Wenjuan Li,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/iceie.2010.5559829

2010-01-01

Abstract:Security and interoperability is the biggest challenge to promote cloud computing currently. Trust has proved to be one of the most important and effective alternative means to construct security in distributed systems. In order to efficiently and safely construct entities' trust relationship in cloud and cross-clouds environment, this paper proposed a novel cloud trust model and a new cloud security framework. The propose trust model is domain-based. It divides one cloud provider's resource nodes into the same trust domain. It designs different trust strategies for different roles. Trust recommendation is treated as one type of cloud services just like computation or storage. Based on the proposed trust model, it introduced a novel cloud security framework with an independent trust management module. Using the proposed security model, it introduced some trust-based security mechanisms. Results of simulation experiments show that the proposed security model can achieve high transaction success rate with high trust accuracy.

Cui Yan-Li,Zhang Xing

DOI: https://doi.org/10.1109/cnmt.2009.5374540

2009-01-01

Abstract:In the distributed environment, one important security issue is how to apply further security control to the object that is released to other terminals. The appearance of trusted computing technology has provided an effective solution for this issue in the distributed environment. At the same time, through combining trusted computing technology with the strong isolation and sharing characteristic provided by virtual machine technology has further increased the security and the flexibility of distributed access control. Therefore, this paper uses trusted computing technology to improve the security of the terminal in carrying out the distributed access control, designs a trusted terminal architecture that bases on the trusted computing technology and the virtual machine technology as well as a enhanced mode that suits in distributed access control, and on this basis, analyzes the security of system design.

沈晴霓,杜虹,卿斯汉

2010-01-01

Abstract:In view of some new security issues in the computing platform with virtualization technology, this paper proposes the application of the security-oriented virtualized trusted platform (VTP) architecture, whose trusted computing base (TCB) is hierarchal and self-contained with three layer-by-layer facilities from the trust root-hardware TPM/TCM, trusted virtual machine monitor (TVMM) to security manager(SM). Based on open-source project-XEN, it gives a sample design of the virtualized trusted platform for the virtual machine and its application's security with such mechanisms as remote attestation, information flow control, secure migration and privacy protection. Scenario analysis shows that the sample VTP can support different security goals of its applications flexibly.

CHEN Wen-zhi,HUANG Wei,XIE Cheng,HE Qin-ming

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.02.016

2009-01-01

Abstract:Virtualization was introduced to increase the security of embedded devices while avoiding the shortcomings caused by the hardware-based approach such as poor flexibility,high complexity and high production cost of equipments.Virtualization platform SmartVP offers a secure system environment by the software-based approach.SmartVP partitions the computing resources on the ARM processor into two parallel sets,one for standard real-time operating system T-Kernel and the other for general-purpose operating system Linux.The trusted computing base of SmartVP is constructed by protecting the code and data of the software on T-Kernel,as well as by implementing the fundamental security services and interfaces.Both performance benchmark and applications show that SmartVP improves the security of embedded devices and reduces the implementing risk together with developing time and cost.

Xin Jin,Qixu Wang,Xiang Li,Xingshu Chen,Wei Wang

DOI: https://doi.org/10.26599/tst.2018.9010129

2019-01-01

Tsinghua Science & Technology

Abstract:As a foundation component of cloud computing platforms, Virtual Machines (VMs) are confronted with numerous security threats. However, existing solutions tend to focus on solving threats in a specific state of the VM. In this paper, we propose a novel VM lifecycle security protection framework based on trusted computing to solve the security threats to VMs throughout their entire lifecycle. Specifically, a concept of the VM lifecycle is presented divided up by the different active conditions of the VM. Then, a trusted computing based security protection framework is developed, which can extend the trusted relationship from trusted platform module to the VM and protect the security and reliability of the VM throughout its lifecycle. The theoretical analysis shows that our proposed framework can provide comprehensive safety to VM in all of its states. Furthermore, experiment results demonstrate that the proposed framework is feasible and achieves a higher level of security compared with some state-of-the-art schemes.

