Measuring Semantic Integrity for Remote Attestation

  • Fabrizio Baiardi
  • Diego Cilea
  • Daniele Sgandurra
  • Francesco Ceccarelli
Conference paper

DOI: 10.1007/978-3-642-00587-9_6

Volume 5471 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Baiardi F., Cilea D., Sgandurra D., Ceccarelli F. (2009) Measuring Semantic Integrity for Remote Attestation. In: Chen L., Mitchell C.J., Martin A. (eds) Trusted Computing. Trust 2009. Lecture Notes in Computer Science, vol 5471. Springer, Berlin, Heidelberg

Abstract

We propose a framework for the attestation of the integrity of a remote system that considers not only the configuration of the system to be attested but also its current behaviour. The resulting architecture, called Virtual machine Integrity Measurement System (VIMS), is based upon virtualization technology and runs two virtual machines on the system to be attested: the Client (C-VM) and the Assurance VM (A-VM). A generic remote server (REM-S) accepts incoming connections and cooperates with the A-VM to authenticate and attest the integrity of the C-VM and of the software it runs. The A-VM is a shadow machine that exploits virtual machine introspection to apply a set of consistency checks on the configuration of the C-VM and on the software it currently runs. The checks depend upon the security policies that the REM-S establishes in the initial connection handshake. The REM-S defines both the complexity of the checks to be applied and the frequency of their execution, and it communicates the security policy to the A-VM through a control channel. Policies that can be applied range from one that simply checks the integrity of the binaries loaded by the C-VM to those that continuously monitor the dynamic behaviour of applications to discover attacks that alter their expected behaviour. The control channel also transmits the results of the checks from the A-VM to the REM-S. As an example, remote attestation can be adopted when client software on the C-VM tries to establish a secure channel to a REM-S on an Intranet.

After describing the overall VIMS architecture, we present and discuss the implementation and the performance of a first prototype.


Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Fabrizio Baiardi (1)
  • Diego Cilea (2)
  • Daniele Sgandurra (2)
  • Francesco Ceccarelli (3)

  1. Polo G. Marconi, La Spezia, Università di Pisa, Italy
  2. Dipartimento di Informatica, Università di Pisa, Italy
  3. ENEL SpA, Italy