This paper addresses storage issues in cloud computing and proposes a secure storage service where stored user data are protected even against a malicious administrator and compromised software. We describe the architecture of the proposed design and discuss the security issues of the design.

I. INTRODUCTION

Cloud computing refers to the computing paradigm where software and hardware are provided as a service. Cloud computing is in the spotlight because it makes it possible to reduce operating costs and maximize resource utilization, as the pay-as-you-go model is a basic philosophy of cloud computing. Cloud computing provides an attractive environment in that physical servers do not have to be managed directly by cloud users, and elasticity against the scalability problem is also provided.

Nevertheless, companies that regard security as the first principle of governance are reluctant to use cloud computing services. The main reason is anxiety about the security of their VMs. As plenty of stakeholders, including a cloud provider and cloud users, co-exist in a cloud computing environment, the VMs allocated to a cloud user are influenced by the hypervisor, a management OS (meaning the OS of a management VM), or other VMs, even in a single cloud node. Furthermore, cloud administrators have privileges to control the VMs. This means a malicious administrator can easily leak user data using management tools [4]. As a result, virtual machines are more vulnerable to information leakage than physical machines.

In this paper we propose a secure storage architecture using crypto-processors for cloud users. User data are encrypted, even a malicious administrator cannot access the cryptographic keys, and the decrypted data are isolated from the management OS. Accordingly, user data are protected from cloud administrators and other users. A more secure cloud computing environment is guaranteed in the proposed architecture, and thus migration from server hosting services to cloud computing services is expected to increase.

II. BACKGROUND

There are three entities to protect for the confidentiality of guest VMs: processing, memory, and I/O. Processing and memory can be protected by hardware such as VT-x and AMD-V and by software techniques such as [2], [3]. If processing and memory are protected, the guest virtual machine is safe as long as no I/O operation is involved. However, transferring the input or output data of a computation is an essential process in a cloud computing environment. That is why the last entity, I/O, should be protected in cloud computing. Generally, all network traffic can be encrypted within a guest virtual machine and is thus safe during transfer. However, this implies the assumption that the cryptographic keys are protected safely. The cryptographic keys are generally stored in storage. Therefore, protecting storage is the basic foundation for protecting all other I/O devices.

Fig. 1. Threat Model (figure not reproduced; labels: Cloud Node, Hypervisor, Local Storage, Remote Storage, Privileged Access, Illegal Access with Privilege)

III. SECURE STORAGE REQUIREMENTS

A. Assumption & Threat Models

Cloud systems consist of many software components. Among them, the hypervisor and a management OS coexist with guest VMs in a single cloud node. When the hypervisor is compromised, the confidentiality of guest VMs cannot be guaranteed. However, the code size of the hypervisor is smaller than that of a traditional OS, and thus the hypervisor has relatively fewer security holes [2].

A management OS is an important attack point for remote hackers or a malicious administrator. The management OS can access its own memory even though the memory of a guest VM is prevented from being accessed [2], [3]. This means information leakage by observing the I/O of guest VMs via split drivers in the management OS is still possible. Therefore, the main threat addressed in this work is information leakage by accessing local storage via the management OS, or by direct access to remote storage with privilege. We also assume that defense mechanisms against hardware attacks are well-equipped, and thus hardware attacks are not feasible.

B. Requirements

The requirements for secure storage are summarized as follows.

• Isolated cryptographic operation: A malicious administrator or remote hackers can have control over the management OS. Therefore, when plaintext or decrypted data are loaded in the memory of the management OS, they can be leaked by using privileged operations in the management OS. As a result, the result of cryptographic operations should be isolated from the management OS.
• Infrastructure cryptographic operation: Key delivery from cloud users involves a connection to systems outside the cloud, which means an additional service is needed for key delivery. Thus, cryptographic keys should exist in the cloud system. Moreover, full-disk encryption is implementable because the guest OS is uninvolved.
• Key protection: To protect the keys perfectly, we need a key storage service where the keys are inaccessible even with privileged access.
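The following is an added example, not code from the paper, that models the three requirements above and the threat model of Section III.A in a small simulation: a per-VM data key is sealed to TPM-style PCR measurements of the software stack, guest block I/O is encrypted before it reaches the management OS (the split-driver back end), and unsealing fails when the measured stack differs. Everything here is constructed for illustration: HMAC-SHA256 in counter mode stands in for the TPM's seal/unseal operation and for a real disk cipher, and the class and function names (ManagementOS, seal, unseal, measure_stack, run_scenario) are assumptions, not the paper's components.

```python
"""Toy model of the secure-storage requirements (added example, not the paper's
code). HMAC-SHA256 is a constructed stand-in for the TPM seal/unseal and for a
real full-disk cipher; all keys, measurements and data below are constructed."""
import hashlib
import hmac
import secrets

TAG_LEN = 32    # HMAC-SHA256 tag length
NONCE_LEN = 16  # per-block nonce length


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = SHA256(PCR || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_stack(components) -> bytes:
    """Fold the boot chain (hypervisor, management OS, ...) into one PCR value; order matters."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(secret: bytes, context: bytes, length: int) -> bytes:
    """Counter-mode PRF keystream from HMAC-SHA256 (stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(secret, context + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(srk: bytes, pcr: bytes, data_key: bytes) -> bytes:
    """Wrap data_key under the TPM storage root key, bound to the PCR value (encrypt-then-MAC)."""
    blob = _xor(data_key, _keystream(srk, b"seal" + pcr, len(data_key)))
    tag = hmac.new(srk, pcr + blob, hashlib.sha256).digest()
    return blob + tag


def unseal(srk: bytes, pcr: bytes, sealed: bytes):
    """Return the data key only if srk AND the current PCR match; otherwise None."""
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(srk, pcr + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # measured stack is not the one the key was sealed to
    return _xor(blob, _keystream(srk, b"seal" + pcr, len(blob)))


def encrypt_block(data_key: bytes, lba: int, plain: bytes) -> bytes:
    """Encrypt-then-MAC one disk block; nonce and LBA bind the ciphertext to its slot."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ctx = nonce + lba.to_bytes(8, "big")
    ct = _xor(plain, _keystream(data_key, ctx, len(plain)))
    tag = hmac.new(data_key, ctx + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_block(data_key: bytes, lba: int, blob: bytes):
    """Verify and decrypt one block; None means whoever holds the storage altered it."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    ctx = nonce + lba.to_bytes(8, "big")
    if not hmac.compare_digest(tag, hmac.new(data_key, ctx + ct, hashlib.sha256).digest()):
        return None
    return _xor(ct, _keystream(data_key, ctx, len(ct)))


class ManagementOS:
    """Split-driver back end: stores every block and can read all it stores,
    which models a malicious administrator with privileged access to storage."""
    def __init__(self):
        self.disk = {}
        self.observed = []

    def write_block(self, lba: int, blob: bytes):
        self.observed.append(blob)  # everything passing through is visible here
        self.disk[lba] = blob

    def read_block(self, lba: int) -> bytes:
        return self.disk[lba]


def run_scenario():
    """Exercise the requirements and report what each party could obtain."""
    srk = secrets.token_bytes(32)                          # constructed TPM storage root key
    good_stack = [b"hypervisor-v1", b"management-os-v1"]  # constructed measurements
    data_key = secrets.token_bytes(32)                     # per-VM key; never leaves the cloud system
    sealed = seal(srk, measure_stack(good_stack), data_key)

    mgmt = ManagementOS()
    key = unseal(srk, measure_stack(good_stack), sealed)   # trusted stack: succeeds
    secret_doc = b"payroll: alice 100, bob 200"            # constructed guest data
    mgmt.write_block(7, encrypt_block(key, 7, secret_doc))
    leaked = any(secret_doc in blob for blob in mgmt.observed)  # management OS sees only ciphertext
    readback = decrypt_block(key, 7, mgmt.read_block(7))

    mgmt.disk[7] = b"\x00" + mgmt.disk[7][1:]              # privileged tampering with stored block
    tamper_detected = decrypt_block(key, 7, mgmt.read_block(7)) is None

    # A modified management OS measures differently, so the sealed key cannot be recovered.
    pcr_tampered = measure_stack([b"hypervisor-v1", b"management-os-backdoored"])
    return {"leaked": leaked, "readback_ok": readback == secret_doc,
            "tamper_detected": tamper_detected, "tampered_unseal": unseal(srk, pcr_tampered, sealed)}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the simulation is the separation of roles: the management OS handles every block but never holds the data key or plaintext, and the key is only recoverable under the measured stack it was sealed to, which is what the requirements call isolated operation and key protection. A real deployment would replace the HMAC stand-ins with the TPM's seal/unseal and a disk cipher such as AES-XTS.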
Fig. 2. Architecture Overview (figure not reproduced; components: Cloud Node, Hypervisor, Guest VM, Nested Page Table, Guest Page Table, TPM (EK, PCR, AIK), EK, DA Key, IOMMU, PCI Device, Encrypted Data, Plain Data; paths: Encrypted Data Access, Plain Data Access)