Daonity: Grid Security via Two Levels of Virtualization - PowerPoint PPT Presentation

About This Presentation
Title:

Daonity: Grid Security via Two Levels of Virtualization

Description:

Hardware architecture (in x86 chipset) TPM. Non-Volatile. Storage. Platform ... (x86 chipset) int 0x80 interrupt occurs when a process calls for resources; ... – PowerPoint PPT presentation

Number of Views:39
Avg rating:3.0/5.0
Slides: 14
Provided by: astf3

Transcript and Presenter's Notes

1
Daonity: Grid Security via Two Levels of
Virtualization
  • Wenbo Mao
  • EMC Research China
  • Work reported here was conducted while with HP
  • An open-source grid security project with
    ChinaGrid
  • In collaboration with
    • Fudan University
    • Huazhong University of Science and Technology
    • Wuhan University

2
Virtualization I @ resource level for high
performance and dependability
  • The Grid is a big virtual machine, called a
    Virtual Organization (VO), of an unbounded pool
    of computing and storage resources

[Figure: VO workflow diagram with the labels User,
Portal manager, Credential (e.g., MyProxy),
Knowledgeable Broker, Data job manager, Farms,
Registering and Submitting, and steps numbered 1-6.
Keywords: Heterogeneity, Delegation]
3
An abstract of resource level virtualization
  • In reality, a VO is constructed ad hoc for a
    user (Alice), involving, e.g., dedicated or
    under-utilized servers in real organizations
  • Any physical part in a VO can be off, but Alice's
    science must be on
  • How? Grid Security Infrastructure (GSI) proxy
    credential
  • "My proxy, use this credential and work on my
    behalf! Bye-bye."
  • (a credential is a crypto key)

Alice creates a cred for Proxy 1 to use. Then she
goes. If a proxy wants to go, it creates a new proxy
cred to be used by a new proxy.
[Figure: certificate chain. The CA signs Alice's
Identity Certificate; Alice signs the Proxy
Certificate of Proxy 1; each proxy in turn signs the
Proxy Certificate of the next one (Proxy 1 ... Proxy
n), which receives the chained certificates.]
4
Trusted Computing
  • Trusted Computing Group (TCG): COTS and standard
    technologies, www.trustedcomputinggroup.org
  • Hardware-based solutions to creating a Trusted
    Computing Base (TCB) in an open-platform computer
  • The hardware TCB (a trusted 3rd-party agent):
    the Trusted Platform Module (TPM)
  • Roots of Trust for (i) Measurement, (ii) Storage
    and (iii) Reporting

5
Hardware architecture (in x86 chipset)

[Figure: x86 chipset block diagram; the TPM
eavesdrops on the LPC bus]
6
Trusted Computing slice 3
  • Roots of Trust for
    • Measurement (how eavesdropping is done):
      SHA-1 hashing of the software loaded onto the
      platform, e.g.,
      PCR ← SHA-1(PCR ‖ BIOS), PCR ← SHA-1(PCR ‖ OS)
    • Storage: the TPM stores a private key called
      the Storage Root Key (SRK)
    • Reporting: a remote querier can demand that a
      TPM attest the measurement result (i.e., to
      check a PCR value)

7
Same architecture, new realization
  • Alice creates a VO cred in her TPM and migrates
    it within the TPMs of the VO members
  • "Server, still use this cred to work on my
    behalf!!" (but now the cred is in TPMs)
  • Behaviour conformity: Alice's "safe hands" in
    platforms afar; TPMs can force VO members to
    comply with Alice's policy (new to GSI)

Migrating credential between TPMs: if a server wants
to go, it migrates the same credential to the TPM of
another server, and so on.
[Figure: the CA signs a Certificate for Alice;
Alice's TPM, Server-1's TPM and Server-n's TPM each
receive a certificate (Certificate for Server-1,
Certificate for Server-n).]
8
Policy enforcement afar (no oracle service!)
To decrypt or not to decrypt, that is the question:
is "outside" safe? ("outside" = the software
environment loaded onto the platform so far)
  • Crux: a TPM can perform conditional crypto
    services (e.g., decrypt)
  • Pseudo code for Alice to instruct a remote TPM to
    serve conditionally:
    CreateWrapKey( PCR-Setting, Migratable )
  • This means: create a key pair in Alice's TPM
    whose private key satisfies
    • It is migratable to another remote TPM (on
      Alice's permit)
    • The remote TPM can use the private key only if
      the locally eavesdropped PCR value matches the
      PCR-Setting chosen by Alice
  • I.e., to provide crypto services only to a
    software environment of Alice's approval
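As an added example (not from the slides or the Daonity project), this Python model puts together the PCR extend of slide 6 and this slide's CreateWrapKey( PCR-Setting, Migratable ): a toy TPM measures boot components into a PCR, wraps a key to a PCR setting, migrates it to other TPMs, and serves the key only where the measured PCR matches. SimTPM, its methods and the boot measurements are constructed stand-ins, and a keyed hash stands in for the private-key operation.

```python
import hashlib, hmac, os

PCR_LEN = 20  # a TPM 1.2 PCR holds a 160-bit SHA-1 digest

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR <- SHA-1(PCR || SHA-1(component)): the slide's extend, hashing the component first as a real TPM does."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Extend each loaded component in order, starting from the all-zero reset value."""
    pcr = bytes(PCR_LEN)
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr

class SimTPM:
    """Toy model of one platform's TPM: its PCR plus wrapped keys bound to a PCR setting."""
    def __init__(self, name: str, boot_components):
        self.name, self.keys = name, {}
        self.pcr = measure_boot(boot_components)  # what the TPM eavesdropped during load

    def create_wrap_key(self, pcr_setting: bytes, migratable: bool) -> str:
        """Alice's CreateWrapKey(PCR-Setting, Migratable); a random secret stands in for the private key."""
        handle = "key-%d" % (len(self.keys) + 1)
        self.keys[handle] = (os.urandom(PCR_LEN), pcr_setting, migratable)
        return handle

    def migrate(self, handle: str, dest: "SimTPM") -> None:
        secret, setting, migratable = self.keys[handle]
        if not migratable:
            raise PermissionError("key is not migratable")
        dest.keys[handle] = (secret, setting, migratable)  # the PCR policy travels with the key

    def use_key(self, handle: str, data: bytes):
        """Conditional crypto service: None unless the local PCR matches the key's PCR-Setting."""
        secret, setting, _ = self.keys[handle]
        if not hmac.compare_digest(self.pcr, setting):
            return None
        return hmac.new(secret, data, hashlib.sha1).digest()  # keyed op stands in for decrypt

APPROVED_BOOT = [b"BIOS v1.0", b"GRID-OS kernel 2.6"]  # constructed sample measurements
TAMPERED_BOOT = [b"BIOS v1.0", b"GRID-OS kernel 2.6 + rootkit"]
def demo():
    """Returns (served on a conforming server, served on a tampered server)."""
    alice = SimTPM("Alice", APPROVED_BOOT)
    h = alice.create_wrap_key(pcr_setting=alice.pcr, migratable=True)
    server1, servern = SimTPM("Server-1", APPROVED_BOOT), SimTPM("Server-n", TAMPERED_BOOT)
    for s in (server1, servern):
        alice.migrate(h, s)
    return server1.use_key(h, b"VO job") is not None, servern.use_key(h, b"VO job") is not None
```

Because the PCR policy is stored next to the migrated secret, the tampered server holds the same key material as the conforming one yet gets no service from it.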

9
Virtualization II @ platform level
  • Virtualization I is done at grid middleware,
    which is above the OS
  • The Operating System is still a weak part needing
    strengthening
  • Conformity and High-Assurance within Operating
    Systems (CHAOS)
  • Goal
    • To extend the tamper-resistant property of the
      TPM to conformed behavior in an untrusted
      operating system, using a trusted virtual
      machine monitor (VMM)
  • Requirements
    • Backward compatible with existing applications
    • Minimal OS changes
    • No need for dedicated hardware (apart from TPM)

10
Architecture: the VMM is part of the TCB
Why? Because the VMM is capable of intercepting all
privileged operations from all processes, through
the operating system, to hardware resources (memory,
disk and other peripherals) (the zigzagged software
in the figure is what gets eavesdropped)
11
Approach
  • Interrupt interception: using the VMM to
    intercept system calls and interrupts from a
    trusted process; such a call occurs whenever the
    process asks for resources (either as a result of
    inter-process interactions or hardware usage)
    (this presentation describes only this part)
  • Memory isolation: preventing untrusted parts from
    tampering with the CPU execution context and
    memory locations of a trusted process
  • Persistent data sealing: all persistent data
    input to/output from a trusted process will be
    decrypted/encrypted by the VMM
  • These are achieved by modifying the open-source
    VMM Xen version 3.0.2 (adding security to Xen)

12
Implementation for interception (case study)
(a "good man in the middle" attack)
On the x86 chipset, an int 0x80 interrupt occurs when
a process calls for resources; we use int 0x81 to
implement the interrupt from a trusted process
(software of Alice's approval), which will always be
intercepted by the VMM for special treatment
13
Conclusion
  • What's novel
    • Fine-grained trust vs. all-or-none trust:
      trust individual processes, not the whole OS
    • The OS serves as a service provider, not as a
      security broker; a trusted (i.e., integrity
      protected) VMM is the security broker
    • Compared to existing all-or-none trust systems:
      NGSCB (Microsoft), Terra (Stanford), OpenTC (an
      EU project)
    • Software-based instead of dedicated hardware,
      compared to secure-coprocessor and
      architectural approaches
    • Backward compatible with existing software:
      functionality retained, no porting effort for
      software
  • What's more to be done
    • Grid standardization (involving TCG, Globus,
      virtualization): hard!
    • Generalization to other software/hardware
      platforms: a lot of work!