TEE: a virtual DRTM based execution environment for secure cloud-end computing

Cloud computing is widely expected to be the next major paradigm of computing because it substantially reduces the cost of IT systems. Securing the cloud end is necessary because customers' data are stored and processed there. Previous studies have focused mainly on secure cloud-end storage, whereas secure cloud-end computing has received much less attention. Current practice relies solely on Virtual Machines (VMs) and cannot offer adequate security, because guest Operating Systems (OSes) can often be breached easily (e.g., by exploiting their vulnerabilities). This motivates the need for solutions that make cloud-end computing more secure. This poster presents the design, implementation and analysis of a candidate solution, called Trusted Execution Environment (TEE), which combines virtualization and trusted computing technologies. The novelty of TEE lies in virtualizing the Dynamic Root of Trust for Measurement (DRTM).
