Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments


Slides from the article presentation at the 15th International Conference of Information Security and Cryptology -- ICISC2012 held on November 28 - November 30, 2012 in Seoul, South Korea


  1. Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments
     Nicolae Paladi (1)*, Christian Gehrmann (1), Mudassar Aslam (1), Fredric Morenius (2)
     (1) Swedish Institute of Computer Science, (2) Ericsson Research

  2. Contents
     1. Infrastructure-as-a-Service
     2. Problem Setting
     3. Attacker Model
     4. Related Work
     5. Protocol Description
     6. Protocol Implementation
     7. Conclusion

  3. Infrastructure-as-a-Service
     • A cloud computing service model (NIST:2011): provision processing, storage, networks. Deploy and run arbitrary software.
     • No control over the underlying cloud infrastructure.
     • Control over OS, storage, deployed applications.
     • Limited control of select networking components.

  4. Scenario and Definitions
     (diagram: Client (C), Scheduler (S), and three Compute Hosts (CH), each running on its own Hardware)

  5. A Brief Note on TPM
     • Trusted Platform Module v1.2 as specified by the TCG.
     • v2.0 is currently under review.
     • Tamper-evident.
     • 16+ PCRs as volatile or non-volatile storage.
     • Four operations: Signing / Binding / Sealing / Sealed-sign.

  6. Problem Setting
     • "Consumer is able to deploy and run arbitrary software, which can include operating systems and applications."
     • Client can launch VMs for sensitive computations.
     • Trusted VM launch: the correct VM is launched in an IaaS platform on a host with a known software stack, verified not to have been modified by malicious actors.
     • How do we ensure a trusted VM launch in an untrusted IaaS environment?

  7. Attacker Model
     • (Ar) has root access to IaaS hosts.
     • (Ar) has no physical access.
     • (Ar) has no access to the CHs' memory.
     • (Ar) can act maliciously or in good faith.
     • (Ar) can be a person, malicious software, or a code bug.

  8. Attack Scenario 1
     (diagram: Remote Attacker (Ar), Scheduler (S), Compute Hosts (CH) including a Trusted Compute Host, each on Hardware, Client (C))

  9. Attack Scenario 2
     (diagram: Remote Attacker (Ar), Compute Hosts (CH) on Hardware, Client (C); no Scheduler in this scenario)

  10. Related Work
     (figure-only slide; no text captured)

  11. Trusted VM Launch Protocol: Trusted Third Party
     • Trusted Third Party (TTP): trusted by C and by the IaaS, able to assess the SP of a CH according to predefined guidelines.
     • Security profile (SP): verified setup of a VM, trusted by the participants.
     • Currently no fine-grained scale of SP is available.
     • Limited to only matching the measurements with reference values.

  12. The Big Picture
     (diagram: protocol steps 1 to 6 exchanged between Client (C), Scheduler (S), Compute Hosts (CH) and HW + TPM)

  13. Trusted VM Launch Protocol: Protocol Details (1)
     (figure-only slide; no text captured)

  14. Trusted VM Launch Protocol: Protocol Details (2)
     (figure-only slide; no text captured)

  15. Trusted VM Launch Protocol: Protocol Details (3)
     (figure-only slide; no text captured)

  16. Trusted VM Launch Protocol: Protocol Details (4)
     (figure-only slide; no text captured)

  17. Trusted VM Launch Protocol: OpenStack
     • Protocol was implemented in OpenStack.
     • Open source IaaS deployment and management platform.
     • Large user base and multiple industry contributors.
     • "Essex" release as baseline.
     • Aimed to have a minimal footprint in terms of code modifications.
     • Implementation changed 4 components involved in the launch process (presented next).

  18. Trusted VM Launch Protocol: Protocol Implementation (1)
     Affected components:
     • Nova SQL db: global security profile per compute host.
     • Dashboard: request compute host attestation, minimum SP, TTP's URL and Token upload.
     • Scheduler: SimpleScheduler to schedule VM launches on a trusted CH with the requested, or stricter, SP.
     • Nova compute: support communication with the TPM through the TSS, encryption/decryption, and VM image integrity assessment.
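Slides 11 and 18 state the two checks the protocol relies on: the TTP assesses a compute host's security profile only by matching its measurements against reference values, and the scheduler places a VM only on a trusted CH whose SP is the requested one or stricter. The following Python sketch is an added illustration of that logic, not code from the paper or from its OpenStack implementation. The SP levels, PCR indices, digests and host names are constructed sample values, and modelling SP as an ordered integer level is an assumption made here for illustration (the slides note that no fine-grained SP scale exists).

```python
import hashlib
from typing import Dict, Optional

# TPM 1.2 PCRs hold 160-bit SHA-1 digests, so SHA-1 is used for the
# constructed sample measurements below.
def _digest(label: str) -> str:
    return hashlib.sha1(label.encode()).hexdigest()

# Constructed reference values (assumption): for each SP level, the PCR
# values a CH must report. A higher level is a stricter profile. A real
# TTP would hold golden measurements taken from a known-good software stack.
REFERENCE_MEASUREMENTS: Dict[int, Dict[int, str]] = {
    1: {0: _digest("bios-v1"), 4: _digest("bootloader-v1")},
    2: {0: _digest("bios-v1"), 4: _digest("bootloader-v1"),
        8: _digest("hypervisor-hardened-v3")},
}
SP_LEVELS = sorted(REFERENCE_MEASUREMENTS)

# Constructed PCR reports from three hosts: ch1 runs a stock hypervisor,
# ch2 the hardened one, ch3 has a modified bootloader measurement.
REPORTED_PCRS: Dict[str, Dict[int, str]] = {
    "ch1": {0: _digest("bios-v1"), 4: _digest("bootloader-v1"),
            8: _digest("hypervisor-stock")},
    "ch2": {0: _digest("bios-v1"), 4: _digest("bootloader-v1"),
            8: _digest("hypervisor-hardened-v3")},
    "ch3": {0: _digest("bios-v1"), 4: _digest("bootloader-modified"),
            8: _digest("hypervisor-hardened-v3")},
}


def ttp_assess(reported_pcrs: Dict[int, str]) -> Optional[int]:
    """TTP role: match a CH's reported PCR values against the reference
    values and return the strictest SP level for which every reference PCR
    matches. A host matching no profile gets None and is treated as
    untrusted; a missing PCR counts as a mismatch."""
    verified = None
    for level in SP_LEVELS:
        refs = REFERENCE_MEASUREMENTS[level]
        if all(reported_pcrs.get(idx) == digest for idx, digest in refs.items()):
            verified = level
    return verified


def assess_all(reported: Dict[str, Dict[int, str]]) -> Dict[str, Optional[int]]:
    """Run the TTP assessment over every host and record the verified SP
    per host, the per-host global SP that slide 18 keeps in the Nova db."""
    return {name: ttp_assess(pcrs) for name, pcrs in reported.items()}


def schedule_launch(hosts: Dict[str, Optional[int]], minimum_sp: int) -> Optional[str]:
    """Scheduler role: pick a CH whose verified SP is the requested level or
    stricter. Returns the host name, or None when no host qualifies, in which
    case the launch is refused rather than falling back to an untrusted host."""
    candidates = [(sp, name) for name, sp in hosts.items()
                  if sp is not None and sp >= minimum_sp]
    if not candidates:
        return None
    # Prefer the least strict qualifying host so stricter hosts remain
    # available for clients that need them (a placement choice assumed here).
    return min(candidates)[1]


if __name__ == "__main__":
    verified = assess_all(REPORTED_PCRS)
    print("verified SP per host:", verified)
    print("minimum SP 2 ->", schedule_launch(verified, 2))
    print("minimum SP 1 ->", schedule_launch(verified, 1))
```

Running the block shows ch3 assessed as untrusted (None) because one measured PCR differs from every reference set, a request for SP 2 landing on ch2 only, and a request for SP 1 accepting either host with a verified profile.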
  19. Trusted VM Launch Protocol: Protocol Implementation (2)
     • TrustedComputingPools (currently in blueprints) will introduce TPM support in OpenStack.
     • Trusted IaaS provider with untrusted nodes.
     • Node attestation offered as a "premium service".
     • Node attestation performed by the IaaS provider itself.

  20. Conclusion
     • A trusted VM launch protocol is available assuming an untrusted IaaS platform + TPM + physical security of the hosts.
     • Fairly close to the ongoing industrial implementation, but offers stricter security guarantees.
     • A fine-grained attestation process on the TTP side is still a research challenge.