Xin Wan,XinFang Zhang,Liang Chen,JianXin Zhu

DOI: https://doi.org/10.1109/ICSAI.2012.6223146

2012-01-01

Abstract:One of the most important benefits of virtualization is Virtual Machine (VM) migration. While the performance of live VM migration is well explored, the security aspects have received very little attention. The extension of trusted computing to virtual systems using vTPMs allows applications in the VM to use the vTPM for secure storage and reporting platform integrity. In this paper, we propose an improved secure vTPM migration protocol using a trusted channel and property-based attestation of destination platform to assure the security requirements of the vTPM migration.

Xiaoguang Wang,Yi Shi,Yuehua Dai,Yong Qi,Jianbao Ren,Yu Xuan

DOI: https://doi.org/10.4304/jcp.9.10.2303-2314

2014-01-01

Journal of Computers

Abstract:The Infrastructure as a Service (IaaS) cloud computing model is widely used in current IT industry, providing the cloud users virtual machines as the executing environment. However, current executing environment the cloud provided is not trustworthy. For a user's executing environment faces threats from malicious cloud users who aim at attacking the underlying virtualization software (virtual machine monitor, VMM, or hypervisor). In this paper, we first make an analysis of the potential threats to a commodity hypervisor, and then propose architecture to build a more trustworthy executing environment for IaaS cloud. The main ideas of our architecture are: removing interaction between hypervisor and the exposed executing environment, enhancing platform data secrecy as well as providing feature rich environment attestation. To prove the effectiveness of our architecture, we build a prototype system, named TrustOSV, which can host multiple trustworthy isolated computing environments on multi-core x86 hardware. The final evaluation shows that TrustOSV can provide enhanced security guarantees to the exposed VMs at modest cost.

Mingxing Zhou,Shuhua Ruan,Junwei Liu,Xingshu Chen,Miaomiao Yang,Qixu Wang

DOI: https://doi.org/10.1109/cloud55607.2022.00058

2022-01-01

Abstract:Numbers of applications and businesses are hosted on cloud computing platforms, and it is essential for cloud tenants to protect their data through encryption or other methods. When tenants use encryption algorithms provided by software, they are bound to face the defect that keys are not protected by hardware. Trusted computing technology can securely store the key in the hardware device. However, the hardware TPM cannot provide services for multiple VMs simultaneously. The virtual trusted computing technology virtualizes the TPM and can assign vTPM to each VM. Currently, vTPM only supports RSA, ECDSA, SHA256, and AES algorithms, et al. Relevant studies have shown that SM2/SM3/SM4 algorithms are more secure than ECDSA/SHA256/AES. In order to cope with the limitations of the cryptographic algorithms supported by vTPM, we design the vTPM-SM scheme to provide a secure and reliable SM2/SM3/SM4 algorithm application method for cloud environments. Experiments show that vTPM-SM can effectively realize the VM using Chinese commercial cryptographic algorithms through vTPM. Compared with the existing scheme, using SM2/SM3/SM4 algorithm reduces the time overhead by about 31.6%, 83.3% and 15.5%, respectively.

Xin Wan,ZhiTing Xiao,Yi Ren

DOI: https://doi.org/10.1109/mines.2012.244

2012-01-01

Abstract:Cloud computing enables organizations to realize the commercial benefits while facing the new security issues. In this paper, we presents a security model for called the Trusted Private Virtual Data center (TVPDc) that offering centralized security management of the computing and storage resources distributed in different locations and physical machines within an IaaS cloud. The TVPDc model can satisfy the need of the organizations for privacy protection and data integrity guarantees and enhances the system management capabilities in virtualized environments.

Wei Sun

2010-01-01

Abstract:The reason to develop trusted computing was simply set forth,and the developing progress of virtualization technology and Xen was simply introduced.Then,a comprehensive research was made on the solution of IBM vTPM,which successfully achieves an implementation of virtualizing TPM in Xen.Finally,some differences between IBM vTPM and other trusted computing solutions were proposed.

