Skip to main content
SpringerLink
Log in

Enforcing Access Controls for the Cryptographic Cloud Service Invocation Based on Virtual Machine Introspection

  • Conference paper
  • First Online:
Information Security (ISC 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11060))

Included in the following conference series:

  • 1672 Accesses

Abstract

Most cloud providers afford their tenants with cryptographic services that greatly escalate the protection of users’ private keys. Isolated from the guest operating systems (OSes), the keys are kept confidential even if the OS kernel is compromised. However, existing cryptographic services are ineffective in the access control of these critical services. In particular, they enforce controls for the key accesses mainly based on non-cryptographic authentication/authorization information (i.e., the identity and the password). Some platforms leverage other information such as the resource identification of the Virtual machine (VM) (e.g., IP address). Therefore, once the password is leaked, the attacker could invoke the cryptographic service in the victim VM. Moreover, sophisticated attackers can exploit vulnerabilities in the guest OS kernel and stealthily invoke cryptographic services. In this paper, we propose a new scheme named En-ACCI to improve the security of cryptographic service invocation in the cloud and achieve better access controls as well as auditing by leveraging the rich VM context provided by virtual machine introspection (VMI). To the best of our knowledge, we are the first in the literature to discuss these security issues involved in the invocation of cryptographic services in the cloud. We address the challenges by using an access control mechanism atop a set of optimization to VMI. We have implemented a prototype of En-ACCI, and our evaluation demonstrates that En-ACCI effectively addresses the authorization and audit issues in the cloud-based cryptographic service and the introduced performance overhead is modest.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Aliyun cryption service. https://www.aliyun.com/product/hsm

  2. Aliyun Key Management Service. https://www.aliyun.com/product/kms

  3. Amazon aws cloudhsm. https://amazonaws-china.com/cloudhsm/

  4. Amazon aws key management service kms. https://amazonaws-china.com/kms/

  5. Aws cloudtrail. https://amazonaws-china.com/cn/cloudtrail

  6. Intel corporation, intel software guard extensions. https://software.intel.com/en-us/sgx

  7. Kernel based virtual machine. http://www.linux-kvm.org/page/Main_Page

  8. Microsoft key vault. https://www.azure.cn/home/features/key-vault/

  9. Qemu open source processor emulator. http://wiki.qemu.org/Main_Page

  10. Tencentyun key management service kms. https://cloud.tencent.com/product/kms

  11. The volatility framework. https://code.google.com/archive/p/volatility/

  12. Bahram, S., Jiang, X., Wang, Z., Grace, M., Li, J., Srinivasan, D., Rhee, J., Xu, D.: DKSM: subverting virtual machine introspection for fun and profit. In: 2010 IEEE Symposium on Reliable Distributed Systems, pp. 82–91 (2010)

    Google Scholar 

  13. Biedermann, S., Katzenbeisser, S., Szefer, J.: Leveraging virtual machine introspection for hot-hardening of arbitrary cloud-user applications. In: 6th USENIX Workshop on Hot Topics in Cloud Computing, HotCloud 2014, Philadelphia, PA, USA, 17–18 June 2014 (2014)

    Google Scholar 

  14. Chen, P., Xu, D., Mao, B.: Clouder: a framework for automatic software vulnerability location and patching in the cloud. In: 7th ACM Symposium on Information, Compuer and Communications Security, ASIACCS 2012, Seoul, Korea, 2–4 May 2012, p. 50 (2012)

    Google Scholar 

  15. TIS Committee et al.: Tool interface standard (tls) executable and linking format (elf) specification version 1.2. TIS Committee (1995)

    Google Scholar 

  16. Intel Corporation: Chapter 8: Intel transactional memory synchronization extensions. In: Intel Architecture Instruction Set Extensions Programming Reference (2013)

    Google Scholar 

  17. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2003, San Diego, California, USA (2003)

    Google Scholar 

  18. Goyette, R.: A review of vTPM: virtualizing the trusted platform module. In: Proceedings of Network Security and Cryptography (2007)

    Google Scholar 

  19. Gu, Z., Deng, Z., Xu, D., Jiang, X.: Process implanting: a new active introspection framework for virtualization. In: 30th IEEE Symposium on Reliable Distributed Systems (SRDS 2011), Madrid, Spain, 4–7 October 2011, pp. 147–156 (2011)

    Google Scholar 

  20. Guan, L., Li, F., Jing, J., Wang, J., Ma, Z.: virtio-ct: a secure cryptographic token service in hypervisors. In: Tian, J., Jing, J., Srivatsa, M. (eds.) SecureComm 2014. LNICST, vol. 153, pp. 285–300. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23802-9_22

    Chapter  Google Scholar 

  21. Guan, L., Lin, J., Luo, B., Jing, J., Wang, J.: Protecting private keys against memory disclosure attacks using hardware transactional memory. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 3–19 (2015)

    Google Scholar 

  22. Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: Antfarm: tracking processes in a virtual machine environment. In: Proceedings of the 2006 USENIX Annual Technical Conference, Boston, MA, USA, 30 May–3 June 2006, pp. 1–14 (2006)

    Google Scholar 

  23. Kivity, A.: kvm: the linux virtual machine monitor. In: Linux Symposium, Ottawa, Ontario (2007)

    Google Scholar 

  24. McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V.D., Perrig, A.: Trustvisor: efficient TCB reduction and attestation. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, 16–19 May 2010, Berleley, Oakland, California, USA, pp. 143–158 (2010)

    Google Scholar 

  25. Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: Proceedings of the 21st ACM Symposium on Operating Systems Principles 2007, SOSP 2007, Stevenson, Washington, USA, 14–17 October 2007, pp. 335–350 (2007)

    Google Scholar 

  26. Vogl, S., Kilic, F., Schneider, C., Eckert, C.: X-TIER: kernel module injection. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 192–205. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38631-2_15

    Chapter  Google Scholar 

Download references

Acknowledgments

This work was partially supported by National Natural Science Foundation of China (No. 61772518).

Author information

Authors and Affiliations

  1. Data Assurance and Communication Security Research Center, CAS, Beijing, 100093, China

    Fangjie Jiang, Quanwei Cai & Jingqiang Lin

  2. State Key Laboratory of Information Security, Institute of Information Engineering, CAS, Beijing, 100093, China

    Fangjie Jiang, Quanwei Cai & Jingqiang Lin

  3. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, 100049, China

    Fangjie Jiang & Jingqiang Lin

  4. Pennsylvania State University, State College, USA

    Le Guan

Authors
  1. Fangjie Jiang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Quanwei Cai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Le Guan
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jingqiang Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Quanwei Cai .

Editor information

Editors and Affiliations

  1. University of Surrey, Guildford, United Kingdom

    Liqun Chen

  2. University of Surrey, Guildford, United Kingdom

    Mark Manulis

  3. University of Surrey, Guildford, United Kingdom

    Steve Schneider

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Jiang, F., Cai, Q., Guan, L., Lin, J. (2018). Enforcing Access Controls for the Cryptographic Cloud Service Invocation Based on Virtual Machine Introspection. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science(), vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-99136-8_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99135-1

  • Online ISBN: 978-3-319-99136-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation