Trusted Virtual Domains – Design, Implementation and Lessons Learned

Catuogno, Luigi; Dmitrienko, Alexandra; Eriksson, Konrad; Kuhlmann, Dirk; Ramunno, Gianluca; Sadeghi, Ahmad-Reza; Schulz, Steffen; Schunter, Matthias; Winandy, Marcel; Zhan, Jing

doi:10.1007/978-3-642-14597-1_10

Cited by 28 publications

(18 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another related line of research leverages the trusted hardware to bootstrap entire platforms for secure software execution (e.g. Flicker [23], Trusted Virtual Domains [10], Haven [3]). These are large systems that are currently outside the scope of provable-security techniques.…”

Section: Other Related Workmentioning

confidence: 99%

Foundations of Hardware-Based Attested Computation and Application to SGX

Barbosa

Portela

Scerri

et al. 2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Exciting new capabilities of modern trusted hardware technologies allow for the execution of arbitrary code within environments completely isolated from the rest of the system and provide cryptographic mechanisms for securely reporting on these executions to remote parties.Rigorously proving security of protocols that rely on this type of hardware faces two obstacles. The first is to develop models appropriate for the induced trust assumptions (e.g., what is the correct notion of a party when the peer one wishes to communicate with is a specific instance of an an outsourced program). The second is to develop scalable analysis methods, as the inherent stateful nature of the platforms precludes the application of existing modular analysis techniques that require high degrees of independence between the components.We give the first steps in this direction by studying three cryptographic tools which have been commonly associated with this new generation of trusted hardware solutions. Specifically, we provide formal security definitions, generic constructions and security analysis for attested computation, key-exchange for attestation and secure outsourced computation. Our approach is incremental: each of the concepts relies on the previous ones according to an approach that is quasi-modular. For example we show how to build a secure outsourced computation scheme from an arbitrary attestation protocol combined together with a key-exchange and an encryption scheme.

show abstract

Section: Other Related Workmentioning

confidence: 99%

Foundations of Hardware-Based Attested Computation and Application to SGX

Barbosa

Portela

Scerri

et al. 2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…Furthermore, these extensions protect DomC in a reasonable adversary model from any unauthorized access that tries to extract cryptographic material from the VM -either from a privileged management domain or from outside the VM. The flexible nature of DomC allows for building more advanced architectures, such as Trusted Virtual Domains [10], on top of our CaaS. Evaluation of full disk encryption with our reference implementation showed that DomC imposes a minimal performance overhead.…”

Section: Discussionmentioning

confidence: 99%

“…To make the same key available on all cloud nodes, we use migratable keys, i.e., its usage is bound to one or more trustworthy platform states but not a particular platform. For brevity, we omit the setup of this TPM key from our protocol and refer to related work [10]. An authenticated boot [35] measures the platform state, during boot.…”

Section: Detailed Image Setup Workflowmentioning

confidence: 99%

Client-Controlled Cryptography-as-a-Service in the Cloud

Bleikertz

Bugiel

Ideler

et al. 2013

Applied Cryptography and Network Security

Self Cite

View full text Add to dashboard Cite

Abstract. Today, a serious concern about cloud computing is the protection of clients' data and computations against various attacks from outsiders as well as against the cloud provider. Moreover, cloud clients are rather limited in implementing, deploying and controlling their own security solutions in the cloud. The provider theoretically has access to stored keys in dormant images and deploying keys during run-time is infeasible because authenticating running VM instances is not possible. In this paper, we present a security architecture that allows for establishing secure client-controlled Cryptography-as-a-Service (CaaS) in the cloud: Our CaaS enables clients to be in control of the provisioning and usage of their credentials and cryptographic primitives. They can securely provision keys or even implement their private virtual security module (e.g., vHSM or SmartCard). All clients' cryptographic operations run in a protected client-specific secure execution domain. This is achieved by modifying the Xen hypervisor and leveraging standard Trusted Computing technology. Moreover, our solution is legacy-compatible by installing a transparent cryptographic layer for the storage and network I/O of a VM. We reduced the privileged hypercalls necessary for administration by 79%. We evaluated the effectiveness and efficiency of our design which resulted in an acceptable performance overhead.

show abstract

“…Excalibur [24] uses remote attestation and trusted platform module (TPM) sealing mechanisms to ensure proper execution environments of Virtual Machines (VMs) as they migrate within a datacenter. Trusted virtual domains [9], [10] extend trusted platform technology using virtualization to provide isolated execution environments that span multiple physical platforms. In [12], the authors consider information flow control across virtual domains within a single enterprise infrastructure.…”

Section: B Related Workmentioning

confidence: 99%

Distributed Enforcement of Sticky Policies with Flexible Trust

Brown

Blough

2015

2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium

View full text Add to dashboard Cite

In this paper, we describe an approach to distributed enforcement of sticky policies in heterogeneous hardware and software environments. These heterogeneous environments might have differing mechanisms for attesting to their security capabilities and data sources might specify different levels of trust for different data items. Such an environment requires highly flexible policy specification and enforcement mechanisms. We employ sticky policies that travel with data wherever it travels, and we separate them into two components, a hosting policy and a usage policy. Hosting policies are used to ensure that data are transferred only to entities that are provably capable of providing local enforcement and only further transferring data under the same policies. Usage policies confer access, viewing, and update capabilities on users based on their attributes. The approach is supported by attribute-based certificates and policies, which include what authorities are trusted to certify attributes. In addition to presenting a full description of the approach, we report on a prototype implementation that includes all of the aforementioned components and also makes use of a modified version of Excel we developed to track security labels as data move through spreadsheets that are being shared by multiple users across different systems. II. INTRODUCTIONIn the information age in which we live, organizations maintain large amounts of data, much of it sensitive. In many situations, there could be great value in sharing these data with individuals or partners outside of an organization's controlled hardware/software infrastructure. For example, in the domain of medicine, health professionals would like to safely access patient information on their laptops or even mobile devices, and controlled sharing of such data for both health care and research purposes has obvious scientific and social benefits. Clearly, inadvertent disclosure of health information could have severe consequences for patients with sensitive conditions. Thus, although the benefits of information sharing are great, the risks of data breaches if the information is not properly handled after it is shared are often greater. A similar analysis can be made concerning sensitive customer information held by commercial organizations, information maintained in databases by law enforcement organizations, etc.Organizations that allow sensitive data to be disseminated need assurances that the systems receiving the data will control access so that users only see the information appropriate to their level of authorization, maintain sensitivity labels on information as data are propagated within the system, and only further disseminate the data to other systems if those systems meet the requirements of the data owner. Enabling concepts for this vision are sticky policies, wherein policies on data usage are propagated along with data as they move within and between systems, and information flow control (IFC), where sensitive information is tagged, tags propagate with data as t...

show abstract

Trusted Virtual Domains – Design, Implementation and Lessons Learned

Cited by 28 publications

References 15 publications

Foundations of Hardware-Based Attested Computation and Application to SGX

Foundations of Hardware-Based Attested Computation and Application to SGX

Client-Controlled Cryptography-as-a-Service in the Cloud

Distributed Enforcement of Sticky Policies with Flexible Trust

Contact Info

Product

Resources

About