skip to main content
research-article

TVDc: managing security in the trusted virtual datacenter

Published: 01 January 2008 Publication History

Abstract

Virtualization technology is becoming increasingly common in datacenters, since it allows for collocation of multiple workloads, consisting of operating systems, middleware and applications, in different virtual machines (VMs) on shared physical hardware platforms. However, when coupled with the ease of VM migration, this trend increases the potential surface for security attacks. Further, the simplified management of VMs, including creation, cloning and migration, makes it imperative to monitor and guarantee the integrity of software components running within VMs.
This paper presents the IBM Trusted Virtual Datacenter (TVDc) technology developed to address the need for strong isolation and integrity guarantees, thus significantly enhancing security and systems management capabilities, in virtualized environments. It signifies the first effort to incorporate trusted computing technologies directly into virtualization and systems management software. We present and discuss various components that constitute TVDc: the Trusted Platform Module (TPM), the virtual TPM, the IBM hypervisor security architecture (sHype) and the associated systems management software.

References

[1]
J. P. Anderson. Computer Security Technology Planning Study. ESD-TR-73-51, Vols. I and II, Air Force Electronic Division Systems, Hanscom AFB, Bedford, MA, Oct. 1972.
[2]
S. Berger, R. Cáceres, K. Goldman, R. Perez, R. Sailer, and L. van Doorn. vTPM: Virtualizing the Trusted Platform Module. 15th USENIX Security Symposium, July 2006.
[3]
W. E. Boebert and R. Y. Kain. A Practical Alternative to Hierarchical Integrity Policies. 8th National Computer Security Conference, 1985.
[4]
D. F. C. Brewer and M. J. Nash. The Chinese Wall Security Policy. IEEE Symposium on Security and Privacy, May 1989.
[5]
A. Bussani, J. L. Griffin, B. Jasen, K. Julisch, G. Karjoth, H. Maruyama, M. Nakamura, R. Perez, M. Schunter, A. Tanner, L. van Doorn, E. V. Herreweghen, M. Waidner, S. Yoshihama. Trusted Virtual Domains: Secure Foundations for Business and IT Services. Research Report RC23792, IBM Research, November 2005.
[6]
S. Cabuk, C. I. Dalton, H. Ramasamy, and M. Schunter. Towards Automated Provisioning of Secure Virtualized Networks. Research Report RZ3692. IBM Research, June 2007.
[7]
J. L. Griffin, T. Jaeger, R. Perez, R. Sailer, L. van Doorn, and R. Cáceres. Trusted Virtual Domains: Toward Secure Distributed Services. 1st IEEE Workshop on Hot Topics in System Dependability, June 2005.
[8]
IEEE Std. 802.1Q-2003, Virtual Bridged Local Area Networks; ISBN 0-7381-3662-X.
[9]
Intel Corporation. Trusted Execution Technology Preliminary Architecture Specification, August 2007. URL:http://www.intel.com/technology/security/downloads/315168.htm
[10]
T. Jaeger, R. Sailer, and U. Shankar. PRIMA: Policy-Reduced Integrity Measurement Architecture. 11th ACM Symposium on Access Control Models and Technologies (SACMAT), June 2006.
[11]
W. Mao, H. Jin, and A. Martin. Innovations for Grid Security from Trusted Computing. White paper, June 2005.
[12]
W. Mao, F. Yan, and C. Chen. Daonity-Grid Security with Behavior Conformity from Trusted Computing. 1st ACM Workshop on Scalable Trusted Computing (STC 2006).
[13]
H. Maruyama, F. Seliger, N. Nagaratnam, T. Ebringer, S. Munetoh, S. Yoshihama, and T. Nakamura. Trusted Platform on Demand. Technical Report RT0564, IBM, February 2004R.
[14]
Meushaw and D. Simard. NetTop-Commercial Technology in High Assurance Applications. National Security Agency Tech Trend Notes, Fall 2000.
[15]
J. M. McCune, S. Berger, R. Cáceres, T. Jaeger, and R. Sailer. Shamon-A System for Distributed Mandatory Access Control. 22nd Annual Computer Security Applications Conference (ACSAC), December 2006.
[16]
Open Trusted Computing. URL:http://www.opentc.net.
[17]
R. Sailer, T. Jaeger, E. Valdez, R. Cáceres, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn. Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st Annual Computer Security Applications Conference (ACSAC), December 2005.
[18]
R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. 13th USENIX Security Symposium, August 2004.
[19]
Trusted Computing Group. URL:https//www.trustedcomputinggroup.org.
[20]
E. Valdez, R. Sailer, and R. Perez: Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control. 23rd Annual Computer Security Applications Conference (ACSAC), December 2007 (Accepted for publication).
[21]
F. Yan, W. Quang, Z. Shen, C. Chen, H. Zhang, and D. Zou. Danoity: An Experience on Enhancing Grid Security by Trusted Computing Technology. ATC, volume 4158 of LNCS, Springer, 2006.
[22]
Xen Users' Guide Chapter 10 for the Xen sHype/Access Control Module: http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user/user.html

