A Security-Enhanced vTPM 2.0 for Cloud Computing

  • Juan Wang
  • Feng Xiao
  • Jianwei Huang
  • Daochen Zha
  • Chengyang Fan
  • Wei Hu
  • Huanguo Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10631)

Abstract

A virtual Trusted Platform Module (vTPM) is required in the cloud because of the scalability and migration of virtual machines. By allocating a vTPM to a VM (virtual machine), users of the VM can use the vTPM's cryptographic and measurement functions as they would those of a physical TPM. However, current vTPMs still face some key challenges, such as lacking runtime protection for the vTPM keys and code, lacking a mechanism for vTPM key management, and lacking support for the new TPM 2.0 specification. To address these limitations, we design a vTPM 2.0 system and then propose a runtime protection approach for vTPM 2.0 based on SGX. Furthermore, we present a vTPM key distribution and protection mechanism. We have implemented the vTPM 2.0 system and the security-enhanced protection mechanism. As far as we know, this is the first time that a vTPM 2.0 system based on KVM and its security-enhanced mechanism have been designed and implemented.

Keywords

vTPM, Trusted computing, Intel SGX, KMC, Cloud security

Notes

Acknowledgment

This work is sponsored by the National Basic Research Program of China (973 Program) under Grant No. 2014CB340600, the National Natural Science Foundation of China under Grant Nos. 61402342, 61173138 and 61103628, and the Huawei Technologies Co., Ltd. collaborative research project.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Juan Wang (1, 2)
  • Feng Xiao (1)
  • Jianwei Huang (1)
  • Daochen Zha (1)
  • Chengyang Fan (1, 2)
  • Wei Hu (1, 2)
  • Huanguo Zhang (1, 2)

  1. School of Computer, Wuhan University, Wuhan, China
  2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan, China
