TEE: A virtual DRTM based execution environment for secure cloud-end computing

Abstract: The Internet of Things (IoT) is the coming generation of information technology. However, the huge amount of data collected by wireless sensors in the IoT will pose a major challenge that can only be met by cloud computing. In particular, ensuring security at the cloud end is necessary. Previous studies have mainly focused on secure cloud-end storage, whereas secure cloud-end computing is much less investigated. The current practice is based solely on Virtual Machines (VMs) and cannot offer adequate security, because the guest Operating Systems (OSes) can often be compromised (e.g., by exploiting their vulnerabilities). This motivates the need for solutions that enable more secure cloud-end computing. This paper presents the design, implementation and analysis of a candidate solution, called Trusted Execution Environment (TEE), which takes advantage of both virtualization and trusted computing technologies. The novelty behind TEE is the virtualization of the Dynamic Root of Trust for Measurement (DRTM).
