Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments
- 1. Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments Nicolae Paladi1*, Christian Gehrmann1, Mudassar Aslam1, Fredric Morenius2 1 Swedish Institute of Computer Science 2 Ericsson Research
- 2. 2 Contents 1. Infrastructure-as-a-Service 2. Problem Setting 3. Attacker Model 4. Related Work 5. Protocol Description 6. Protocol Implementation 7. Conclusion - u re ct ru - st a fra as- vice In r Se
- 3. 3 Infrastructure-as-a-Service • A 'cloud computing' service model (NIST:2011): Provision processing, storage, networks. Deploy and run arbitrary software No control over underlying cloud infrastructure Control over OS, storage, deployed applications. Limited control of select networking components. rio e na d s Sc an tion i in def
- 4. 4 Scenario and Definitions Scheduler (S) Compute Compute Compute Host Host Host (CH) (CH) (CH) Hardware Hardware Hardware Client (C) f rie te B o M N TP on
- 5. 5 A Brief Note on TPM • Trusted platform module v1.2 as specified by TCG • v2.0 is currently under review • Tamper-evident • 16+ PCRs as volatile or non-volatile storage Four operations: Signing / Binding / Sealing / Sealed-sign em o bl ng Pr etti S
- 6. 6 Problem Setting • “Consumer is able to deploy and run arbitrary software, which can include operating systems and applications.” • Client can launch VMs for sensitive computations. • Trusted VM launch – the correct VM is launched in a IaaS platform on a host with a known software stack verified to not have been modified by malicious actors. • How do we ensure a trusted VM launch in an untrusted IaaS environment? er ta c k el At od M
- 7. 7 Attacker Model • (Ar) has root access to IaaS hosts. • (Ar) has no physical access. • (Ar) has no access to CH's memory. • (Ar) can act maliciously or in good faith. ck tta ario A n e Sc 1 • (A ) can be a person/malicious software/code bug.
- 8. 8 Attack scenario 1 Remote Attacker Scheduler Ar (S) Trusted Compute Compute Host Host (CH) (CH) Hardware Hardware Hardware Client (C) ck tta ario A n e Sc 2
- 9. 9 Attack scenario 2 Remote Attacker Ar Compute Compute Host Host (CH) (CH) Hardware Hardware Hardware Client (C) ed lat rk Re o W
- 10. 10 Related Work d u ste d Tr hir ty T ar P
- 11. 11 Trusted VM Launch Protocol: Trusted Third Party • Trusted Third Party (TTP) – trusted by C and IaaS, able to assess the SP of CH according to predefined guidelines. • Security profile (SP) – verified setup of an VM, trusted by the Participants. • Currently no fine-grained scale of SP available. • Limited to only matching the measurements with reference values. g Bi e e r Th ictu P
- 12. The big picture 3. (S) 1. 4. 5. 2. CH CH CH 6. HW HW HW + TPM l Client (C) c o ion to t ro crip P s 1) e ( D
- 13. 13 Trusted VM Launch Protocol: Protocol Details (1) l c o ion to t ro crip P s 2) e ( D
- 14. 14 Trusted VM Launch Protocol: Protocol Details (2) l co ion to t ro rip P sc 3) e ( D
- 15. 15 Trusted VM Launch Protocol: Protocol Details (3) l c o ion to t ro crip P s 4) e ( D
- 16. 16 Trusted VM Launch Protocol: Protocol Details (4) k S tac n pe O
- 17. 18 Trusted VM Launch Protocol: OpenStack • Protocol was implemented in OpenStack • Open Source IaaS deployment and management platform. • Large user base and multiple industry contributors • “Essex” release as baseline. • Aimed to have a minimal footprint in terms of code modifications. • Implementation changed 4 components involved in the launch process (presented next). l n co atio to t r o en P m ) e pl (1 Im
- 18. 19 Trusted VM Launch Protocol: Protocol Implementation (1) Affected components: • Nova SQL db – global security profile per compute host. • Dashboard – request compute host attestation, minimum SP, TTP’s URL and Token upload. • Scheduler – SimpleScheduler to schedule VM launches on trusted CH with the requested–or stricter–SP. • Nova compute – support communication with TPM through TSS, encryption/decryption and VM image integrity assessment. l n co tatio to ro en P e m 2) pl ( Im
- 19. 20 Trusted VM Launch Protocol: Protocol Implementation (2) • TrustedComputingPools (currently in blueprints) will introduce TPM support in OpenStack • Trusted IaaS provider with untrusted nodes. • Node attestation offered as “premium service”. • Node attestation performed by IaaS provider itself. n u si o n cl Co
- 20. 21 Conclusion • A trusted VM launch protocol available assuming an untrusted IaaS platform + TPM + physical security of the hosts. • Fairly close to ongoing industrial implementation but offers stricter security guarantees. • Fine-grained attestation process on the TTP side still a research challenge.