Volume 24, Issue 5


Cloud Virtual Machine Lifecycle Security Framework Based on Trusted Computing

Xin Jin, Qixu Wang (corresponding author), Xiang Li, Xingshu Chen, Wei Wang
College of Computer Science, Sichuan University, Chengdu 610065, China.
College of Cybersecurity, Sichuan University, Chengdu 610065, China.

Abstract

As a foundational component of cloud computing platforms, Virtual Machines (VMs) are confronted with numerous security threats. However, existing solutions tend to focus on threats in one specific state of the VM. In this paper, we propose a novel VM lifecycle security protection framework based on trusted computing that addresses the security threats to VMs throughout their entire lifecycle. Specifically, a concept of the VM lifecycle is presented, partitioned according to the different active states of the VM. Then, a trusted-computing-based security protection framework is developed, which extends the trust relationship from the trusted platform module to the VM and protects the security and reliability of the VM throughout its lifecycle. The theoretical analysis shows that our proposed framework can provide comprehensive protection to a VM in all of its states. Furthermore, experimental results demonstrate that the proposed framework is feasible and achieves a higher level of security than some state-of-the-art schemes.

Keywords: virtual trusted computing, virtual machine lifecycle, trusted chain, security measurement, state monitoring


Publication history

Received: 10 October 2018
Accepted: 10 November 2018
Published: 29 April 2019
Issue date: October 2019

Copyright

© The author(s) 2019

Acknowledgements

This work was supported by the National Natural Science Foundation of China (Nos. 61802270 and 61802271), and the Fundamental Research Funds for the Central Universities (Nos. SCU2018D018 and SCU2018D022).
