A TRUSTED IAAS ENVIRONMENT WITH HARDWARE SECURITY MODULE Abstract—With the proliferation of cloud computing, security concerns about confidentiality violations of user data by the privileged domain and system administrators have been growing. This paper proposes secure cloud architecture with a hardware security module, which isolates cloud user data from potentially malicious privileged domains or cloud administrators. Within a securely isolated execution environment, the hardware security module provides essential security functionality with only restricted interfaces exposed to vulnerable management systems or cloud administrators. Such restriction prevents cloud

A Trusted IaaS Environment with Hardware Security Module

Abstract—With the proliferation of cloud computing, security concerns about

confidentiality violations of user data by the privileged domain and system

administrators have been growing. This paper proposes secure cloud architecture

with a hardware security module, which isolates cloud user data from potentially

malicious privileged domains or cloud administrators. Within a securely isolated

execution environment, the hardware security module provides essential security

functionality with only restricted interfaces exposed to vulnerable management

systems or cloud administrators. Such restriction prevents cloud administrators

from affecting the security of guest VMs. The proposed architecture not only

defends against wide attack vectors but also achieves a small TCB. This paper

discusses our hardware and software implementation of the proposed cloud

architecture, analyzes its security, and presents its performance results.


There have been many prior studies that aimed to enhance the security of cloud

architecture. Here, we discuss several studies focused on hardening virtualization

environments and enhancing the security of guest VMs, followed by enforcement

to launch VMs on a verified platform. Hardening virtualization components. To

enable virtualization, VMM and a privileged domain are essential components.

Hardening such components is a stepping stone toward the security of

virtualization. Bleikertz et al. protects VMM by a policy enforcement scheme

adopted in SELinux. Several studies focused on reducing TCB since a small TCB

implies that the system has a narrow attack surface. Murray et al. reconstructed

privileged domain components to reduce TCB. Since the security processes in the

privileged domain were moved to a separated domain and the domain was smaller

than the privileged domain, overall TCB was reduced. Gebhardt et al. exploited

Virtual Machine eXtension (VMX) for hardening VMM. By segregating code

blocks in VMM by hardware, the TCB of the overall system was reduced.

Enhancing the security of guest VMs. Since the concept of cloud-box execution

was introduced, several implementations have been proposed. To ensure an

execution environment protected from a compromised privileged domain and a

malicious administrator, an addition domain or a modified VMM was used.

However, to secure storage of guest VMs, a cloud user should encrypt VM images

or should deliver a master key for cryptographic operations. That such actions were

burdens for cloud users was not considered in prior work. In contrast, the proposed

system deploys VMs with pre-made images in a cloud repository and delivers

cryptographic keys by a cloud system. Thus, cloud users are free from such

burdens. Adopting an additional domain provides flexibility to manage guest VMs,

such as for encrypting images and for virtual machine introspection (VMI).


In this paper makes the following contributions.

_ We propose a trusted cloud system providing restricted interfaces to cloud

administrators. By providing a hardware security module supporting special

storage which is inaccessible to cloud administrators, security-critical data in the

hardware are isolated. Such restriction prevents malicious cloud administrators

from a_ecting the security

of guest VMs.

_ The proposed system provides a secure connection scheme between a user and an

allocated VM. Is also enables a cloud user to verify the allocated VM as well as the

VMM where the allocated VM runs before the first connection. Moreover, the

connection between a cloud user and an allocated VM is secured by exchanging


_ The proposed system provides a secure storage scheme. To protect VM guest

images from cloud administrators, the cloud system should isolate the

cryptographic environment as well as a cryptographic key and integrity data. Since

the cryptographic environment is not by privileged domains, VM images of guest

VMs are protected in the proposed system.

_ The proposed system provides a secure management scheme. Since a

management operation is triggered by a cloud user, and the result of the operation

is reported to the user, a cloud user knows the exact VM state. Therefore, cloud

administrators cannot change the VM state at their discretion.

_ The protocols in this paper are verified by an automatic protocol verification

tool. When a communication protocol is not designed correctly, a malicious entity

can compromise the protocol and take control of communication. We verified that

the protocols are correctly designed with an automatic verification tool.

Module 1

Cloud computing

Cloud computing refers to both the applications delivered as services over the

Internet and the hardware and systems software in the datacenters that provide

those services. There are four basic cloud delivery models, as outlined by NIST

(Badger et al., 2011), based on who provides the cloud services. The agencies may

employ one model or a combination of different models for efficient and optimized

delivery of applications and business services. These four delivery models are: (i)

Private cloud in which cloud services are provided solely for an organization and

are managed by the organization or a third party. These services may exist off-site.

