On the security of virtual machine migration and related topics

Extending trusted computing to virtual environments in order to provide secure storage and ensure system integrity presents several challenges. In particular, techniques need to be devised to share a hardware TPM between several virtual machines (VMs) on the same host and to appropriately secure these VMs during migration. In this work, we provide a comprehensive overview of trusted computing and its extension to virtualization by means of virtual TPMs (vTPMs). We analyze existing vTPM designs and related VM-vTPM migration protocols and derive a set of requirements for secure VM-vTPM migration. We then propose a secure migration protocol using a novel vTPM key hierarchy that satisfies these requirements. We implement our protocol and evaluate its performance using different ciphers and VM RAM sizes. Our results show that both RC4 and 128-bit AES are efficient as underlying ciphers, as opposed to 3DES, which introduces a significant overhead on the migration process. Moreover, the end-to-end migration time experienced by the end user (using RC4 or 128-bit AES as the underlying cipher) increases only by approximately 10% compared to the insecure migration when the VM RAM size is larger than 512 MB. This overhead may be tolerable in certain applications, depending on the hardware used. Thus, secure VM-vTPM migration can be practical.