Cited By

View all
  • (2025)Security Implication in VirtualizationEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_797(2293-2304)Online publication date: 8-Jan-2025
  • (2023)Centralized Accessibility of VM for Distributed Trusted Cloud Computing2023 4th International Conference on Computing, Mathematics and Engineering Technologies (iCoMET)10.1109/iCoMET57998.2023.10099351(1-6)Online publication date: 17-Mar-2023
  • (2022)Securing Cloud Virtual Machine Image Using Ethereum BlockchainInternational Journal of Information Security and Privacy10.4018/IJISP.29586816:1(1-22)Online publication date: 1-Apr-2022
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM SIGOPS Operating Systems Review
ACM SIGOPS Operating Systems Review  Volume 42, Issue 1
January 2008
133 pages
ISSN:0163-5980
DOI:10.1145/1341312
Issue’s Table of Contents

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 January 2008
Published in SIGOPS Volume 42, Issue 1

Check for updates

Author Tags

  1. integrity
  2. isolation
  3. mandatory access control
  4. security
  5. virtual trusted platform module
  6. virtualization

Qualifiers

  • Research-article

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)25
  • Downloads (Last 6 weeks)1
Reflects downloads up to 25 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2025)Security Implication in VirtualizationEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_797(2293-2304)Online publication date: 8-Jan-2025
  • (2023)Centralized Accessibility of VM for Distributed Trusted Cloud Computing2023 4th International Conference on Computing, Mathematics and Engineering Technologies (iCoMET)10.1109/iCoMET57998.2023.10099351(1-6)Online publication date: 17-Mar-2023
  • (2022)Securing Cloud Virtual Machine Image Using Ethereum BlockchainInternational Journal of Information Security and Privacy10.4018/IJISP.29586816:1(1-22)Online publication date: 1-Apr-2022
  • (2022)Security Framework for Hosting Systems on the Cloud: Case Study of Jordan E-Government Websites2022 International Conference on Emerging Trends in Computing and Engineering Applications (ETCEA)10.1109/ETCEA57049.2022.10009803(1-6)Online publication date: Nov-2022
  • (2021)5G and beyond telco cloud: architecture and cybersecurity challenges2021 World Automation Congress (WAC)10.23919/WAC50355.2021.9559450(1-6)Online publication date: 1-Aug-2021
  • (2021)A Deep Learning-Based Trust Assessment Method for Cloud UsersSecurity and Communication Networks10.1155/2021/99372292021Online publication date: 1-Jan-2021
  • (2020)Subverting Linux' integrity measurement architectureProceedings of the 15th International Conference on Availability, Reliability and Security10.1145/3407023.3407058(1-10)Online publication date: 25-Aug-2020
  • (2019)Architectural Design of Trusted Platform for IaaS Cloud ComputingCloud Security10.4018/978-1-5225-8176-5.ch019(393-411)Online publication date: 2019
  • (2019)Security Flaws and Design Issues in Cloud InfrastructureDetection and Mitigation of Insider Attacks in a Cloud Infrastructure10.4018/978-1-5225-7924-3.ch004(52-61)Online publication date: 2019
  • (2019)BULUT BİLİŞİMDE GÜVENLIK ZAFİYETLERİ, TEHDİTLERI VE BU TEHDİTLERE YÖNELİK GÜVENLİK ÖNERİLERİUluslararası Bilgi Güvenliği Mühendisliği Dergisi10.18640/ubgmd.5440545:1(8-34)Online publication date: 15-Jun-2019
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media