Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services

Accidental or intentional mismanagement of cloud software by administrators poses a serious threat to the integrity and confidentiality of customer data hosted by cloud services. Trusted computing provides an important foundation for designing cloud services that are more resilient to these threats. However, current trusted computing technology is ill-suited to the cloud as it exposes too many internal details of the cloud infrastructure, hinders fault tolerance and load-balancing flexibility, and performs poorly. We present Excalibur, a system that addresses these limitations by enabling the design of trusted cloud services. Excalibur provides a new trusted computing abstraction, called policy-sealed data, that lets data be sealed (i.e., encrypted to a customer-defined policy) and then unsealed (i.e., decrypted) only by nodes whose configurations match the policy. To provide this abstraction, Excalibur uses attribute-based encryption, which reduces the overhead of key management and improves the performance of the distributed protocols employed. To demonstrate that Excalibur is practical, we incorporated it in the Eucalyptus open-source cloud platform. Policy-sealed data can provide greater confidence to Eucalyptus customers that their data is not being mismanaged.

[1]  Cody Cutler,et al.  Trusted Disk Loading in the Emulab Network Testbed , 2010, CSET.

[2]  Adrian Perrig,et al.  Bootstrapping Trust in Commodity Computers , 2010, 2010 IEEE Symposium on Security and Privacy.

[3]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[4]  Emin Gün Sirer,et al.  Logical attestation: an authorization architecture for trustworthy computing , 2011, SOSP.

[5]  Stefan Berger,et al.  Shamon: A System for Distributed Mandatory Access Control , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[6]  Stefan Berger,et al.  vTPM: Virtualizing the Trusted Platform Module , 2006, USENIX Security Symposium.

[7]  Dawn M. Cappelli,et al.  Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector , 2008 .

[8]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[9]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[10]  Hermann Härtig,et al.  The Nizza secure-system architecture , 2005, 2005 International Conference on Collaborative Computing: Networking, Applications and Worksharing.

[11]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[12]  Krishna P. Gummadi,et al.  Excalibur : Building Trustworthy Cloud Services , 2011 .

[13]  Trent Jaeger,et al.  Seeding clouds with trust anchors , 2010, CCSW '10.

[14]  Alec Wolman,et al.  Credo: Trusted Computing for Guest VMs with a Commodity Hypervisor , 2011 .

[15]  Dawn M. Cappelli,et al.  Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors , 2005 .

[16]  Steven Hand,et al.  Improving Xen security through disaggregation , 2008, VEE '08.

[17]  Trent Jaeger,et al.  Attestation-based policy enforcement for remote access , 2004, CCS '04.

[18]  James R. Hamilton,et al.  An Architecture for Modular Data Centers , 2006, CIDR.

[19]  Vitaly Shmatikov,et al.  Airavat: Security and Privacy for MapReduce , 2010, NSDI.

[20]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[21]  Haibo Chen,et al.  CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization , 2011, SOSP.

[22]  Pradeep K. Khosla,et al.  SWATT: softWare-based attestation for embedded devices , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[23]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[24]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[25]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[26]  Byung-Gon Chun,et al.  Secure Data Preservers for Web Services , 2011, WebApps.

[27]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[28]  Elaine Shi,et al.  Do You Know Where Your Data Are? Secure Data Capsules for Deployable Data Protection , 2011, HotOS.

[29]  Ernest F. Brickell,et al.  Direct anonymous attestation , 2004, CCS '04.

[30]  Dmitrii Zagorodnov,et al.  Eucalyptus : A Technical Report on an Elastic Utility Computing Archietcture Linking Your Programs to Useful Systems , 2008 .

[31]  Ahmad-Reza Sadeghi,et al.  Property-based attestation for computing platforms: caring about properties, not mechanisms , 2004, NSPW '04.

[32]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[33]  Steve Vandebogart,et al.  Labels and event processes in the Asbestos operating system , 2005, TOCS.

[34]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[35]  Krishna P. Gummadi,et al.  Towards Trusted Cloud Computing , 2009, HotCloud.

[36]  Alec Wolman,et al.  Bunker: A Privacy-Oriented Platform for Network Tracing , 2009, NSDI.

[37]  Alec Wolman,et al.  Software abstractions for trusted sensors , 2012, MobiSys '12.

[38]  Michael Franz,et al.  Semantic remote attestation: a virtual machine directed approach to trusted computing , 2004 .