Design, Implementation and Verification of Cloud Architecture for Monitoring a Virtual Machine's Security Health

Cloud customers need assurances regarding the security of their virtual machines (VMs), operating within an Infrastructure as a Service (IaaS) cloud system. This is complicated by the customer not knowing where his VM is executing, and on the semantic gap between what the customer wants to know versus what can be measured in the cloud. We present CloudMonatt, an architecture for monitoring a VM's security health. We show a full prototype based on the OpenStack open source cloud software. We also verify CloudMonatt to show that there are no security vulnerabilities that could allow an attacker to subvert its protection. As such, we conduct a systematic security verification of CloudMonatt. We model and verify the network protocols within the distributed system, as well as interactions of hardware/software modules inside the cloud server. Our results show that CloudMonatt is capable of delivering this monitoring and attestation service to customers in an unforgeable and reliable manner.

[1]  Ernest F. Brickell,et al.  Direct anonymous attestation , 2004, CCS '04.

[2]  Krishna P. Gummadi,et al.  Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services , 2012, USENIX Security Symposium.

[3]  Ahmad-Reza Sadeghi,et al.  Property-based attestation for computing platforms: caring about properties, not mechanisms , 2004, NSPW '04.

[4]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[5]  Yuqiong Sun,et al.  Inevitable Failure: The Flawed Trust Assumption in the Cloud , 2014, CCSW.

[6]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[7]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[8]  Frederic Stumpf,et al.  Secure and Privacy-Aware Multiplexing of Hardware-Protected TPM Integrity Measurements among Virtual Machines , 2012, ICISC.

[9]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[10]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[11]  Patrick Röder,et al.  A Robust Integrity Reporting Protocol for Remote Attestation , 2006 .

[12]  James Newsome,et al.  Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework , 2013, 2013 IEEE Symposium on Security and Privacy.

[13]  Claire Vishik,et al.  TPM Virtualization: Building a General Framework , 2008 .

[14]  Wenke Lee,et al.  Lares: An Architecture for Secure Active Monitoring Using Virtualization , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[15]  Jonathan K. Millen,et al.  Principles of remote attestation , 2011, International Journal of Information Security.

[16]  Ruby B. Lee,et al.  DoS Attacks on Your Memory in Cloud , 2017, AsiaCCS.

[17]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[18]  Trent Jaeger,et al.  Seeding clouds with trust anchors , 2010, CCSW '10.

[19]  Vincent Simonet Flow Caml in a Nutshell , 2003 .

[20]  Ahmad-Reza Sadeghi,et al.  A protocol for property-based attestation , 2006, STC '06.

[21]  Ahmad-Reza Sadeghi,et al.  Property-Based TPM Virtualization , 2008, ISC.

[22]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[23]  Jean-Pierre Seifert,et al.  Model-based behavioral attestation , 2008, SACMAT '08.

[24]  M. Schunter,et al.  Property Attestation — Scalable and Privacy-friendly Security Assessment of Peer Computers , 2004 .

[25]  Peng Li,et al.  Encoding information flow in Haskell , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[26]  Rui Xu,et al.  Verification of a Practical Hardware Security Architecture Through Static Information Flow Analysis , 2017, ASPLOS.

[27]  Guru Venkataramani,et al.  CC-Hunter: Uncovering Covert Timing Channels on Shared Processor Hardware , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[28]  Abhinav Srivastava,et al.  Hardening OpenStack Cloud Platforms against Compute Node Compromises , 2016, AsiaCCS.

[29]  Frederic T. Chong,et al.  Sapper: a language for hardware-level security policy enforcement , 2014, ASPLOS.

[30]  Ruby B. Lee,et al.  Characterizing hypervisor vulnerabilities in cloud computing servers , 2013, Cloud Computing '13.

[31]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[32]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[33]  Tal Garfinkel,et al.  Terra: a virtual machine-based platform for trusted computing , 2003, SOSP '03.

[34]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[35]  Yao Wang,et al.  A Hardware Design Language for Timing-Sensitive Information-Flow Security , 2015, ASPLOS.

[36]  Michael K. Reiter,et al.  Cross-VM side channels and their use to extract private keys , 2012, CCS.

[37]  Jiangtao Li,et al.  Flexible and scalable digital signatures in TPM 2.0 , 2013, CCS.

[38]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[39]  Yangchun Fu,et al.  Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection , 2012, 2012 IEEE Symposium on Security and Privacy.

[40]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[41]  Jonathon T. Giffin,et al.  2011 IEEE Symposium on Security and Privacy Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection , 2022 .

[42]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[43]  Jakub Szefer,et al.  Architectures for Secure Cloud Computing Servers , 2013 .

[44]  Frederic T. Chong,et al.  Caisson: a hardware description language for secure information flow , 2011, PLDI '11.

[45]  Vijay Varadharajan,et al.  Property Based Attestation and Trusted Computing: Analysis and Challenges , 2009, 2009 Third International Conference on Network and System Security.

[46]  Heiko Stamer,et al.  A Software-Based Trusted Platform Module Emulator , 2008, TRUST.

[47]  Ahmad-Reza Sadeghi,et al.  Property-Based Attestation without a Trusted Third Party , 2008, ISC.

[48]  Paul England,et al.  Para-Virtualized TPM Sharing , 2008, TRUST.

[49]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[50]  Ruby B. Lee,et al.  Scalable architectural support for trusted software , 2010, HPCA - 16 2010 The Sixteenth International Symposium on High-Performance Computer Architecture.

[51]  Emin Gün Sirer,et al.  Logical attestation: an authorization architecture for trustworthy computing , 2011, SOSP.

[52]  Sagar Chaki,et al.  überSpark: Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor , 2016, USENIX Security Symposium.

[53]  Benjamin Farley,et al.  Resource-freeing attacks: improve your cloud performance (at your neighbor's expense) , 2012, CCS.

[54]  Michael Franz,et al.  Semantic remote attestation: a virtual machine directed approach to trusted computing , 2004 .

[55]  Ruby B. Lee,et al.  CloudMonatt: An architecture for security health monitoring and attestation of virtual machines in cloud computing , 2015, 2015 ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA).

[56]  Stefan Berger,et al.  vTPM: Virtualizing the Trusted Platform Module , 2006, USENIX Security Symposium.

[57]  Bruno Blanchet,et al.  Security Protocol Verification: Symbolic and Computational Models , 2012, POST.

[58]  Ruby B. Lee,et al.  Scalable security architecture for trusted software , 2010 .