Presentation for the Trusted Computing Security workshop 2013 organized in Lund, Sweden by the SICS secure systems lab

1. How to Secure Infrastructure Clouds with Trusted
Computing Technologies
Nicolae Paladi
Swedish Institute of Computer Science

2. 2
Contents
1. Infrastructure-as-a-Service
2. Security challenges of IaaS
3. Trusted Computing and TPM
4. Trusted VM launch
5. InfraCloud
6. Future work

3. 3
Infrastructure-as-a-Service
• A 'cloud computing' service model (NIST:2011):
 Provision processing, storage, networks.
 Deploy and run arbitrary software.
 No control over underlying cloud infrastructure.
 Control over OS, storage, deployed applications.
 Limited control of select networking components.

4. 4
Infrastructure-as-a-Service
architectural overview
OpenStack architectural overview
https://wiki.openstack.org/wiki/ArchitecturalOverview

5. 5
Infrastructure-as-a-Service
security issues
 2011: Vulnerabilities in
the AWS management
console (XSS and XML
wrapping attacks)
OpenStack architectural overview
https://wiki.openstack.org/wiki/ArchitecturalOverview

6. 6
Infrastructure-as-a-Service
security issues
 2011: Vulnerabilities in
the AWS management
console (XSS and XML
wrapping attacks)
 2012: Cross-VM Side
Channels can be used
to extract private keys.
OpenStack architectural overview
https://wiki.openstack.org/wiki/ArchitecturalOverview

7. 7
Infrastructure-as-a-Service
security issues
 2011: Vulnerabilities in
the AWS management
console (XSS and XML
wrapping attacks)
 2012: Cross-VM Side
Channels can be used
to extract private keys
 2012: Rackspace’s
“dirty disks”
OpenStack architectural overview
https://wiki.openstack.org/wiki/ArchitecturalOverview

8. 8
Can we help it?

9. 9
Introducing the TPM
 Trusted platform module v1.2 as specified by TCG.
 v2.0 is currently under review.
 Tamper-evident.
 16+ PCRs for volatile storage.
 Four operations: Signing / Binding / Sealing /
Sealed-sign.

10. 10
Introducing the TPM: output
• Produces integrity measurements of the firmware at
boot time.
 Can produce integrity measurements of the loaded
kernel modules (sample below).

11. 11
Introducing the TPM: usage
• Microsoft BitLocker
• Google Chromium OS
• Citrix XenServer
• Oracle’s X- and T-Series Systems
• HP ProtectTools
• Others

12. 12
Securing IaaS environments
with trusted computing
• Virtualization security.
• Storage protection in IaaS environments.
• Computing security in IaaS environments.
• Remote host software integrity attestation.
• Runtime host software integrity attestation.
• Encryption key management in IaaS environments.

13. 13
Computing security in
IaaS environments: Problem Setting
• “Consumer is able to deploy and run arbitrary software,
which can include operating systems and applications.”
 Client can launch VMs for sensitive computations.
 Trusted VM launch – the correct VM is launched in a IaaS
platform on a host with a known software stack verified to
not have been modified by malicious actors.
 IaaS security with trusted computing.
 How do we ensure a trusted VM launch in an untrusted
IaaS environment?

14. 14
Attack scenario 1
Remote attacker
(Ar)
Scheduler
(S)
Ar could schedule
the VM instance to
be launched on a
compromised host
Trusted
Compute Compute
Host Host
(CH) (CH)
Hardware Hardware Hardware
Client (C)

15. 15
Attack scenario 2
Remote attacker
(Ar)
Scheduler
(S)
Trusted
Compute Compute Compute
Host Host Host
(CH) (CH) (CH)
Ar could
compromise
the VM image
prior to Hardware Hardware Hardware
launch
Client (C)

16. 16
Trusted VM launch protocol
• Ensure VM image launched on a trusted host.
• Ensure communication with VM launched on a trusted
CH rather than a random VM.
• Compute host to verify the integrity VM image to be
launched.
• Minimum implementation footprint on the IaaS
codebase.
• Transparent view of the secure launch procedures.

17. Protocol: birds-eye view
3. (S)
1.
4.
5.
2.
6.
CH CH CH
HW
HW HW +
Client (C) TPM

18. 18
Prototype implementation
• OpenStack cluster deployed on 3 nodes (TPM-equipped)
• Code extensions:
• Changes OpenStack launch procedure.
• Implementation of an OpenStack–TPM communication
“glue”.
• Implementation of a TTP (interpretation of attestation info)
• Implementation of client-side functionality (token generation,
trusted launch verification).

19. 19
Securing IaaS with InfraCloud:
The project
• Ongoing project in collaboration between
Region Skåne, Ericsson Research and SICS.
• Aim: proof of concept design and deployment
of one of the region’s medical journaling
systems in a hardened and trustworthy
IaaS environment.
• Prototype implementation based on earlier
research, as well as solutions to newly
identified challenges.

20. 20
Securing IaaS with InfraCloud:
The challenges
Numerous new research challenges have been identified
already in the early stages of the project:
• Storage protection in untrusted IaaS environments.
• Verification and protection of a deployment’s network
configuration.
• Runtime VM instance protection (prevent memory dumping,
cloning).
• Secure key handling mechanisms in untrusted IaaS
deployments.
• Update and patch deployment on guest VM instances.
• Interpretation of TPM attestation data.

21. 21
Conclusion
• Out-of-the-box public IaaS probably not acceptable
for most organizations handling sensitive data.
• A comprehensive solution for data protection in public
IaaS environments has not been found yet.
• SICS Secure Systems lab works with various aspects
of guest protection in untrusted IaaS.
• Trusted Computing Technologies allow to address
some of the issues with IaaS security.
• Participation in the InfraCloud project and practical
application of protocols reveal multiple new research
challenges.