
    Trusted Platform Module for Smart Cards

    Using trusted platform module for securing virtual environment access in cloud

    With the increasing usage of Cloud and Virtualization technology, there comes also an increasing demand to ensure the security levels of all computing environments and associated components, and accordingly in this work we propose a new machine authentication mechanism using the Trusted Platform Module that can be used to provide secure access to virtual environments in the cloud. The proposed authentication module aims to contribute to a solution to the known cloud security problems of poor machine identity, multi-tenancy and malicious insiders. It targets access security to the graphical user interface of virtual machines hosted on the VirtualBox hypervisor in a Linux-based environment, by authenticating clients trying to connect using the client's Trusted Platform Module public Endorsement Key as a pre-authorized signature to the virtual environment, in addition to the normal user name and password authentication of the connecting user. Results obtained from the output of this work indicate that it is possible to authenticate the machines based on their Trusted Platform Module signatures and provide them access to the VirtualBox environment only based on a pre-defined Access Control List, with minimal one-time overhead upon establishing the initial connection.

    Buffer overflow attack mitigation via Trusted Platform Module (TPM)

    As of the date of writing of this paper, we found no effort whatsoever in the employment of Trusted Computing (TC)'s Trusted Platform Module (TPM) security features in Buffer Overflow Attack (BOA) mitigation. Such is despite the extensive application of TPM in providing security-based solutions, especially in key exchange protocols deemed to be an integral part of cryptographic solutions. In this paper we propose the use of the TPM's Platform Configuration Registers (PCRs) in the detection and prevention of stack-based buffer overflow attacks. Detection is achieved via the integrity validation (of SHA1 hashes) of both return address and call instruction opcodes. Prevention is achieved via encrypting the memory location addresses of both the return and call instruction above using RSA encryption. An exception is raised should integrity violations occur. Based on effectiveness tests conducted, our proposed solution has successfully detected 6 major variants of buffer overflow attacks attempted in conventional application codes, while incurring overheads that pose no major obstacles to the normal, continued operation of conventional application codes.

    Towards a Formal Verification of the Trusted Platform Module

    The Trusted Platform Module (TPM) serves as the root-of-trust in a trusted computing environment, and therefore warrants formal specification and verification. This thesis presents results of an effort to specify and verify an abstract TPM 1.2 model using PVS that is useful for understanding the TPM and verifying protocols that use it. TPM commands are specified as state transformations and sequenced to represent protocols using a state monad. Preconditions, postconditions, and invariants are specified for individual commands and validated. All specifications are written and verified automatically using the PVS decision procedures and rewriting system.

    A Practical Guide to TPM 2.0: Using the New Trusted Platform Module in the New Age of Security

    A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security is a straightforward primer for developers. It shows security and TPM concepts, demonstrating their use in real applications that the reader can try out. Simply put, this book is designed to empower and excite the programming community to go out and do cool things with the TPM. The approach is to ramp the reader up quickly and keep their interest. A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security explains security concepts, describes the TPM 2.0 architecture, and provides code and pseudo-code examples in parallel, from very simple concepts and code to highly complex concepts and pseudo-code. The book includes instructions for the available execution environments and real code examples to get readers up and talking to the TPM quickly. The authors then help the users expand on that with pseudo-code descriptions of useful applications using the TPM.

    Assessment of VLSI resources requirement for a sliced trusted platform module

    Recent increases in cybercrime suggest questions such as: How can one trust a secure system? How can one protect private information from being stolen and maintain security? Trust in any system requires a foundation or root of trust. A root of trust is necessary to establish confidence that a machine is clean and that a software execution environment is secure. A root of trust can be implemented using the Trusted Platform Module (TPM), which is promising for enhancing security of general-purpose computing systems. In cloud computing, one of the proposed approaches is to use homomorphic encryption to create k program slices to be executed on k different cloud nodes. The TPM at the cloud node can then also be distributed or sliced along the lines presented in this thesis. In this work, we propose to increase TPM efficiency by distributing the TPM into multiple shares using Residue Number Systems (RNS). We then perform an evaluation of the silicon area and execution time required for a sliced-TPM implementation and compare it to a single TPM. We characterize the execution time required by each TPM command using measurements obtained on the ModelSim simulator. Finally, we show that the proposed scheme improves TPM efficiency and that the execution time of TPM commands was noticeably improved. In the case of 4 shares, the required execution time of the TPM commands that involve RSA operations in each slice was decreased by 93%, and the area of each slice was decreased by 2.93%, while the total area was increased by 74%. In the case of 10 shares, the required execution time of the TPM commands that involve RSA operations in each slice was decreased by 99%, and the area of each slice was decreased by 3.3%, while the total area was increased by 85%.

