How to Secure Infrastructure Clouds with Trusted Computing Technologies Nicolae Paladi Swedish Institute of Computer Science


Page 1

How to Secure Infrastructure Clouds with Trusted Computing Technologies

Nicolae Paladi

Swedish Institute of Computer Science

Page 2

Contents

1. Infrastructure-as-a-Service

2. Security challenges of IaaS

3. Trusted Computing and TPM

4. Trusted VM launch

5. InfraCloud

6. Future work

Page 3

Infrastructure-as-a-Service

• A 'cloud computing' service model (NIST:2011):

  • Provision processing, storage, networks.

  • Deploy and run arbitrary software.

  • No control over underlying cloud infrastructure.

  • Control over OS, storage, deployed applications.

  • Limited control of select networking components.

Page 4

Infrastructure-as-a-Service architectural overview

Figure: OpenStack architectural overview (https://wiki.openstack.org/wiki/ArchitecturalOverview)

Page 5

Infrastructure-as-a-Service security issues

Figure: OpenStack architectural overview (https://wiki.openstack.org/wiki/ArchitecturalOverview)

• 2011: Vulnerabilities in the AWS management console (XSS and XML wrapping attacks).

• 2012: Cross-VM side channels can be used to extract private keys.

• 2012: Rackspace's "dirty disks".

Page 8

Can we help it?

Page 9

Introducing the TPM

• Trusted Platform Module v1.2 as specified by the TCG.

• v2.0 is currently under review.

• Tamper-evident.

• 16+ PCRs for volatile storage.

• Four operations: Signing / Binding / Sealing / Sealed-sign.

Page 10

Introducing the TPM: output

• Produces integrity measurements of the firmware at boot time.

• Can produce integrity measurements of the loaded kernel modules (sample output shown on the slide).

Page 11

Introducing the TPM: usage

• Microsoft BitLocker

• Google Chromium OS

• Citrix XenServer

• Oracle’s X- and T-Series Systems

• HP ProtectTools

• Others

Page 12

Securing IaaS environments with trusted computing

• Virtualization security.

• Storage protection in IaaS environments.

• Computing security in IaaS environments.

• Remote host software integrity attestation.

• Runtime host software integrity attestation.

• Encryption key management in IaaS environments.

Page 13

Computing security in IaaS environments: Problem Setting

• “Consumer is able to deploy and run arbitrary software, which can include operating systems and applications.”

• Client can launch VMs for sensitive computations.

• Trusted VM launch: the correct VM is launched in an IaaS platform on a host with a known software stack, verified not to have been modified by malicious actors.

• IaaS security with trusted computing.

How do we ensure a trusted VM launch in an untrusted IaaS environment?

Page 14

Attack scenario 1

Figure: Client (C), Scheduler (S), a Trusted Compute Host (CH) and further Compute Hosts (CH), each running on its own Hardware, plus a Remote attacker (Ar).

Ar could schedule the VM instance to be launched on a compromised host.

Page 15

Attack scenario 2

Figure: Client (C), Scheduler (S), a Trusted Compute Host (CH) and further Compute Hosts (CH), each running on its own Hardware, plus a Remote attacker (Ar).

Ar could compromise the VM image prior to launch.

Page 16

Trusted VM launch protocol

• Ensure the VM image is launched on a trusted host.

• Ensure communication with the VM launched on a trusted CH rather than with a random VM.

• Compute host verifies the integrity of the VM image to be launched.

• Minimum implementation footprint on the IaaS codebase.

• Transparent view of the secure launch procedures.

Page 17

Protocol: bird's-eye view

Figure: protocol overview with Client (C), Scheduler (S) and Compute Hosts (CH) on hardware (HW), one host equipped with a TPM; the message flow is drawn as six numbered steps (1.–6.).

Page 18

Prototype implementation

• OpenStack cluster deployed on 3 nodes (TPM-equipped).

• Code extensions:

  • Changes to the OpenStack launch procedure.

  • Implementation of an OpenStack–TPM communication "glue".

  • Implementation of a TTP (interpretation of attestation info).

  • Implementation of client-side functionality (token generation, trusted launch verification).
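As an added example (not code from the talk or from the prototype), the Python below shows what the TTP's "interpretation of attestation info" amounts to for the firmware and kernel-module measurements mentioned on the TPM slides: it replays a measurement log into TPM 1.2-style SHA-1 PCRs, checks the replayed values against the values the TPM quoted, and then against a known-good set. The log entries, the known-good set and all names are constructed for illustration.

```python
import hashlib

# TPM 1.2 PCRs hold SHA-1 digests and are all-zero after platform reset.
PCR_RESET = bytes(20)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM Extend operation: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()

def replay_log(log):
    """Recompute the PCR values an ordered measurement log should yield.
    Each entry is (pcr_index, component_name, component_bytes)."""
    pcrs = {}
    for idx, _name, content in log:
        digest = hashlib.sha1(content).digest()  # measurement of the component
        pcrs[idx] = extend(pcrs.get(idx, PCR_RESET), digest)
    return pcrs

def attest(log, quoted_pcrs, known_good):
    """TTP-side check: (1) the replayed log must equal what the TPM quoted,
    else the log was tampered with; (2) every replayed value must be in the
    known-good set for that PCR, else an unexpected component was loaded."""
    replayed = replay_log(log)
    reasons = []
    for idx, value in replayed.items():
        if quoted_pcrs.get(idx) != value:
            reasons.append(f"PCR{idx}: log does not match quote")
        elif value not in known_good.get(idx, set()):
            reasons.append(f"PCR{idx}: value not in known-good set")
    return (not reasons, reasons)

# Constructed sample log: firmware into PCR0, kernel modules into PCR10.
GOOD_LOG = [
    (0, "firmware", b"constructed firmware image v1.0"),
    (10, "module ext4.ko", b"constructed ext4 module bytes"),
    (10, "module kvm.ko", b"constructed kvm module bytes"),
]
# Known-good set: the values a correctly configured host produces.
KNOWN_GOOD = {idx: {val} for idx, val in replay_log(GOOD_LOG).items()}
EXTRA = (10, "module unexpected.ko", b"constructed unknown module bytes")

def check_honest_host():
    """Host runs exactly the expected stack; quote matches the replayed log."""
    return attest(GOOD_LOG, replay_log(GOOD_LOG), KNOWN_GOOD)

def check_unexpected_module():
    """Host loaded an extra module; the TPM records it, so PCR10 leaves the set."""
    log = GOOD_LOG + [EXTRA]
    return attest(log, replay_log(log), KNOWN_GOOD)

def check_forged_log():
    """Host presents the clean log, but its TPM quotes the real, extended PCR10."""
    return attest(GOOD_LOG, replay_log(GOOD_LOG + [EXTRA]), KNOWN_GOOD)
```

The two failing cases show why both checks are needed: a faithful log with an unknown component fails the known-good comparison, while a doctored log fails the quote comparison.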

Page 19

Securing IaaS with InfraCloud: The project

• Ongoing project in collaboration between Region Skåne, Ericsson Research and SICS.

• Aim: proof-of-concept design and deployment of one of the region's medical journaling systems in a hardened and trustworthy IaaS environment.

• Prototype implementation based on earlier research, as well as solutions to newly identified challenges.

Page 20

Securing IaaS with InfraCloud: The challenges

Numerous new research challenges have been identified already in the early stages of the project:

• Storage protection in untrusted IaaS environments.

• Verification and protection of a deployment's network configuration.

• Runtime VM instance protection (prevent memory dumping, cloning).

• Secure key handling mechanisms in untrusted IaaS deployments.

• Update and patch deployment on guest VM instances.

• Interpretation of TPM attestation data.

Page 21

Conclusion

• Out-of-the-box public IaaS is probably not acceptable for most organizations handling sensitive data.

• A comprehensive solution for data protection in public IaaS environments has not been found yet.

• The SICS Secure Systems lab works on various aspects of guest protection in untrusted IaaS.

• Trusted Computing Technologies make it possible to address some of the issues with IaaS security.

• Participation in the InfraCloud project and practical application of the protocols reveal multiple new research challenges.