skip to main content
research-article

Providing secure services for a virtual infrastructure

Published: 01 January 2009 Publication History

Abstract

Virtualization brings exibility to the data center and enables separations allowing for better security properties. For these security properties to be fully utilized, virtual machines need to be able to connect to secure services such as networking and storage. This paper addresses the problems associated with managing the cryptographic keys upon which such services rely by ensuring that keys remain within the trusted computing base. Here we describe a general architecture for managing keys tied to the underlying virtualized systems, with a specific example given for secure storage.

References

[1]
M. Anderson, M. Moffie, and C. Dalton. Towards trustworthy virtualisation environments: Xen library os security services. Technical Report HPL-2007-69, HP Labs, 2007.
[2]
A. Baldwin and S. Shiu. Encryption and key management in a san. In SISW '02: Proceedings of the First International IEEE Security in Storage Workshop. IEEE Computer Society, 2002.
[3]
A. Baldwin and S. Shiu. Hardware encapsulation of security services. In ESORICS, volume 2808 of LNCS. Springer, 2003.
[4]
A. Baldwin and S. Shiu. Enabling shared audit data. Int. J. Inf. Secur., 4(4):263--276, 2005.
[5]
P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In SOSP '03: Proceedings of the 19th ACM symposium on Operating systems principles. ACM, 2003.
[6]
M. Bellare and B. Yee. Forward integrity for audit logs. Technical report, UCSD tech report, 1997.
[7]
S. Berger, K. G. Ramón Ćaceres, R. Perez, R. Sailer, and L. van Doorn. vtpm: Virtualizing the trusted platform module. Technical Report RC23879, IBM Research, 2006.
[8]
S. Cabuk, C. I. Dalton, H. Ramasamy, and M. Schunter. Towards automated provisioning of secure virtualized networks. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, pages 235--245. ACM, 2007.
[9]
S. Cabuk, D. Plaquin, T. Hong, and D. Murray. Improving policy verification capabilities of trusted platforms. Technical Report HPL-2008-71, HP Labs, 2007.
[10]
T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: a virtual machine-based platform for trusted computing. SIGOPS Oper. Syst. Rev., 37(5):193--206, 2003.
[11]
C. Gebhardt and A. Tomlinson. Secure virtual disk images for grid computing. In APTC '08: Proceedings of the 3rd Asia-Pacofoc Trusted Infrastructure Technologies Conference, 2008.
[12]
M. Kallahalla, M. Uysal, R. Swaminathan, D. E. Lowell, M. Wray, T. Christian, N. Edwards, C. I. Dalton, and F. Gittler. Softudc: A software-based data center for utility computing. Computer, 37(11):38--46, 2004.
[13]
K. Kostienko. Securing access of virtual resources to a shared storage facility based on tcg. Master's thesis, University of Birmingham, October 2007.
[14]
D. Kuhlmann, R. Landfermann, H. Ramasamy, M. Schunter, G. Ramunni, and D. Vernizzi. An open trusted computing architecture - secure virtual machines enabling userdefined policy enforcement. Technical Report RZ 3655, IBM Research, 2006.
[15]
R. Merkle. Protocols for public key cryptography. In IEEE Symposium on Security and Privacy, 1980.
[16]
C. Mitchell. Trusted Computing (Professional Applications of Computing. IEE Press, 2005.
[17]
D. G. Murray, G. Milos, and S. Hand. Improving xen security through disaggregation. In VEE '08: Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pages 151--160. ACM, 2008.
[18]
Q. Rajpoot. Key management for secure storage in a virtualised data center. Master's thesis, University of Birmingham, October 2007.
[19]
RSA Labs. Pkcs#11 v2.11 cryptographic token interface standard, 2001.
[20]
R.Sailer, T. Jaeger, E. Valdez, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn. Building a mac-based security architecture for the xen opensource hypervisor. Technical Report RC23629, IBM Research, 2005.
[21]
F. Stumpf, P. R. O. Tafreschi and, and C. Eckert. A robust integrity reporting protocol for remote attestation. In Proceedings of the Second Workshop on Advances in Trusted Computing, 2006.
[22]
Trusted Computing Group. TCG pc specific implementation specification, 2003.

Cited By

View all
  • (2018)A Protocol for Preventing Insider Attacks in Untrusted Infrastructure-as-a-Service CloudsIEEE Transactions on Cloud Computing10.1109/TCC.2016.25601616:4(942-954)Online publication date: 1-Oct-2018
  • (2016)A Trusted IaaS Environment with Hardware Security ModuleIEEE Transactions on Services Computing10.1109/TSC.2015.23920999:3(343-356)Online publication date: 1-May-2016
  • (2014)Programming Interfaces for the TPMTrusted Computing for Embedded Systems10.1007/978-3-319-09420-5_1(3-32)Online publication date: 3-Nov-2014
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM SIGOPS Operating Systems Review
ACM SIGOPS Operating Systems Review  Volume 43, Issue 1
January 2009
97 pages
ISSN:0163-5980
DOI:10.1145/1496909
Issue’s Table of Contents

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 January 2009
Published in SIGOPS Volume 43, Issue 1

Check for updates

Author Tags

  1. TCG
  2. key management
  3. storage
  4. virtualization

Qualifiers

  • Research-article

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)1
  • Downloads (Last 6 weeks)0
Reflects downloads up to 20 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2018)A Protocol for Preventing Insider Attacks in Untrusted Infrastructure-as-a-Service CloudsIEEE Transactions on Cloud Computing10.1109/TCC.2016.25601616:4(942-954)Online publication date: 1-Oct-2018
  • (2016)A Trusted IaaS Environment with Hardware Security ModuleIEEE Transactions on Services Computing10.1109/TSC.2015.23920999:3(343-356)Online publication date: 1-May-2016
  • (2014)Programming Interfaces for the TPMTrusted Computing for Embedded Systems10.1007/978-3-319-09420-5_1(3-32)Online publication date: 3-Nov-2014
  • (2013)VirtualizationACM Computing Surveys10.1145/2431211.243121645:2(1-39)Online publication date: 12-Mar-2013
  • (2012)A network policy model for virtualized systems2012 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC.2012.6249376(000680-000683)Online publication date: Jul-2012
  • (2012)Towards designing secure virtualized systems2012 Second International Conference on Digital Information and Communication Technology and it's Applications (DICTAP)10.1109/DICTAP.2012.6215385(250-255)Online publication date: May-2012
  • (2012)Enterprise Information Risk Management: Dealing with Cloud ComputingPrivacy and Security for Cloud Computing10.1007/978-1-4471-4189-1_8(257-291)Online publication date: 27-Jun-2012
  • (2012)Specification and Standardization of a Java Trusted Computing APISoftware—Practice & Experience10.1002/spe.109542:8(945-965)Online publication date: 1-Aug-2012
  • (2011)Locking the sky: a survey on IaaS cloud securityComputing10.1007/s00607-010-0140-x91:1(93-118)Online publication date: 1-Jan-2011

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media