Trusted Bytecode Virtual Machine Module: A Novel Method for Dynamic Remote Attestation in Cloud Computing

Mei, Songzhu; Wang, Zhiying; Cheng, Yong Qiang; Ren, Jiangchun; Wu, Jiangjiang; Zhou, Jie

doi:10.1080/18756891.2012.733231

Cited by 14 publications

(9 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2011) and remote attestation to ensure the trustworthy of guest kernel (Mei et al. 2012), combined with our work, would greatly improve the overall security of the cloud platform.…”

Section: Related Workmentioning

confidence: 73%

Hardware assisted hypervisor introspection

Shi

Yang

Tang³

2016

SpringerPlus

View full text Add to dashboard Cite

In this paper, we introduce hypervisor introspection, an out-of-box way to monitor the execution of hypervisors. Similar to virtual machine introspection which has been proposed to protect virtual machines in an out-of-box way over the past decade, hypervisor introspection can be used to protect hypervisors which are the basis of cloud security. Virtual machine introspection tools are usually deployed either in hypervisor or in privileged virtual machines, which might also be compromised. By utilizing hardware support including nested virtualization, EPT protection and #BP, we are able to monitor all hypercalls belongs to the virtual machines of one hypervisor, include that of privileged virtual machine and even when the hypervisor is compromised. What’s more, hypercall injection method is used to simulate hypercall-based attacks and evaluate the performance of our method. Experiment results show that our method can effectively detect hypercall-based attacks with some performance cost. Lastly, we discuss our furture approaches of reducing the performance cost and preventing the compromised hypervisor from detecting the existence of our introspector, in addition with some new scenarios to apply our hypervisor introspection system.

show abstract

“…2011) and remote attestation to ensure the trustworthy of guest kernel (Mei et al. 2012), combined with our work, would greatly improve the overall security of the cloud platform.…”

Section: Related Workmentioning

confidence: 73%

Hardware assisted hypervisor introspection

Shi

Yang

Tang³

2016

SpringerPlus

View full text Add to dashboard Cite

show abstract

“…Cloud users are able to choose any model above (SaaS, PaaS, IaaS) according to functionality and security concerns. Apparently, the IaaS model is the better choice for providing the most security assurance as the users can enforce their security policies at their will [13].…”

Section: Cloud Computingmentioning

confidence: 99%

“…On the other hand, a secure network connection between a requester and an attester is requisite to satisfy the confidentiality requirement and not to expose the detailed information of the attested system, such as a TLS/SSL-protected connection.In a cloud environment, a set of requesters may simultaneously raise their requests to challenge the same target, such as attestations on security monitor systems [9][10][11] or microservices-based cloud systems [12]. While some previous works proposed techniques for TPM-based attestation over a secure connection [6,13,14], they focused on the single-requester scenario. If every requester is to run a standard attestation, the throughput of the attester would be extremely low due to the numerous operations in the signature and encryption.…”

mentioning

confidence: 99%

Astrape: An Efficient Concurrent Cloud Attestation with Ciphertext-Policy Attribute-Based Encryption

Zhou

Mei

et al. 2018

Symmetry

Self Cite

View full text Add to dashboard Cite

Cloud computing emerges as a change in the business paradigm that offers pay-as-you-go computing capability and brings enormous benefits, but there are numerous organizations showing hesitation for the adoption of cloud computing due to security concerns. Remote attestation has been proven to boost confidence in clouds to guarantee hosted cloud applications' integrity. However, the state-of-the-art attestation schemes do not fit that multiple requesters raise their challenges simultaneously, thereby leading to larger performance overheads on the attester side. To address that, we propose an efficient and trustworthy concurrent attestation architecture under multi-requester scenarios, Astrape, to improve efficiency in the integrity and confidentiality protection aspects to generate an unforgeable and encrypted attestation report. Specifically, we propose two key techniques in this paper. The first one-aggregated attestation signature-reliably protects the attestation content from being compromised even in the presence of adversaries who have full control of the network, therefore successfully providing attestation integrity. The second one-delegation-based controlled report-introduces a third-party service to distribute the attestation report to requesters in order to save computation and communication overload on the attested party. The report is encrypted with an access policy by using attribute-based encryption and accessed by a limited number of qualified requesters, hence supporting attestation confidentiality. The experimental results show that Astrape can take no more than 0.4 s to generate an unforgeable and encrypted report for 1000 requesters and deliver a throughput speedup of approximately 30× in comparison to the existing attestation systems.Symmetry 2018, 10, 425 2 of 25 Remote attestation has been proposed for this purpose by analyzing the integrity of a remote system to judge its trustworthiness. Typical attestation schemes are designed based on the following steps. First, an attestation challenger (requester) sends a target system (attester) a challenge message in which there is a random nonce against replay attack. Second, the attester responds with an evidence report about the integrity of its components in an unforgeable manner. Finally, the requester verifies the report and determines whether the status of the attested system is acceptable. Attestation systems in cloud computing typically face challenges in integrity and confidentiality protection as the open network in public clouds is a prime attack vector for adversaries. On the one hand, one common approach to guarantee integrity is to employ a standard signature [6] based on a pair of attestation keys in a Trusted Platform Module (TPM) [7,8] that is first introduced by the Trusted Computing Group (TCG). The standard signature is called the quote operation in trusted computing. On the other hand, a secure network connection between a requester and an attester is requisite to satisfy the confidentiality requirement and not to expose the det...

show abstract

“…However, it pays great attention to the semantic correctness rather than trusted running status. Some works [9] [10] have been done to use trusted computing to ensure application running as expected, which has laid a foundation stone for this paper.…”

Section: Related Workmentioning

confidence: 99%

JVM-Based Dynamic Attestation in Cloud Computing

Wang

Ren

et al. 2014

2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications

Self Cite

View full text Add to dashboard Cite

Cloud computing has brought academic and industry tremendous benefits and improved computing efficiency compared with the traditional model; however, the adoption of this unique model also exacerbates security challenges and raises trust risks. And existing security solutions have less effectiveness and efficiency upon these unchartered cloud threats. We introduce trusted computing into current cloud platform to address the above issues and design JVM-based Dynamic Attestation Architecture, DTEM, to support application services with robust security guarantee. This framework gives trusted-degree estimate for the deployment and runtime status of an application as well as dynamically responds remote attestation with integrity proof of running applications.

show abstract

Trusted Bytecode Virtual Machine Module: A Novel Method for Dynamic Remote Attestation in Cloud Computing

Cited by 14 publications

References 8 publications

Hardware assisted hypervisor introspection

Hardware assisted hypervisor introspection

Astrape: An Efficient Concurrent Cloud Attestation with Ciphertext-Policy Attribute-Based Encryption

JVM-Based Dynamic Attestation in Cloud Computing

Contact Info

Product

Resources

About