Abstract
Most cloud providers afford their tenants with cryptographic services that greatly escalate the protection of users’ private keys. Isolated from the guest operating systems (OSes), the keys are kept confidential even if the OS kernel is compromised. However, existing cryptographic services are ineffective in the access control of these critical services. In particular, they enforce controls for the key accesses mainly based on non-cryptographic authentication/authorization information (i.e., the identity and the password). Some platforms leverage other information such as the resource identification of the Virtual machine (VM) (e.g., IP address). Therefore, once the password is leaked, the attacker could invoke the cryptographic service in the victim VM. Moreover, sophisticated attackers can exploit vulnerabilities in the guest OS kernel and stealthily invoke cryptographic services. In this paper, we propose a new scheme named En-ACCI to improve the security of cryptographic service invocation in the cloud and achieve better access controls as well as auditing by leveraging the rich VM context provided by virtual machine introspection (VMI). To the best of our knowledge, we are the first in the literature to discuss these security issues involved in the invocation of cryptographic services in the cloud. We address the challenges by using an access control mechanism atop a set of optimization to VMI. We have implemented a prototype of En-ACCI, and our evaluation demonstrates that En-ACCI effectively addresses the authorization and audit issues in the cloud-based cryptographic service and the introduced performance overhead is modest.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aliyun cryption service. https://www.aliyun.com/product/hsm
Aliyun Key Management Service. https://www.aliyun.com/product/kms
Amazon aws cloudhsm. https://amazonaws-china.com/cloudhsm/
Amazon aws key management service kms. https://amazonaws-china.com/kms/
Aws cloudtrail. https://amazonaws-china.com/cn/cloudtrail
Intel corporation, intel software guard extensions. https://software.intel.com/en-us/sgx
Kernel based virtual machine. http://www.linux-kvm.org/page/Main_Page
Microsoft key vault. https://www.azure.cn/home/features/key-vault/
Qemu open source processor emulator. http://wiki.qemu.org/Main_Page
Tencentyun key management service kms. https://cloud.tencent.com/product/kms
The volatility framework. https://code.google.com/archive/p/volatility/
Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., Xu, D.: DKSM: subverting virtual machine introspection for fun and profit. In: 2010 IEEE Symposium on Reliable Distributed Systems, pp. 82–91 (2010)
Biedermann, S., Katzenbeisser, S., Szefer, J.: Leveraging virtual machine introspection for hot-hardening of arbitrary cloud-user applications. In: 6th USENIX Workshop on Hot Topics in Cloud Computing, HotCloud 2014, Philadelphia, PA, USA, 17–18 June 2014 (2014)
Chen, P., Xu, D., Mao, B.: Clouder: a framework for automatic software vulnerability location and patching in the cloud. In: 7th ACM Symposium on Information, Compuer and Communications Security, ASIACCS 2012, Seoul, Korea, 2–4 May 2012, p. 50 (2012)
TIS Committee et al.: Tool interface standard (tls) executable and linking format (elf) specification version 1.2. TIS Committee (1995)
Intel Corporation: Chapter 8: Intel transactional memory synchronization extensions. In: Intel Architecture Instruction Set Extensions Programming Reference (2013)
Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2003, San Diego, California, USA (2003)
Goyette, R.: A review of vTPM: virtualizing the trusted platform module. In: Proceedings of Network Security and Cryptography (2007)
Gu, Z., Deng, Z., Xu, D., Jiang, X.: Process implanting: a new active introspection framework for virtualization. In: 30th IEEE Symposium on Reliable Distributed Systems (SRDS 2011), Madrid, Spain, 4–7 October 2011, pp. 147–156 (2011)
Guan, L., Li, F., Jing, J., Wang, J., Ma, Z.: virtio-ct: a secure cryptographic token service in hypervisors. In: Tian, J., Jing, J., Srivatsa, M. (eds.) SecureComm 2014. LNICST, vol. 153, pp. 285–300. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23802-9_22
Guan, L., Lin, J., Luo, B., Jing, J., Wang, J.: Protecting private keys against memory disclosure attacks using hardware transactional memory. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 3–19 (2015)
Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Antfarm: tracking processes in a virtual machine environment. In: Proceedings of the 2006 USENIX Annual Technical Conference, Boston, MA, USA, 30 May–3 June 2006, pp. 1–14 (2006)
Kivity, A.: kvm: the linux virtual machine monitor. In: Linux Symposium, Ottawa, Ontario (2007)
McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V.D., Perrig, A.: Trustvisor: efficient TCB reduction and attestation. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, 16–19 May 2010, Berleley, Oakland, California, USA, pp. 143–158 (2010)
Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: Proceedings of the 21st ACM Symposium on Operating Systems Principles 2007, SOSP 2007, Stevenson, Washington, USA, 14–17 October 2007, pp. 335–350 (2007)
Vogl, S., Kilic, F., Schneider, C., Eckert, C.: X-TIER: kernel module injection. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 192–205. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38631-2_15
Acknowledgments
This work was partially supported by National Natural Science Foundation of China (No. 61772518).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Jiang, F., Cai, Q., Guan, L., Lin, J. (2018). Enforcing Access Controls for the Cryptographic Cloud Service Invocation Based on Virtual Machine Introspection. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science(), vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-99136-8_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99135-1
Online ISBN: 978-3-319-99136-8
eBook Packages: Computer ScienceComputer Science (R0)