A Cleanroom Monitoring System for Network Computing Service Based on Remote Attestation

Most of security measures for network computing are provided by service provider itself. However, this kind of methods cannot be trusted radically by the user for lacking the ability to control the resource directly. The computing environment for the user is unable to know what software will be provided. To address this problem, we present a security scheme, named Cleanroom Monitoring System (CMS), to monitor the computing environment provided by server. The CMS provides a mechanism for the user to control the runtime system. Specifically, a secure server is added in CMS as remote trusted base, to provide clean software for the user. A kernel-based monitoring is designed into client OS for illegal procedure detecting, and it is unable to be bypassed. To protect the monitoring module from malicious attacking, the CMS creates the trust chain from the secure server to the client with a lightweight verifiable computing mechanism. This paper presents the implementation and evaluation of the CMS which has gone through rigorous and thorough evaluation of effectiveness and performance. It is currently deployed on the local server and personal computers for a real scenario. The evaluation result shows that the CMS performs effectively with an acceptable overhead.

[1]  Nezer Zaidenberg,et al.  Remote Attestation of Software and Execution-Environment in Modern Machines , 2015, 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing.

[2]  Peng Ning,et al.  Remote attestation to dynamic system properties: Towards providing complete system integrity evidence , 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[3]  G. Lakpathi,et al.  Identity-Based Encryption with Outsourced Revocation in Cloud Computing , 2016 .

[4]  Chang Young Jung A Computational Dynamic Trust Model for User Authorization , 2015 .

[5]  Stefano Bregni,et al.  Synchronization over Ethernet and IP in next-generation networks [Guest Editorial] , 2010 .

[6]  Yaoxue Zhang,et al.  TransOS: a transparent computing-based operating system for the cloud , 2012, Int. J. Cloud Comput..

[7]  Sugata Sanyal,et al.  A Survey on Security Issues in Cloud Computing , 2011, 1109.5388.

[8]  Xuxian Jiang,et al.  Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing , 2008, RAID.

[9]  Schahram Dustdar,et al.  Esc: Towards an Elastic Stream Computing Platform for the Cloud , 2011, 2011 IEEE 4th International Conference on Cloud Computing.

[10]  Matti A. Hiltunen,et al.  System Call Monitoring Using Authenticated System Calls , 2006, IEEE Transactions on Dependable and Secure Computing.

[11]  Leonardo Neumeyer,et al.  S4: Distributed Stream Computing Platform , 2010, 2010 IEEE International Conference on Data Mining Workshops.

[12]  Jean-Pierre Seifert,et al.  Remote Attestation with Domain-Based Integrity Model and Policy Analysis , 2012, IEEE Transactions on Dependable and Secure Computing.

[13]  Yunheung Paek,et al.  Detecting and Preventing Kernel Rootkit Attacks with Bus Snooping , 2017, IEEE Transactions on Dependable and Secure Computing.

[14]  Gang Xu,et al.  Verifiable Computation with Reduced Informational Costs and Computational Costs , 2014, ESORICS.

[15]  Pritesh Jain,et al.  A survey and analysis of cloud model-based security for computing secure cloud bursting and aggregation in renal environment , 2011, 2011 World Congress on Information and Communication Technologies.

[16]  Harlan D. Mills,et al.  Engineering software under statistical quality control , 1990, IEEE Software.

[17]  Shaohua Tang,et al.  Verifiable computation with access control in cloud computing , 2013, The Journal of Supercomputing.

[18]  Liang Zhong,et al.  A VMM-Based System Call Interposition Framework for Program Monitoring , 2010, 2010 IEEE 16th International Conference on Parallel and Distributed Systems.

[19]  Haralambos Mouratidis,et al.  Cloud Security Audit for Migration and Continuous Monitoring , 2015, 2015 IEEE Trustcom/BigDataSE/ISPA.

[20]  Xiangjian He,et al.  Unsupervised Feature Selection Method for Intrusion Detection System , 2015, 2015 IEEE Trustcom/BigDataSE/ISPA.

[21]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.

[22]  Carlos Becker Westphall,et al.  Toward an architecture for monitoring private clouds , 2011, IEEE Communications Magazine.

[23]  Henda Ben Ghezala,et al.  A Secure Cloud Computing Architecture Design , 2014, 2014 2nd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering.

[24]  Jianer Chen,et al.  Security from the transparent computing aspect , 2014, 2014 International Conference on Computing, Networking and Communications (ICNC).

[25]  Jin Wang,et al.  Mutual Verifiable Provable Data Auditing in Public Cloud Storage , 2015 .

[26]  Luis Rodero-Merino,et al.  Finding your Way in the Fog: Towards a Comprehensive Definition of Fog Computing , 2014, CCRV.