Jingkai Mao,Haoran Zhu,Junchao Fan,Lin Li,Xiaolin Chang

2024-05-02

Abstract:The Virtual Machine (VM)-based Trusted-Execution-Environment (TEE) technology, like AMD Secure-Encrypted-Virtualization (SEV), enables the establishment of Confidential VMs (CVMs) to protect data privacy. But CVM lacks ways to provide the trust proof of its running state, degrading the user confidence of using CVM. The technology of virtual Trusted Platform Module (vTPM) can be used to generate trust proof for CVM. However, the existing vTPM-based approaches have the weaknesses like lack of a well-defined root-of-trust, lack of vTPM protection, and lack of vTPM's trust proof. These weaknesses prevent the generation of the trust proof of the CVM. This paper proposes an approach to generate the trust proof for AMD SEV-based CVM so as to ensure its security by using a secure vTPM to construct Trusted Complete Chain for the CVM (T3CVM). T3CVM consists of three components: 1) TR-Manager, as the well-defined root-of-trust, helps to build complete trust chains for CVMs; 2) CN-TPMCVM, a special CVM provides secure vTPMs; 3) CN-CDriver, an enhanced TPM driver. Our approach overcomes the weaknesses of existing approaches and enables trusted computing-based applications to run seamlessly in the trusted CVM. We perform a formal security analysis of T3CVM, and implement a prototype system to evaluate its performance.

Cryptography and Security,Software Engineering

Deliang Xu,Cai Fu,Guohui Li,Deqing Zou,Honghao Zhang,Xiao-Yang Liu

DOI: https://doi.org/10.1109/access.2017.2754515

IF: 3.9

2017-01-01

IEEE Access

Abstract:The increasing use of virtualization puts stringent security requirements on software integrity and workload isolation of cloud computing. The encryption card provides hardware cryptographic services for users and is believed to be superior to software cryptography. However, we cannot use the encryption card directly in the user domain because of the complicated virtualization mechanisms and the security problems about the user key and the user private data flow. To address these challenges, we propose a new virtualization architecture to ensure the trustworthiness of encryption cards. First, we design a privacy preserving model to ensure the security of the dynamic schedule of encryption cards. Second, we present a hardware trust verification procedure based on the trusted platform module to supply a trusted virtualization hardware foundation. Third, we provide a series of security protocols to establish a trusted chain between users and encryption cards. Finally, we give security proofs of the encryption card virtualization architecture. Based on our prototype implementation, the encryption service provided by the encryption card has higher-level security and higher efficiency than software encryption. It provides strong support for security services of virtualization systems in cloud computing.

Xiao-xiang JIAN,Hong GAO,Wen-huang LIU

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.36.022

2006-01-01

Abstract:According to the coming of the global information age,trusted computing improved from fault-tolerance computing,fault detection,redundancy backup technique to trusted computing software and hardware platforms.This article analyzes the limitation of current trusted computing platform based on integrated TPM,and discusses methods using portable TPM to solve current problems.A trusted computing model and its implementation is presented,which is based on the portable TPM.

Xu-dong HAO,Chun-xiang XU

DOI: https://doi.org/10.3969/j.issn.1009-2552.2009.09.017

2009-01-01

Abstract:As a hot topic of computing world at present,the virtualization technology can make convince to manage the computing resources and be used to cloud computing.With the growing of these technology,some security problems come out,many malicious programs are booted on the launching time of the virtualization systems,then the trusted execution technology becomes more important.This paper introduces the features and mechanism of the trusted execution technology,and analyses the central component of this technology,finally gives a conclusion for the research status and exist problems.

Tianqi XU,Shufen LIU,Lu HAN

DOI: https://doi.org/10.13413/j.cnki.jdxblxb.2014.03.23

2014-01-01

Abstract:To improve virtualization security issues in cloud computing selurity proposed a trusted virtualization architecture. The architecture constructs a credible framework from the bottom infrastructure to the upper application services by adding virtual trusted platform module in analog processor and the trusted platform module driver in the operating system.This architecture combines the trusted platform module in the virtualization platform servers,which can effectively solve the security problem in server virtualization platform.

