Volume 22, Issue 5




Trusted Attestation Architecture on an Infrastructure-as-a-Service

Xin Jin, Xingshu Chen, Cheng Zhao, Dandan Zhao
College of Computer Science, Sichuan University, Chengdu 610065, China.

Abstract

Trusted attestation is the main obstacle preventing large-scale adoption of cloud computing. How to extend a trust relationship from a single physical node to an Infrastructure-as-a-Service (IaaS) platform is a problem that must be solved. The IaaS platform provides Virtual Machines (VMs), and the Trusted VM, equipped with a virtual Trusted Platform Module (vTPM), is the foundation of a trusted IaaS platform. We propose a multi-dimensional trusted attestation architecture that collects and verifies trusted attestation information from the computing nodes and manages that information centrally on a cloud management platform. The architecture verifies the IaaS platform's trusted attestation by appraising the trusted status of the VM, the Hypervisor, and the host Operating System (OS). The theory and the technology roadmap are introduced, and the key technologies are analyzed: dynamic measurement of the Hypervisor at the process level, protection of vTPM instances, reinforcement of Hypervisor security, and verification of the IaaS trusted attestation. A prototype was deployed to verify the feasibility of the system, and its advantages were compared with those of Open CIT (Intel's cloud attestation solution). A performance analysis experiment was performed on computing nodes, and the results show that the performance loss is within an acceptable range.
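As an added illustration of the multi-dimensional appraisal the abstract describes (this is not code from the paper or its prototype), the following Python models a central verifier that replays the measurement logs of the host OS, the hypervisor and the VM against reference values held by the management platform, and treats a VM as trusted only when the layers beneath it are. The layer names, log contents, report layout and the TPM-style hash chaining are assumptions made for the example.

```python
import hashlib

# Constructed example: a central verifier appraising one IaaS compute node
# across three dimensions (host OS, hypervisor, VM). All names, report
# fields and log contents are assumptions, not the paper's own format.

LAYERS = ("host_os", "hypervisor", "vm")  # ordered bottom-up by trust dependency

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def replay_log(events):
    """Replay a measurement log from an all-zero PCR, as the verifier does."""
    pcr = bytes(32)
    for event in events:
        pcr = extend(pcr, event)
    return pcr

def appraise_node(report, reference):
    """Per-layer verdicts; a layer is trusted only if every layer below it is."""
    verdict = {}
    trusted_below = True
    for layer in LAYERS:
        quoted = report[layer]["pcr"]                 # value quoted by (v)TPM
        replayed = replay_log(report[layer]["log"])   # log must reproduce the quote
        ok = (quoted == replayed == reference[layer]) and trusted_below
        verdict[layer] = ok
        trusted_below = ok
    return verdict

# Constructed reference (whitelist) values held by the management platform.
HOST_LOG = [b"bootloader", b"kernel-5.x", b"initrd"]
HV_LOG = [b"qemu-kvm", b"libvirtd"]      # process-level hypervisor measurement
VM_LOG = [b"vm-kernel", b"vm-init"]      # measured into the VM's vTPM
REFERENCE = {"host_os": replay_log(HOST_LOG),
             "hypervisor": replay_log(HV_LOG),
             "vm": replay_log(VM_LOG)}

def make_report(host_log, hv_log, vm_log):
    """Build a node report whose quotes are consistent with its logs."""
    return {"host_os": {"log": host_log, "pcr": replay_log(host_log)},
            "hypervisor": {"log": hv_log, "pcr": replay_log(hv_log)},
            "vm": {"log": vm_log, "pcr": replay_log(vm_log)}}

def good_node():
    return appraise_node(make_report(HOST_LOG, HV_LOG, VM_LOG), REFERENCE)

def tampered_hypervisor_node():
    # The VM's own vTPM log is intact, but the hypervisor beneath it is not,
    # so a VM-only check would wrongly report the VM as trusted.
    return appraise_node(make_report(HOST_LOG, [b"qemu-kvm", b"rogue-module"], VM_LOG), REFERENCE)
```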

Keywords: dynamic measurement, trusted cloud, vTPM, trusted attestation


Publication history

Received: 01 October 2016
Accepted: 21 October 2016
Published: 11 September 2017
Issue date: October 2017

Copyright

© The author(s) 2017

Acknowledgements

This work was supported by the National Natural Science Foundation of China (No. 61272447).
