Skip to main content

Hardware-Enhanced Security for Cloud Computing

Abstract

Cloud computing has ushered in an era where cloud customers are able to rapidly access on-demand computing resources made available by third party cloud providers. The cloud providers who maintain these computing resources and lease them out to customers leverage economies of scale and sharing of resources to be able to provide these resources to customers at favorable prices. Cloud computing and this sharing of resources, however, introduces a number of security concerns. These concerns include other, potentially malicious, customers who are co-located on the same system as the customer; or even untrusted system software running on the remote systems where a customer’s code and data execute or reside. To tackle these security concerns, we explore how secure hardware architectures can provide more protections to a customer’s code and data in a cloud computing setting. In particular, we want to show that with hardware enhancements we can make computing in the cloud as secure as in your own dedicated facilities.

Keywords

  • Cloud Computing Security
  • Cloud Providers
  • Trusted Software Module (TSMs)
  • Page Mapping Table
  • Guest Physical Address

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-1-4614-9278-8_3
  • Chapter length: 20 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   109.00
Price excludes VAT (USA)
  • ISBN: 978-1-4614-9278-8
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   139.00
Price excludes VAT (USA)
Hardcover Book
USD   169.99
Price excludes VAT (USA)
Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9

Notes

  1. 1.

    Note that the hardware checks that the page is not in use, so it is automatically not accessible to other VMs.

  2. 2.

    If the VM suspend reason is a hypercall then the registers are not encrypted as they are used to pass arguments to the hypercall.

References

  1. ARM, TrustZone. http://www.arm.com/products/processors/technologies/trustzone.php, accessed April 2013.

  2. VMWare. http://www.vmware.com/, accessed April 2013.

  3. Xen. http://www.xen.org, accessed May 2013.

  4. David Champagne. Scalable Security Architecture for Trusted Software. PhD thesis, Princeton University, 2010.

    Google Scholar 

  5. David Champagne and Ruby B. Lee. Scalable architectural support for trusted software. In Proceedings of the 16th International Symposium on High Performance Computer Architecture, HPCA, pages 1–12, 2010.

    Google Scholar 

  6. Jeffrey S. Dwoskin and Ruby B. Lee. Hardware-rooted trust for secure key management and transient trust. In Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, pages 389–400, 2007.

    Google Scholar 

  7. Joan G. Dyer, Mark Lindemann, Ronald Perez, Reiner Sailer, Leendert van Doorn, Sean W. Smith, and Steve Weingart. Building the IBM 4758 Secure Coprocessor. Computer, 34:57–66, 2001.

    Google Scholar 

  8. Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan Boneh. Terra: A virtual machine-based platform for trusted computing. SIGOPS Oper. Syst. Rev., 37(5):193–206, 2003.

    Google Scholar 

  9. Tal Garfinkel and Mendel Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings Network and Distributed Systems Security Symposium, pages 191–206, 2003.

    Google Scholar 

  10. Ruby B. Lee, Peter Kwan, John Patrick McGregor, Jeffrey Dwoskin, and Zhenghong Wang. Architecture for protecting critical secrets in microprocessors. In Proceedings of the International Symposium on Computer Architecture, ISCA, pages 2–13, 2005.

    Google Scholar 

  11. Chunxiao Li, Anand Raghunathan, and Niraj K. Jha. Secure virtual machine execution under an untrusted management OS. In Proceedings Conference on Cloud Computing (CLOUD), pages 172–179, 2010.

    Google Scholar 

  12. David Lie, John C. Mitchell, Chandramohan A. Thekkath, and Mark Horowitz. Specifying and verifying hardware for tamper-resistant software. In Proceedings of Symposium on Security and Privacy, S&P, pages 166–177, 2003.

