Adrian Baldwin
Abstract
Virtualization brings exibility to the data center and enables separations allowing for better security properties. For these security properties to be fully utilized, virtual machines need to be able to connect to secure services such as networking and storage. This paper addresses the problems associated with managing the cryptographic keys upon which such services rely by ensuring that keys remain within the trusted computing base. Here we describe a general architecture for managing keys tied to the underlying virtualized systems, with a specific example given for secure storage.
- M. Anderson, M. Moffie, and C. Dalton. Towards trustworthy virtualisation environments: Xen library os security services. Technical Report HPL-2007-69, HP Labs, 2007.Google Scholar
- A. Baldwin and S. Shiu. Encryption and key management in a san. In SISW '02: Proceedings of the First International IEEE Security in Storage Workshop. IEEE Computer Society, 2002. Google ScholarDigital Library
- A. Baldwin and S. Shiu. Hardware encapsulation of security services. In ESORICS, volume 2808 of LNCS. Springer, 2003.Google Scholar
- A. Baldwin and S. Shiu. Enabling shared audit data. Int. J. Inf. Secur., 4(4):263--276, 2005. Google ScholarDigital Library
- P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In SOSP '03: Proceedings of the 19th ACM symposium on Operating systems principles. ACM, 2003. Google ScholarDigital Library
- M. Bellare and B. Yee. Forward integrity for audit logs. Technical report, UCSD tech report, 1997.Google Scholar
- S. Berger, K. G. Ramón Ćaceres, R. Perez, R. Sailer, and L. van Doorn. vtpm: Virtualizing the trusted platform module. Technical Report RC23879, IBM Research, 2006.Google Scholar
- S. Cabuk, C. I. Dalton, H. Ramasamy, and M. Schunter. Towards automated provisioning of secure virtualized networks. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, pages 235--245. ACM, 2007. Google ScholarDigital Library
- S. Cabuk, D. Plaquin, T. Hong, and D. Murray. Improving policy verification capabilities of trusted platforms. Technical Report HPL-2008-71, HP Labs, 2007.Google Scholar
- T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: a virtual machine-based platform for trusted computing. SIGOPS Oper. Syst. Rev., 37(5):193--206, 2003. Google ScholarDigital Library
- C. Gebhardt and A. Tomlinson. Secure virtual disk images for grid computing. In APTC '08: Proceedings of the 3rd Asia-Pacofoc Trusted Infrastructure Technologies Conference, 2008. Google ScholarDigital Library
- M. Kallahalla, M. Uysal, R. Swaminathan, D. E. Lowell, M. Wray, T. Christian, N. Edwards, C. I. Dalton, and F. Gittler. Softudc: A software-based data center for utility computing. Computer, 37(11):38--46, 2004. Google ScholarDigital Library
- K. Kostienko. Securing access of virtual resources to a shared storage facility based on tcg. Master's thesis, University of Birmingham, October 2007.Google Scholar
- D. Kuhlmann, R. Landfermann, H. Ramasamy, M. Schunter, G. Ramunni, and D. Vernizzi. An open trusted computing architecture - secure virtual machines enabling userdefined policy enforcement. Technical Report RZ 3655, IBM Research, 2006.Google Scholar
- R. Merkle. Protocols for public key cryptography. In IEEE Symposium on Security and Privacy, 1980.Google Scholar
- C. Mitchell. Trusted Computing (Professional Applications of Computing. IEE Press, 2005. Google ScholarDigital Library
- D. G. Murray, G. Milos, and S. Hand. Improving xen security through disaggregation. In VEE '08: Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pages 151--160. ACM, 2008. Google ScholarDigital Library
- Q. Rajpoot. Key management for secure storage in a virtualised data center. Master's thesis, University of Birmingham, October 2007.Google Scholar
- RSA Labs. Pkcs#11 v2.11 cryptographic token interface standard, 2001.Google Scholar
- R.Sailer, T. Jaeger, E. Valdez, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn. Building a mac-based security architecture for the xen opensource hypervisor. Technical Report RC23629, IBM Research, 2005.Google Scholar
- F. Stumpf, P. R. O. Tafreschi and, and C. Eckert. A robust integrity reporting protocol for remote attestation. In Proceedings of the Second Workshop on Advances in Trusted Computing, 2006.Google Scholar
- Trusted Computing Group. TCG pc specific implementation specification, 2003.Google Scholar
Index Terms
- Providing secure services for a virtual infrastructure
Recommendations
Efficient live migration of virtual machines using shared storage
VEE '13: Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environmentsLive migration of virtual machines (VM) across distinct physical hosts is an important feature of virtualization technology for maintenance, load-balancing and energy reduction, especially so for data centers operators and cluster service providers. ...
Enabling Instantaneous Relocation of Virtual Machines with a Lightweight VMM Extension
CCGRID '10: Proceedings of the 2010 10th IEEE/ACM International Conference on Cluster, Cloud and Grid ComputingWe are developing an efficient resource management system with aggressive virtual machine (VM) relocation among physical nodes in a data center. Existing live migration technology, however, requires a long time to change the execution host of a VM, it ...
Efficient live migration of virtual machines using shared storage
VEE '13Live migration of virtual machines (VM) across distinct physical hosts is an important feature of virtualization technology for maintenance, load-balancing and energy reduction, especially so for data centers operators and cluster service providers. ...
Comments