ZHANG Lei,CHEN Xing-shu,LIU Liang,LI Hui

DOI: https://doi.org/10.3969/j.issn.1001-0548.2015.01.020

2015-01-01

Abstract:For the kernel integrity threats of virtual machine in cloud computing environment, an integrity protecting technology of virtual machine kernel, cloud trusted virtual machine(CTVM ), is proposed. In the CTVM, the virtual trusted execution environment in kernel-based virtual machine(KVM) is created, the multiple virtual machines are endowed with a trusted computing function at the same time, and the guest virtual machines are provided with integrity measurement ability. By utilizing hardware virtualization technology, the untrusted kernel modules are isolated from operating system kernel through constructing isolated address space in guest virtual machines, so as to protect the booting integrity and runtime integrity of guest virtual machines. Finally, with a domestic server as the experimental platform, CTVM prototype system is presented. System test and analysis show that the system performance loss is within the acceptable range.

Wu Luo,Wei Liu,Yang Luo,Anbang Ruan,Qingni Shen,Zhonghai Wu

DOI: https://doi.org/10.1109/trustcom.2016.0058

2016-01-01

Abstract:In recent years, the rapid development of virtualization and container technology brings unprecedented impact on traditional IT architecture. Trusted Computing devotes to provide a solution to protect the integrity of the target platform and introduces a virtual TPM to adapt to the challenges that virtualization brings. However, the traditional integrity measurement solution and remote attestation has limitations due to the challenges such as large of measurement and attestation cost and overexposure of configurations details. In this paper, we propose the Partial Attestation Model. The basic idea of Partial Attestation Model is to reconstruct the Chain of Trust by dividing them into several separated ones. Our model therefore enables the challenger to attest the specified security requirements of the target platform, instead of acquiring and verifying the complete detailed configurations. By ignoring components not related to the target requirements, our model reduces the attestation costs. In addition, we further implement an attestation protocol to prevent overexposure of the target platform's configuration details. We build a use case to illustrate the implementation of our model, and the evaluations on our prototype show that our model achieves better efficiency than the existing remote attestation scheme.

Melker Veltman,Alexandra Parkegren,Victor Morel

2023-10-05

Abstract:When software services use cloud providers to run their workloads, they place implicit trust in the cloud provider, without an explicit trust relationship. One way to achieve such explicit trust in a computer system is to use a hardware Trusted Platform Module (TPM), a coprocessor for trusted computing. However, in the case of managed platform-as-a-service (PaaS) offerings, there is currently no cloud provider that exposes TPM capabilities. In this paper, we improve trust by integrating a virtual TPM device into the Firecracker hypervisor, originally developed by Amazon Web Services. In addition to this, multiple performance tests along with an attack surface analysis are performed to evaluate the impact of the changes introduced. We discuss the results and conclude that the slight performance decrease and attack surface increase are acceptable trade-offs in order to enable trusted computing in PaaS offerings.

Cryptography and Security,Hardware Architecture,Computers and Society

Shuang Zhang,Xinyu Wan,Deqi Kong,Yangming Guo

DOI: https://doi.org/10.1109/dsa51864.2020.00043

2020-01-01

Abstract:With the application of virtualization and multi-core processor in embedded system, the computing capacity of embedded system has been improved comprehensively, but it is also faced with malicious attacks against virtualization technology. First, it was analyzed the security requirements of each layer of embedded virtualization computing platform. Aiming at the security requirements, it was proposed the security architecture of embedded virtualization computing platform based on trusted computing module. It was designed the hardware trusted root on the hardware layer, the virtualization trusted root on the virtual machine manager layer, trusted computing component and security function component on guest operation system layer. Based on the trusted roots, it was built the static extension of the trusted chain on the platform. This security architecture can improve the active security protection capability of embedded virtualization computing platform.

LIU Yu-tao,CHEN Hai-bo

DOI: https://doi.org/10.11959/j.issn.2096-109x.2016.00091

2016-01-01

Abstract:The virtualization security has increasingly drawn widespread attention with the spread of cloud computing in recent years.Thanks to another level of indirection,virtualization can provide stronger isolation mechanisms,as well as bottom-up security services for upper-level software.On the other side,the extra indirection brings complexity and overhead as well,which poses huge challenges.A series of recent representative work done by the institute of parallel and distributed system shanghai jiaotong university,including providing security services of trusted execution environment,virtual machine monitoring,intra-domain isolation,as well as optimizing trusted computing base and cross-world calls in the virtualization environment.Finally the problems and directions in the space of virtualization security were summarized.