A Framework for Realizing Security on Demand in Cloud Computing

In this paper we present our vision for Security on Demand in cloud computing: a system where cloud providers can offer customized security for customers' code and data throughout the term of contract. Security on demand enables security-focussed competitive service differentiation and pricing, based on a threat model that matches the customer's security requirements for the virtual machine he is leasing. It also enables a cloud provider to bring in new secure servers to the data center, and derive revenue from these servers, while still using existing servers. We show a framework where customers' security requests can be expressed and enforced by leveraging the capabilities of servers with different security architectures.

[1]  G. Edward Suh,et al.  AEGIS: architecture for tamper-evident and tamper-resistant processing , 2003, ICS.

[2]  Umesh Deshpande,et al.  Live gang migration of virtual machines , 2011, HPDC '11.

[3]  Roy T. Fielding,et al.  The Apache HTTP Server Project , 1997, IEEE Internet Comput..

[4]  Jennifer Rexford,et al.  NoHype: virtualized cloud infrastructure without the virtualization , 2010, ISCA.

[5]  Ruby B. Lee,et al.  A software-hardware architecture for self-protecting data , 2012, CCS.

[6]  Yellu Sreenivasulu,et al.  FAST TRANSPARENT MIGRATION FOR VIRTUAL MACHINES , 2014 .

[7]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[8]  Jaehyuk Huh,et al.  Architectural support for secure virtualization under a vulnerable hypervisor , 2011, 2011 44th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[9]  Elisabeth Buffard,et al.  VLC Media Player , 2012 .

[10]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[11]  Heiko Ludwig,et al.  Web Service Level Agreement (WSLA) Language Specification , 2003 .

[12]  Deshi Ye,et al.  Virt-LM: a benchmark for live migration of virtual machine , 2011, ICPE '11.

[13]  Pankesh Patel,et al.  Service Level Agreement in Cloud Computing , 2009 .

[14]  Alexander Tereshkin Evil maid goes after PGP whole disk encryption , 2010, SIN.

[15]  Juan del Cuvillo,et al.  Using innovative instructions to create trustworthy software solutions , 2013, HASP '13.

[16]  Ruby B. Lee,et al.  Scalable architectural support for trusted software , 2010, HPCA - 16 2010 The Sixteenth International Symposium on High-Performance Computer Architecture.

[17]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[18]  Sean W. Smith,et al.  Building the IBM 4758 Secure Coprocessor , 2001, Computer.

[19]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[20]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[21]  Ruby B. Lee,et al.  Scalable security architecture for trusted software , 2010 .

[22]  H. Peter Hofstee,et al.  Cell Broadband Engine processor vault security architecture , 2007, IBM J. Res. Dev..

[23]  Ruby B. Lee,et al.  Architectural support for hypervisor-secure virtualization , 2012, ASPLOS XVII.

[24]  Jennifer Rexford,et al.  Eliminating the hypervisor attack surface for a more secure cloud , 2011, CCS '11.

[25]  Rui Wang,et al.  Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow , 2010, 2010 IEEE Symposium on Security and Privacy.

[26]  Ruby B. Lee,et al.  Hardware-rooted trust for secure key management and transient trust , 2007, CCS '07.

[27]  Scott A. Rotondo Trusted Computing Group , 2011, Encyclopedia of Cryptography and Security.

[28]  Ruby B. Lee,et al.  Architecture for protecting critical secrets in microprocessors , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[29]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[30]  Xiaoxin Chen,et al.  Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems , 2008, ASPLOS.

[31]  Jakub Szefer,et al.  Architectures for Secure Cloud Computing Servers , 2013 .

[32]  Andrew Warfield,et al.  Live migration of virtual machines , 2005, NSDI.