How to Secure Infrastructure Clouds with Trusted Computing Technologies

Nicolae Paladi
Swedish Institute of Computer Science

Contents

1. Infrastructure-as-a-Service
2. Security challenges of IaaS
3. Trusted Computing and TPM
4. Trusted VM launch
5. InfraCloud
6. Future work

Infrastructure-as-a-Service

• A cloud computing service model (NIST SP 800-145, 2011). The consumer:
  • provisions processing, storage, networks and other fundamental computing resources;
  • deploys and runs arbitrary software, which can include operating systems and applications;
  • has no control over the underlying cloud infrastructure (hosts, hypervisors, physical network);
  • has control over operating systems, storage and deployed applications;
  • has possibly limited control of select networking components (e.g. host firewalls).

Infrastructure-as-a-Service
architectural overview

[Figure: OpenStack architectural overview, https://wiki.openstack.org/wiki/ArchitecturalOverview]

Infrastructure-as-a-Service
security issues

• 2011: Vulnerabilities in the AWS management console and its SOAP interface (XSS and XML signature wrapping attacks) could give an attacker control over a victim's EC2 resources.
• 2012: Cross-VM side channels over a shared CPU cache were used to extract an ElGamal private key from a co-resident VM.
• 2012: Rackspace's "dirty disks": newly provisioned VM disks contained data remnants of other customers.

[Figure: OpenStack architectural overview, https://wiki.openstack.org/wiki/ArchitecturalOverview]

Can we help it?

Introducing the TPM

• Trusted Platform Module v1.2, as specified by the Trusted Computing Group (TCG); v2.0 was under review at the time of this talk.
• Tamper-evident hardware; keys are generated and used inside the chip.
• At least 16 Platform Configuration Registers (PCRs): volatile 20-byte (SHA-1) registers that are reset at boot and can only be changed by the extend operation, PCR_new = SHA-1(PCR_old || measurement), so a PCR value commits to the whole ordered sequence of measurements.
• Four key operations: signing, binding (encrypting to a TPM-held key), sealing (binding tied to a specified PCR state, so the data can only be unsealed on a platform in that state) and sealed-signing (a signature that also attests the current PCR values).

Introducing the TPM: output

• Stores integrity measurements of the firmware and boot chain: at boot, each stage measures (hashes) the next one and extends the digest into a PCR before handing over control.
• Can hold integrity measurements of loaded kernel modules and executed files, e.g. via Linux IMA, which extends each measurement into a PCR (PCR 10 by default) and keeps a measurement log that a verifier can replay against the PCR value (the slide shows a sample measurement list as an image).

Introducing the TPM: usage

• Microsoft BitLocker
• Google Chromium OS
• Citrix XenServer
• Oracle's X- and T-Series Systems
• HP ProtectTools
• Others

Securing IaaS environments
with trusted computing

• Virtualization security.
• Storage protection in IaaS environments.
• Computing security in IaaS environments.
• Remote host software integrity attestation.
• Runtime host software integrity attestation.
• Encryption key management in IaaS environments.

Computing security in
IaaS environments: Problem Setting

• "Consumer is able to deploy and run arbitrary software, which can include operating systems and applications." (NIST SP 800-145)
• The client can launch VMs for sensitive computations, but has no visibility into the host the VM lands on.
• Trusted VM launch: the correct (unmodified) VM image is launched, in an IaaS platform, on a host with a known software stack that has been verified not to have been modified by malicious actors.
• This is one instance of IaaS security with trusted computing. The question: how do we ensure a trusted VM launch in an untrusted IaaS environment?

Attack scenario 1

[Figure: client (C), scheduler (S), a trusted compute host (CH) and a second compute host (CH), each running on its own hardware; a remote attacker (Ar) acts on the scheduler.]

Ar could schedule the VM instance to be launched on a compromised host.

Attack scenario 2

[Figure: client (C), scheduler (S) and three compute hosts (CH), one of them trusted, each running on its own hardware; a remote attacker (Ar) reaches the VM image before it is launched.]

Ar could compromise the VM image prior to launch.

Trusted VM launch protocol

Requirements:
• Ensure the VM image is launched on a trusted host.
• Ensure the client ends up communicating with the VM launched on a trusted CH, rather than with an arbitrary VM substituted by an attacker.
• The compute host verifies the integrity of the VM image before launching it.
• Minimum implementation footprint on the IaaS codebase.
• Transparent view of the secure launch procedures for the client.
Protocol: birds-eye view

[Figure: six numbered steps (1 to 6) exchanged between the client (C), the scheduler (S) and three compute hosts (CH), each on hardware (HW); the hardware of one host is shown with a TPM.]
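The slides give the requirements and a six-step picture but not the messages. As an added example, and not the protocol of the original work (whose message formats and step semantics are not on these slides), the following Python sketch models a launch flow that meets the requirements above and defeats both attack scenarios: the client generates a launch token and registers it together with the image hash at a trusted third party (TTP); the TTP releases the token only to a compute host whose reported PCR values match a reference set; the host refuses an image whose hash does not match what the client registered; and the client accepts only a VM that can present the token. The parties, PCR values, image bytes and the direct client-to-TTP call (standing in for encrypting the token to the TTP's public key) are assumptions made for the example; the AIK signature over the host's quote is not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference ("golden") PCR values for the known-good host software stack.
GOOD_PCRS = {0: sha256_hex(b"firmware-ok"), 4: sha256_hex(b"bootloader-ok"),
             10: sha256_hex(b"kernel+modules-ok")}
# Constructed VM image the client wants launched.
IMAGE = b"constructed guest image: kernel + rootfs for the sensitive workload"


@dataclass
class ComputeHost:
    name: str
    pcrs: Dict[int, str]                  # values the host's TPM would report in a quote
    image_store: Dict[str, bytes]         # image_id -> image bytes as fetched by this host
    launched: Dict[str, str] = field(default_factory=dict)  # vm_id -> token injected at launch


class TTP:
    """Trusted third party: keeps client tokens and releases them only to attested hosts."""

    def __init__(self, golden: Dict[int, str]):
        self.golden = golden
        self.pending: Dict[str, Tuple[str, str]] = {}   # launch_id -> (token, image hash)

    def register(self, launch_id: str, token: str, image_hash: str) -> None:
        self.pending[launch_id] = (token, image_hash)

    def attest_and_release(self, launch_id: str,
                           quoted_pcrs: Dict[int, str]) -> Optional[Tuple[str, str]]:
        # Assumption: the AIK signature on the quote is checked elsewhere; only the PCR policy is modelled.
        if any(quoted_pcrs.get(i) != v for i, v in self.golden.items()):
            return None                              # untrusted host: the token never leaves the TTP
        return self.pending.pop(launch_id, None)     # one-shot release to the attested host


def trusted_launch(image: bytes, image_id: str, ttp: TTP, chosen_host: ComputeHost) -> dict:
    """Steps 1-6 of the modelled launch; reports the stage at which a launch is refused."""
    launch_id, token = secrets.token_hex(8), secrets.token_hex(16)
    result = {"ok": False, "launch_id": launch_id, "token": token, "host": chosen_host.name}
    ttp.register(launch_id, token, sha256_hex(image))            # 1: client -> TTP (assumed secure channel)
    released = ttp.attest_and_release(launch_id, chosen_host.pcrs)  # 2-4: scheduled host attests to the TTP
    if released is None:
        return {**result, "stage": "attestation"}                 # attack scenario 1 stops here
    exp_token, exp_hash = released
    fetched = chosen_host.image_store.get(image_id, b"")
    if not hmac.compare_digest(sha256_hex(fetched), exp_hash):    # 5: host checks image integrity
        return {**result, "stage": "image-integrity"}             # attack scenario 2 stops here
    vm_id = f"vm-{launch_id}"
    chosen_host.launched[vm_id] = exp_token                       # token injected into the new VM
    return {**result, "ok": True, "stage": "launched", "vm": vm_id}


def client_verify(expected_token: str, vm_reply: str) -> bool:
    """6: the client accepts only a VM that can present the token (constant-time compare)."""
    return hmac.compare_digest(expected_token, vm_reply)
```

The property worth noticing is where the secret sits: the token is never handed to the scheduler or to an unattested host, so a host that fails attestation cannot fake a successful launch, and an image that was modified in transit is rejected by the host that would have to run it, before any guest code executes.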

Prototype implementation

• OpenStack cluster deployed on 3 TPM-equipped nodes.
• Code extensions:
  • Changes to the OpenStack launch procedure.
  • An OpenStack-TPM communication "glue" layer.
  • A trusted third party (TTP) that interprets the attestation information.
  • Client-side functionality: token generation and verification of the trusted launch.

Securing IaaS with InfraCloud:
The project

• Ongoing project in collaboration between Region Skåne, Ericsson Research and SICS.
• Aim: proof-of-concept design and deployment of one of the region's medical journaling systems in a hardened and trustworthy IaaS environment.
• Prototype implementation based on earlier research, as well as solutions to newly identified challenges.

Securing IaaS with InfraCloud:
The challenges

Numerous new research challenges have been identified already in the early stages of the project:

• Storage protection in untrusted IaaS environments.
• Verification and protection of a deployment's network configuration.
• Runtime VM instance protection (preventing memory dumping and cloning).
• Secure key handling mechanisms in untrusted IaaS deployments.
• Update and patch deployment on guest VM instances.
• Interpretation of TPM attestation data.

Conclusion

• Out-of-the-box public IaaS is probably not acceptable for most organizations handling sensitive data.
• A comprehensive solution for data protection in public IaaS environments has not been found yet.
• The SICS Secure Systems lab works on various aspects of guest protection in untrusted IaaS.
• Trusted computing technologies make it possible to address some of the IaaS security issues, e.g. by binding a VM launch to an attested host software stack.
• Participation in the InfraCloud project and practical application of the protocols reveal multiple new research challenges.

Lund security workshop_presentation

  • 1. How to Secure Infrastructure Clouds with Trusted Computing Technologies. Nicolae Paladi, Swedish Institute of Computer Science.
  • 2. Contents: 1. Infrastructure-as-a-Service; 2. Security challenges of IaaS; 3. Trusted Computing and TPM; 4. Trusted VM launch; 5. InfraCloud; 6. Future work.
  • 3. Infrastructure-as-a-Service. A 'cloud computing' service model (NIST:2011): provision processing, storage, networks; deploy and run arbitrary software; no control over the underlying cloud infrastructure; control over OS, storage, deployed applications; limited control of select networking components.
  • 4. Infrastructure-as-a-Service architectural overview. OpenStack architectural overview: https://wiki.openstack.org/wiki/ArchitecturalOverview
  • 5. Infrastructure-as-a-Service security issues. 2011: vulnerabilities in the AWS management console (XSS and XML wrapping attacks). (OpenStack architectural overview: https://wiki.openstack.org/wiki/ArchitecturalOverview)
  • 6. Infrastructure-as-a-Service security issues. 2011: vulnerabilities in the AWS management console (XSS and XML wrapping attacks). 2012: cross-VM side channels can be used to extract private keys. (OpenStack architectural overview: https://wiki.openstack.org/wiki/ArchitecturalOverview)
  • 7. Infrastructure-as-a-Service security issues. 2011: vulnerabilities in the AWS management console (XSS and XML wrapping attacks). 2012: cross-VM side channels can be used to extract private keys. 2012: Rackspace's "dirty disks". (OpenStack architectural overview: https://wiki.openstack.org/wiki/ArchitecturalOverview)
  • 9. Introducing the TPM. Trusted Platform Module v1.2 as specified by the TCG; v2.0 is currently under review. Tamper-evident. 16+ PCRs for volatile storage. Four operations: signing / binding / sealing / sealed-sign.
  • 10. Introducing the TPM: output. Produces integrity measurements of the firmware at boot time. Can produce integrity measurements of the loaded kernel modules (sample on the slide).
  • 11. Introducing the TPM: usage. Microsoft BitLocker; Google Chromium OS; Citrix XenServer; Oracle's X- and T-Series systems; HP ProtectTools; others.
  • 12. Securing IaaS environments with trusted computing: virtualization security; storage protection in IaaS environments; computing security in IaaS environments; remote host software integrity attestation; runtime host software integrity attestation; encryption key management in IaaS environments.
  • 13. Computing security in IaaS environments: problem setting. "Consumer is able to deploy and run arbitrary software, which can include operating systems and applications." The client can launch VMs for sensitive computations. Trusted VM launch: the correct VM is launched in an IaaS platform on a host with a known software stack, verified not to have been modified by malicious actors. IaaS security with trusted computing: how do we ensure a trusted VM launch in an untrusted IaaS environment?
  • 14. Attack scenario 1 (diagram: Client (C), Scheduler (S), Remote attacker (Ar), a trusted Compute Host and further Compute Hosts (CH), each on its own hardware). Ar could schedule the VM instance to be launched on a compromised host.
  • 15. Attack scenario 2 (diagram: Client (C), Scheduler (S), Remote attacker (Ar), a trusted Compute Host and further Compute Hosts (CH), each on its own hardware). Ar could compromise the VM image prior to launch.
  • 16. Trusted VM launch protocol. Ensure the VM image is launched on a trusted host. Ensure communication with the VM launched on a trusted CH rather than with a random VM. The compute host verifies the integrity of the VM image to be launched. Minimum implementation footprint on the IaaS codebase. Transparent view of the secure launch procedures.
  • 17. Protocol: bird's-eye view (diagram: six numbered steps exchanged between the Client (C), the Scheduler (S) and the TPM-equipped Compute Hosts (CH) on their hardware (HW)).
  • 18. Prototype implementation. OpenStack cluster deployed on 3 TPM-equipped nodes. Code extensions: changes to the OpenStack launch procedure; implementation of an OpenStack–TPM communication "glue"; implementation of a TTP (interpretation of attestation info); implementation of client-side functionality (token generation, trusted launch verification).
  • 19. Securing IaaS with InfraCloud: the project. Ongoing project in collaboration between Region Skåne, Ericsson Research and SICS. Aim: proof-of-concept design and deployment of one of the region's medical journaling systems in a hardened and trustworthy IaaS environment. Prototype implementation based on earlier research, as well as solutions to newly identified challenges.
  • 20. Securing IaaS with InfraCloud: the challenges. Numerous new research challenges have been identified already in the early stages of the project: storage protection in untrusted IaaS environments; verification and protection of a deployment's network configuration; runtime VM instance protection (preventing memory dumping and cloning); secure key handling mechanisms in untrusted IaaS deployments; update and patch deployment on guest VM instances; interpretation of TPM attestation data.
  • 21. Conclusion. Out-of-the-box public IaaS is probably not acceptable for most organizations handling sensitive data. A comprehensive solution for data protection in public IaaS environments has not been found yet. The SICS Secure Systems lab works on various aspects of guest protection in untrusted IaaS. Trusted Computing technologies make it possible to address some of the IaaS security issues. Participation in the InfraCloud project and practical application of the protocols reveal multiple new research challenges.
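The TPM behaviour that slides 9-10 describe (measurements extended into PCRs, sealing) and that the trusted VM launch of slides 13-16 relies on (a verifier checking that a compute host booted a known-good stack before a VM is placed on it) can be modelled in a few dozen lines. The following is an added example, not code from the presentation or from the InfraCloud project. It simulates a TPM 1.2 PCR bank and shows why a host from attack scenario 1 fails attestation. Assumptions: firmware is measured into PCR 0 and kernel modules into PCR 10 (the IMA convention); the component names, whitelist and attestation key are constructed for the example; a real TPM signs quotes with an AIK, which is stood in for by an HMAC key so the block runs offline.

```python
"""Simulated TPM 1.2 PCR bank: extend, seal/unseal and a nonce-bound quote.

Added example, not the presentation's or InfraCloud's code. The AIK is
modelled as an HMAC secret shared with the verifier (assumption); PCR 0 /
PCR 10 assignments follow the IMA convention (assumption).
"""
import hashlib
import hmac
import os

PCR_COUNT = 24        # TPM 1.2 mandates at least 16 PCRs; 24 is the usual bank size
PCR_SIZE = 20         # TPM 1.2 PCRs hold a SHA-1 digest
PCR_FIRMWARE = 0      # assumption: firmware measured into PCR 0
PCR_MODULES = 10      # assumption: kernel modules measured into PCR 10 (IMA)


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; stands in for a symmetric cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class SimTPM:
    """Minimal TPM model: a PCR bank plus extend, seal/unseal and quote."""

    def __init__(self, aik_secret: bytes):
        self.pcrs = [bytes(PCR_SIZE)] * PCR_COUNT  # all-zero at platform reset
        self._srk = os.urandom(32)   # stand-in for the Storage Root Key; never leaves the TPM
        self._aik = aik_secret       # stand-in for the Attestation Identity Key

    def extend(self, index: int, measurement: bytes) -> bytes:
        # PCR_Extend: new = SHA-1(old || SHA-1(measurement)); order-dependent,
        # and there is no way back except a platform reset.
        self.pcrs[index] = sha1(self.pcrs[index] + sha1(measurement))
        return self.pcrs[index]

    def composite(self, selection) -> bytes:
        """Digest over the selected PCRs, like a TPM composite hash."""
        return sha1(b"".join(self.pcrs[i] for i in sorted(selection)))

    def seal(self, data: bytes, selection) -> dict:
        # Wrapping key depends on the SRK secret and the PCR state at seal time.
        key = hashlib.sha256(self._srk + self.composite(selection)).digest()
        ct = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"selection": sorted(selection), "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        # Key is recomputed from the *current* PCRs, so any extra or different
        # measurement since sealing makes the tag check fail.
        key = hashlib.sha256(self._srk + self.composite(blob["selection"])).digest()
        tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PermissionError("PCR state differs from the state at seal time")
        return bytes(a ^ b for a, b in zip(blob["ct"], keystream(key, len(blob["ct"]))))

    def quote(self, selection, nonce: bytes) -> dict:
        """Attestation: report selected PCRs, signed together with the verifier's nonce."""
        values = {i: self.pcrs[i] for i in sorted(selection)}
        sig = hmac.new(self._aik, self.composite(selection) + nonce, hashlib.sha256).digest()
        return {"pcrs": values, "nonce": nonce, "sig": sig}


def boot(tpm: SimTPM, firmware: bytes, modules) -> None:
    """Measured boot: firmware into PCR 0, each loaded kernel module into PCR 10."""
    tpm.extend(PCR_FIRMWARE, firmware)
    for module in modules:
        tpm.extend(PCR_MODULES, module)


def verify_quote(q: dict, aik_secret: bytes, nonce: bytes, whitelist: dict) -> bool:
    """TTP-side check: fresh nonce, valid signature, every reported PCR on the whitelist."""
    if not hmac.compare_digest(q["nonce"], nonce):
        return False                               # replayed quote
    selection = sorted(q["pcrs"])
    composite = sha1(b"".join(q["pcrs"][i] for i in selection))
    expected = hmac.new(aik_secret, composite + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(q["sig"], expected):
        return False                               # not produced by this host's TPM
    return all(q["pcrs"][i] == whitelist.get(i) for i in selection)


def demo() -> dict:
    aik = b"constructed-aik-secret"
    firmware = b"firmware build 1.0"               # constructed measurements
    good_modules = [b"nf_conntrack.ko", b"ext4.ko", b"kvm.ko"]

    reference = SimTPM(aik)                        # whitelist from a reference boot
    boot(reference, firmware, good_modules)
    whitelist = {i: reference.pcrs[i] for i in (PCR_FIRMWARE, PCR_MODULES)}

    nonce = os.urandom(20)
    trusted = SimTPM(aik)
    boot(trusted, firmware, good_modules)
    trusted_ok = verify_quote(trusted.quote(whitelist, nonce), aik, nonce, whitelist)

    compromised = SimTPM(aik)                      # attack scenario 1: tampered host
    boot(compromised, firmware, good_modules + [b"unexpected.ko"])
    compromised_ok = verify_quote(compromised.quote(whitelist, nonce), aik, nonce, whitelist)

    blob = trusted.seal(b"vm-image-key", whitelist)  # released only in the good state
    unsealed = trusted.unseal(blob)
    trusted.extend(PCR_MODULES, b"late-loaded.ko")   # state changes afterwards
    try:
        trusted.unseal(blob)
        unseal_after_change = True
    except PermissionError:
        unseal_after_change = False
    return {"trusted_ok": trusted_ok, "compromised_ok": compromised_ok,
            "unsealed": unsealed, "unseal_after_change": unseal_after_change}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the launch protocol needs: the quote from the host that booted the approved stack verifies, the one from the host with an extra module does not, and a key sealed to the good state stops unsealing as soon as the PCRs move. The nonce is what prevents a compromised host from replaying an old, good quote; a production verifier would additionally check the AIK certificate chain and the full event log rather than a bare PCR whitelist.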