(ii) Public cloud in which cloud services are available to the public and owned by

an organization selling the cloud services, for example, Amazon cloud service. (iii)

Community cloud in which cloud services are shared by several organizations for

supporting a specific community that has shared concerns (e.g., mission, security

requirements, policy, and compliance considerations). These services may be

managed by the organizations or a third party and may exist offsite. A Special case

of Community cloud is The Government or G-Cloud. This type of cloud

computing is provided by one or more agencies (service provider role), for use by

all, or most, government agencies (user role). (iv) Hybrid cloud which is a

composition of different cloud computing infrastructure (public, private or

community). An example for hybrid cloud is the data stored in private cloud of a

travel agency that is manipulated by a program running in the public cloud.

Module 2

System Design

We propose a new cloud architecture protecting the security of guest VMs against

potentially malicious cloud administrators by isolating security-critical processes.

This isolation is accomplished by providing restricted interfaces to a privileged

domain. This architectural isolation guarantees that: a) a secure connection exists

between a cloud user and an allocated VM, b) a secure cryptographic environment

exists for VM images as well as for cryptographic keys and integrity (hash) data,

and c) there is a secure management of guest VMs. The proposed cloud

architecture includes cloud nodes and a trusted 3rd party authority called device

authority (DA). DA verifies each cloud node and lets a cloud user know whether a

VM of the cloud user is running on a verified node. Each cloud node consists of a

VMM called Trusted VMM (TVMM) and of a hardware security. TVMM is a

security-enhanced VMM isolating several data for guest VMs from cloud

administrators. TVMM encrypts the guest VM images with cryptographic keys

delivered by TCM, and enables a secure connection between a cloud user and an

allocated VM. TVMM also validates a management operation triggered by a cloud

user. TCM is a hardware based security module supporting an isolated

environment, and performs several security processes, such as signing and

validation checking, within the isolated environment. TCM also provides special

storage for keys and data. The biggest difference from existing security hardware is

the privilege on the storage. A single root user (a cloud administrator in a cloud

service context) has a root privilege on the storage of existing security hardware,

whereas a cloud user has a privilege only on their TCM data. Therefore, the data in

storage can neither be accessed nor deleted, even by a cloud administrator. In

particular, the proposed architecture provides the following capabilities.

_ Interface isolation: The proposed system provides restricted interfaces to a

privileged domain to isolate security-critical processes and data from the privileged

domain. It also provides security-critical interfaces only to a verified VMM.

_ Secure connection: The proposed system guarantees a secure connection between

a cloud user and an allocated VM.

_ Secure storage: The proposed system guarantees a protected cryptographic

environment for guest VM images.

_ Secure management: The proposed system delegates a VM management

privilege to a cloud user, and provides a way to check the completion of the

management request.

Module 3

Interface isolation

The main goal of the propose architecture is to isolate security critical processes

and data from cloud administrators. Since the proposed architecture does not count

on privileged domains, security processes are performed in TCM and TVMM.

Therefore, the private data in TCM are accessed only by TCM itself and TVMM.

On the other hand, a privileged domain also needs to access TCM for system

managements. Accessing TCM from a privileged domain, however, jeopardizes

the security of guest VMs. To resolve this dilemma, the proposed system supports

dual interfaces which expose different interfaces, management and security-critical

interfaces, to a privileged domain and TVMM respectively. Management interface

is a set of interfaces for initiating VM creation, destruction, and attestation.

Therefore, the management interface is used by a privileged domain and includes

following functions which are unrelated to accessing private data of guest VMs.

Although the privileged domain initiates the management operations, any security-

sensitive operations are conducted within TCM, protecting the private data.

Measurement and reporting: TCM supports an attestation function including

system measurement and reporting as TPM does. TCM stores system measurement

values in special registers called platform configuration registers (PCRs) and

returns a quoted blob. Since the measurement values are the calculated hash values

of platform software stacks, an external entity is able to attest the platform where

TCM is equipped.

_ Entrusted attestation: After the system boots, only measurement and reporting

and entrusted attestation functions are available to a privileged domain, but other

functions remain unavailable. They become available only after verifying system

states with the entrusted attestation performed via the management interface.

