a trusted remote host. Relying on Trusted Platform Modules operations such as binding and sealing to provide integrity guarantees for clients that require a trusted VM launch, we have designed a trusted launch protocol for generic VM images in public IaaS environments. We also present a proof-of-concept implemen-
tation of the protocol based on OpenStack, an open-source IaaS platform. The results provide a basis for use of TC mechanisms within IaaS platforms and pave the way for a wider applicability of TC to IaaS security
Trusted Launch of Virtual Machine Instances in Public IaaS Environments
Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging
and promising technologies, however their adoption is hampered by data security
concerns. At the same time, Trusted Computing (TC) is experiencing an increasing
interest as a security mechanism for IaaS. In this paper we present a protocol
to ensure the launch of a virtual machine (VM) instance on a trusted remote
compute host. Relying on Trusted Platform Module operations such as binding
and sealing to provide integrity guarantees for clients that require a trusted VM
launch, we have designed a trusted launch protocol for VM instances in public IaaS
environments. We also present a proof-of-concept implementation of the protocol
based on OpenStack, an open-source IaaS platform. The results provide a basis
for the use of TC mechanisms within IaaS platforms and pave the way for a wider
applicability of TC to IaaS security
Trusted Launch of Virtual Machine Instances in Public IaaS Environments
Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging
and promising technologies, however their adoption is hampered by data security
concerns. At the same time, Trusted Computing (TC) is experiencing an increasing
interest as a security mechanism for IaaS. In this paper we present a protocol
to ensure the launch of a virtual machine (VM) instance on a trusted remote
compute host. Relying on Trusted Platform Module operations such as binding
and sealing to provide integrity guarantees for clients that require a trusted VM
launch, we have designed a trusted launch protocol for VM instances in public IaaS
environments. We also present a proof-of-concept implementation of the protocol
based on OpenStack, an open-source IaaS platform. The results provide a basis
for the use of TC mechanisms within IaaS platforms and pave the way for a wider
applicability of TC to IaaS security
State of The Art and Hot Aspects in Cloud Data Storage Security
Along with the evolution of cloud computing and cloud storage towards matu-
rity, researchers have analyzed an increasing range of cloud computing security
aspects, data security being an important topic in this area. In this paper, we
examine the state of the art in cloud storage security through an overview of
selected peer reviewed publications. We address the question of defining cloud
storage security and its different aspects, as well as enumerate the main vec-
tors of attack on cloud storage. The reviewed papers present techniques for key
management and controlled disclosure of encrypted data in cloud storage, while
novel ideas regarding secure operations on encrypted data and methods for pro-
tection of data in fully virtualized environments provide a glimpse of the toolbox
available for securing cloud storage. Finally, new challenges such as emergent
government regulation call for solutions to problems that did not receive enough
attention in earlier stages of cloud computing, such as for example geographical
location of data. The methods presented in the papers selected for this review
represent only a small fraction of the wide research effort within cloud storage
security. Nevertheless, they serve as an indication of the diversity of problems
that are being addressed
- …