WELES: Policy-driven Runtime Integrity Enforcement of Virtual Machines
arXiv - CS - Operating Systems Pub Date : 2021-04-30 , DOI: arxiv-2104.14862 Wojciech Ozga, Do Le Quoc, Christof Fetzer
Trust is of paramount concern for tenants deploying their security-sensitive services in the cloud. The integrity of the VMs in which these services are deployed needs to be ensured even in the presence of powerful adversaries with administrative access to the cloud. Traditional approaches to this challenge leverage trusted computing techniques, e.g., vTPM, or hardware CPU extensions, e.g., AMD SEV. But they are either vulnerable to powerful adversaries or provide only load-time (not runtime) integrity measurements of VMs.

We propose WELES, a protocol that allows tenants to establish and maintain trust in the runtime integrity of a VM's software and its configuration. WELES is transparent to the VM configuration and setup. It performs an implicit attestation of VMs during a secure login and binds the VM integrity state to the secure connection. Our prototype's evaluation shows that WELES is practical and incurs low performance overhead.
Chinese translation:
WELES: Policy-driven Runtime Integrity Enforcement of Virtual Machines
For tenants, trust is the foremost concern when deploying their security-sensitive services in the cloud. The integrity of the VMs in which these services are deployed must be ensured even in the presence of powerful adversaries with administrative access to the cloud. Traditional approaches to this challenge leverage trusted computing techniques (e.g., vTPM) or hardware CPU extensions (e.g., AMD SEV). However, they are vulnerable to powerful adversaries, or they provide only load-time (not runtime) integrity measurements of VMs. We propose WELES, a protocol that allows tenants to establish and maintain trust in the runtime integrity of a VM's software and its configuration. WELES is transparent to the VM's configuration and setup. It performs an implicit attestation of VMs during a secure login and binds the VM integrity state to the secure connection.
Updated: 2021-05-03