    Google Scholar 

  13. Ryan Riley, Xuxian Jiang, and Dongyan Xu. Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In Richard Lippmann, Engin Kirda, and Ari Trachtenberg, editors, Recent Advances in Intrusion Detection, volume 5230 of Lecture Notes in Computer Science, pages 1–20. Springer Berlin Heidelberg, 2008.

    Google Scholar 

  14. Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Ronald Perez, Leendert Van Doorn, John Linwood Griffin, Stefan Berger, Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Ronald Perez, Leendert Doorn, John Linwood, and Griffin Stefan Berger. sHype: Secure Hypervisor Approach to Trusted Virtualized Systems. Technical Report RC23511, IBM Research, 2005.

    Google Scholar 

  15. Arvind Seshadri, Mark Luk, Ning Qu, and Adrian Perrig. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. SIGOPS Oper. Syst. Rev., 41(6):335–350, 2007.

    Google Scholar 

  16. Monirul I. Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi. Secure in-vm monitoring using hardware virtualization. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS ’09, pages 477–487, 2009.

    Google Scholar 

  17. Udo Steinberg and Bernhard Kauer. NOVA: A microhypervisor-based secure virtualization architecture. In European Conference on Computer Systems, pages 209–222, 2010.

    Google Scholar 

  18. G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, and Srinivas Devadas. AEGIS: Architecture for tamper-evident and tamper-resistant processing. In Proceedings of the 17th annual International Conference on Supercomputing, ICS ’03, pages 160–171, 2003.

    Google Scholar 

  19. Jakub Szefer. Architectures for Secure Cloud Computing Servers. PhD thesis, Princeton University, 2013.

    Google Scholar 

  20. Jakub Szefer and Ruby B. Lee. A Case for Hardware Protection of Guest VMs from Compromised Hypervisors in Cloud Computing. In Proceedings of the Second International Workshop on Security and Privacy in Cloud Computing, SPCC, pages 248–252, 2011.

    Google Scholar 

  21. Jakub Szefer and Ruby B. Lee. Architectural Support for Hypervisor-Secure Virtualization. In Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS, pages 437–450, March 2012.

    Google Scholar 

  22. Trusted Computing Group Trusted Platform Module main specification version 1.2, revision 94. http://www.trustedcomputinggroup.org/resources/tpm_main_specification, accessed April 2013.

  23. Carl A. Waldspurger. Memory resource management in VMware ESX server. In 5th Symposium on Operating Systems Design and Implementation (OSDI), pages 181–194, 2002.

    Google Scholar 

  24. Zhenghong Wang and Ruby B. Lee. New cache designs for thwarting software cache-based side channel attacks. In Proceedings of the 34th annual International Symposium on Computer Architecture, ISCA ’07, pages 494–505, 2007.

    Google Scholar 

  25. Zhenghong Wang and Ruby B. Lee. A novel cache architecture with enhanced performance and security. In Proceedings of the 41st annual IEEE/ACM International Symposium on Microarchitecture, MICRO 41, pages 83–93, 2008.

    Google Scholar 

  26. Zhi Wang and Xuxian Jiang. HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, S&P, pages 380–395, May 2010.

    Google Scholar 

  27. Zhi Wang, Xuxian Jiang, Weidong Cui, and Peng Ning. Countering kernel rootkits with lightweight hook protection. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS, pages 545–554, 2009.

    Google Scholar 

Download references

Acknowledgements

This work was supported in part by NSF grants CNS-1218817, CCF-0917134 and EEC-0540832.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Jakub Szefer .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2014 Springer Science+Business Media New York

About this chapter

Cite this chapter

Szefer, J., Lee, R.B. (2014). Hardware-Enhanced Security for Cloud Computing. In: Jajodia, S., Kant, K., Samarati, P., Singhal, A., Swarup, V., Wang, C. (eds) Secure Cloud Computing. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-9278-8_3

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-9278-8_3

  • Published:

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-9277-1

  • Online ISBN: 978-1-4614-9278-8

  • eBook Packages: Computer ScienceComputer Science (R0)