    A novel architecture to virtualise a hardware-bound trusted platform module

    Security and trust are particularly relevant in modern softwarised infrastructures, such as cloud environments, as applications are deployed on platforms owned by third parties, are publicly accessible on the Internet and can share the hardware with other tenants. Traditionally, operating systems and applications have leveraged hardware tamper-proof chips, such as the Trusted Platform Modules (TPMs), to implement security workflows, such as remote attestation, and to protect sensitive data against software attacks. This approach does not easily translate to the cloud environment, wherein the isolation provided by the hypervisor makes it impractical to leverage the hardware root of trust in the virtual domains. Moreover, the scalability needs of the cloud often collide with the scarce hardware resources and inherent limitations of TPMs. For this reason, existing implementations of virtual TPMs (vTPMs) are based on TPM emulators. Although more flexible and scalable, this approach is less secure. In fact, each vTPM is vulnerable to software attacks both at the virtualised and hypervisor levels. In this work, we propose a novel design for vTPMs that provides a binding to an underlying physical TPM; the new design, akin to a virtualisation extension for TPMs, extends the latest TPM 2.0 specification. We minimise the number of required additions to the TPM data structures and commands so that they do not require a new, non-backwards-compatible version of the specification. Moreover, we support migration of vTPMs among TPM-equipped hosts, as this is considered a key feature in a highly virtualised environment. Finally, we propose a flexible approach to vTPM object creation that protects vTPM secrets either in hardware or software, depending on the required level of assurance.

    Design of Reusable Trusted Platform Module IP core

    With the widespread use of computers and communication networks, information security has received broad attention; every field, from politics and the military to finance and commerce, has pressing requirements for the protection of sensitive information. Many technologies have been proposed to address information security and confidentiality; among them, trusted computing is a current research hotspot. Unlike traditional security technologies, trusted computing secures network information through the Trusted Platform Module. With the rapid development of semiconductor manufacturing technology, chip integration scale has grown quickly in accordance with Moore's law, and integrated circuit design has entered the system-on-chip era; however, increasingly fierce competition in the integrated circuit market and ever-shorter product life cycles require that chip design cycles be shortened. At present, IP reuse is an effective means of resolving the conflict between design complexity and short design cycles. This thesis adopts IP reuse techniques to design a Trusted Platform Module; at the same time, the designed Trusted Platform Module satisfies IP reu... Because of a wide range of computer and communication network applications, information security shows more and more significance not only in political or military businesses but also in financial and commercial settings. And there are kinds of technology raised to make important information secure; among them, trusted computing has become the hotspot. Trusted computing, different from tradition... Degree: Master of Engineering. Department and major: School of Information Science and Technology, Department of Electronic Engineering, Circuits and Systems. Student ID: 2312008115317

    Trusted Launch of Virtual Machine Instances in Public IaaS Environments

    Cloud computing and Infrastructure-as-a-Service (IaaS) are emerging and promising technologies; however, their adoption is hampered by data security concerns. At the same time, Trusted Computing (TC) is experiencing an increasing interest as a security mechanism for IaaS. In this paper we present a protocol to ensure the launch of a virtual machine (VM) instance on a trusted remote compute host. Relying on Trusted Platform Module operations such as binding and sealing to provide integrity guarantees for clients that require a trusted VM launch, we have designed a trusted launch protocol for VM instances in public IaaS environments. We also present a proof-of-concept implementation of the protocol based on OpenStack, an open-source IaaS platform. The results provide a basis for the use of TC mechanisms within IaaS platforms and pave the way for a wider applicability of TC to IaaS security.