Remote attestation and integrity measurements with Intel SGX for virtual machines
Computers & Security (IF 4.8), Pub Date: 2021-04-22, DOI: 10.1016/j.cose.2021.102300
Michał Kucab, Piotr Boryło, Piotr Chołda

In response to the emerging virtualization trend, we focus on a Virtual Machine (VM) remote attestation process, assuming that the VM is running in an uncontrolled and untrusted cloud infrastructure.

We present a solution that is able to establish a chain of trust in a cloud environment. Our solution is based on a set of CPU instructions and does not need any additional components to track host modifications. It enables integrity verification of a filesystem. Additionally, it ensures trust level assessment for remote VMs during their startup or when triggered manually at any point in time afterwards.

We identify security properties for our solution and show how it meets them. The security analysis shows that, with the necessary countermeasures, the proposed model can ensure the required level of security. Additionally, we evaluate the performance impact of the prototype and the virtualization overhead for a real-life scenario. Here, we assume that small configuration files, binaries, and executables are most critical. The results show that important filesystem components can be verified with minimal impact on startup time. This way, the whole proposal allows a VM to become part of a trusted compute resource pool.




Updated: 2021-05-08