_ Managing VSC: TCM maintains a data structure called VM security context

(VSC), which contains securitycritical data for each VM. VSC has cryptographic

keys for disk encryption, and has the integrity data of VM images. Even though the

keys and integrity data are read and modified via a security-critical interface,

allocation and deallocation are accomplished via the management interface.

Security critical interface is accessible only from the verified TVMM to provide

security related functionality. To be specific, the following functions are provided.

_ Accessing cryptographic keys and integrity data: TCM creates cryptographic

keys for VM images and integrity data of the images, and stores them in VSC. The

keys and integrity data are accessible from TVMM, which is verified with the

entrusted attestation scheme before accessing the keys and integrity data.

_ Signing initial guest image hash: To guarantee that a cloud user connects to a

correct VM on the attested platform, the user should be able to check the initial

guest image hash. The guest image hash is signed by the AIK of TCM to prevent

forgery, and is verified by DA afterwards. This function is used for the secure

connection between users and TCM, as described in the following section.

_ Management request validation: A cloud user sends a management operation to a

cloud node. When such an operation is not triggered by a valid cloud user, the VM

state of a cloud user could be changed arbitrarily. Thus, this function is used for

validating the owner of a guest VM as described in x3.4. In the proposed system

architecture, the system BIOS, bootloader, and VMM are also part of the TCB, in

addition to TCM. Although TCM itself is verified and cannot be changed in an

isolated environment, the other system software stack must be verified to guarantee

the trustworthiness of the entire cloud system. TCM grants VMM accesses to

security sensitive services only if the VMM is verified to be a known-correct

TVMM. Since the TVMM denies any access from a privileged

Module 4

Secure connection

To establish a secure connection between a cloud user and an allocated VM, there

are three equirements. First, a cloud user should attest the platform where the

allocated VM is running. Second, a cloud user should attest the allocated VM

images. Third, a cloud user should receive a VM server key (e.g., SSH server key

of the VM) and set a user key (e.g., user key of SSH server) securely in the

allocated VM. To meet these requirements, we define a secure connection protocol

and summarize keys in the protocol. Since platform information and VM image

information includes ash values that a cloud user does not know, the cloud user

communicates to DA and DA translates such hash values into human recognizable

information according to the protocol. DA communicates to TCM with a session

key created by the entrusted verification protocol. During the entrusted verification

process, DA attests the platform meeting the first requirement. To meet the second

requirement, the proposed system stores the hashes of initial images during initial

deployment, and the hashes are verified by DA afterward to ensure the initial

integrity of VM images. In most cloud services, pre-made VM images are used to

launch a new VM. Even though they exist as unencrypted images in the cloud

repository, they are encrypted with a cryptographic key in VSC before the first

launch. During the encryption process, the initial integrity hash value is calculated

and stored in VSC. The hash value is delivered to DA in Step 9, and DA translates

the hash value to VM image information such as OS version and software stacks.

The VM image information is delivered to the cloud user in Step 10 and the cloud

user is able to check the allocated VM images. To meet the third requirement, a

VM server key and a user key are also exchanged securely with the proposed

protocol. For major cloud service vendors, cloud systems create user keys and

stores them in their server. Afterwards, an allocated VM downloads the user key

via HTTP. Accordingly, cloud administrators can access the stored user key.

Contrary to such an approach, with the proposed protocol, a cloud user creates a

pair of cryptographic keys and delivers the public part of the key to the allocated

VM. The user key is denoted by UK. Since the user key is asymmetric, the private

part of the user key is and is never revealed. The VM server key denoted by VK is

created by the OS of the allocated VM and is delivered to the cloud user via the

protocol. Therefore, only the cloud user is able to connect to the allocated VM.

Once a VM server key and a user key are exchanged, the communication between

a cloud user and an allocated VM is secured by a public key protocol such as the

Needham- Schroeder-Lowe protocol.


Security is a primary consideration for cloud users. Even though security threats by

cloud administrators are feasible

and critical, cloud service providers are mainly concerned with security threats

from external attacks rather than internal attacks. This viewpoint hinders the

proliferation of cloud computing. In this paper was presented a cloud system

architecture consisting of TCM and TVMM to prevent cloud administrators from

a_ecting the security of guest VMs. As the architecture isolates the data of cloud

users from cloud administrators, the data of cloud users are protected even with a

compromised privileged domain or malicious cloud administrators. The proposed

system provides security functionality against wide attack vectors and achieves a

small TCB. It also shows reasonable I/O performance, proving its feasibility.


