How to Secure Infrastructure Clouds with Trusted Computing Technologies

Nicolae Paladi

Swedish Institute of Computer Science

Contents

1. Infrastructure-as-a-Service
2. Security challenges of IaaS
3. Trusted Computing and TPM
4. Trusted VM launch
5. InfraCloud
6. Future work



Infrastructure-as-a-Service
• A 'cloud computing' service model (NIST:2011):
  - Provision processing, storage, networks.
  - Deploy and run arbitrary software.
  - No control over underlying cloud infrastructure.
  - Control over OS, storage, deployed applications.
  - Limited control of select networking components.

Infrastructure-as-a-Service architectural overview
(Figure: OpenStack architectural overview, https://wiki.openstack.org/wiki/ArchitecturalOverview)

Infrastructure-as-a-Service security issues
(Figure: OpenStack architectural overview, https://wiki.openstack.org/wiki/ArchitecturalOverview, annotated with the incidents below.)

• 2011: Vulnerabilities in the AWS management console (XSS and XML wrapping attacks).
• 2012: Cross-VM side channels can be used to extract private keys.
• 2012: Rackspace's "dirty disks".




Can we help it?


Introducing the TPM
• Trusted Platform Module v1.2 as specified by the TCG.
• v2.0 is currently under review.
• Tamper-evident.
• 16+ PCRs for volatile storage.
• Four operations: Signing / Binding / Sealing / Sealed-sign.


Introducing the TPM: output
• Produces integrity measurements of the firmware at boot time.
• Can produce integrity measurements of the loaded kernel modules (sample output shown on the slide).
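To make the measurement mechanism behind these two slides concrete, here is an added Python example (not code from the talk, from SICS or from any TPM stack) that models the TPM 1.2 PCR extend operation, replays a measurement log and checks it the way an attestation verifier such as the TTP mentioned later in the deck would. The boot components, the PCR assignments and the known-good list are constructed sample data; the only real detail assumed is that a TPM 1.2 PCR is a 20-byte SHA-1 register that starts zeroed and only changes through extend.

```python
import hashlib

# Model of TPM 1.2 integrity measurement, written for this page (not the talk's code).
# A PCR is a 20-byte SHA-1 register that starts at all zeros and can only change via
#     PCR_new = SHA1(PCR_old || SHA1(component))
# Measured boot extends a PCR per component; the event log records what was measured.
PCR_SIZE = 20


def measure(component: bytes) -> bytes:
    """Digest of a component as it would be measured before being handed control."""
    return hashlib.sha1(component).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """One TPM extend step; the PCR cannot be set directly, only extended."""
    if len(pcr_value) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("TPM 1.2 PCRs and measurements are 20-byte SHA-1 digests")
    return hashlib.sha1(pcr_value + digest).digest()


def replay_log(event_log):
    """Recompute PCR values from an event log of (pcr_index, component_bytes) entries."""
    pcrs = {}
    for index, component in event_log:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), measure(component))
    return pcrs


def verify_attestation(reported_pcrs, event_log, known_good_digests):
    """What a verifier does with attestation data:
    1. the (untrusted) log must replay to exactly the PCR values the TPM reported;
    2. every component named in the log must be a known-good one.
    Returns (accepted, reasons)."""
    reasons = []
    replayed = replay_log(event_log)
    for index, value in sorted(reported_pcrs.items()):
        if replayed.get(index) != value:
            reasons.append(f"PCR[{index}] does not match the replayed event log")
    for index, component in event_log:
        digest = measure(component)
        if digest not in known_good_digests:
            reasons.append(f"PCR[{index}]: unknown component with digest {digest.hex()}")
    return not reasons, reasons


# Constructed sample boot chain: stand-ins for firmware, boot loader, kernel and a kernel module.
GOOD_CHAIN = [(0, b"firmware v1.0"), (4, b"bootloader v2.3"), (8, b"kernel 3.2"), (8, b"module: kvm")]
KNOWN_GOOD = {measure(component) for _, component in GOOD_CHAIN}


def demo():
    good_pcrs = replay_log(GOOD_CHAIN)  # what a clean host's TPM would report
    # Host whose kernel module was replaced: the TPM faithfully extends the modified module,
    # so log and PCRs agree, but the component is not on the known-good list.
    tampered_chain = GOOD_CHAIN[:-1] + [(8, b"module: kvm (modified)")]
    tampered_pcrs = replay_log(tampered_chain)
    # Extend order matters: the same components in another order yield a different PCR[8].
    reordered = replay_log([(8, b"module: kvm"), (8, b"kernel 3.2")])
    return {
        "clean": verify_attestation(good_pcrs, GOOD_CHAIN, KNOWN_GOOD),
        "tampered_component": verify_attestation(tampered_pcrs, tampered_chain, KNOWN_GOOD),
        # Host presents the clean log but its real PCRs are the tampered ones: replay disagrees.
        "forged_log": verify_attestation(tampered_pcrs, GOOD_CHAIN, KNOWN_GOOD),
        "order_matters": reordered[8] != good_pcrs[8],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two rejection paths are the ones a verifier cares about: a consistent log naming an unknown component (the host really is running something else) and an inconsistent log (someone replaced the log, but could not change what the TPM reports). Because extend is a hash chain, neither the order of measurements nor a single component can be altered without changing the final PCR value.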


Introducing the TPM: usage
• Microsoft BitLocker
• Google Chromium OS
• Citrix XenServer
• Oracle's X- and T-Series Systems
• HP ProtectTools
• Others


Securing IaaS environments with trusted computing
• Virtualization security.
• Storage protection in IaaS environments.
• Computing security in IaaS environments.
• Remote host software integrity attestation.
• Runtime host software integrity attestation.
• Encryption key management in IaaS environments.


Computing security in IaaS environments: Problem Setting
• "Consumer is able to deploy and run arbitrary software, which can include operating systems and applications."
  - Client can launch VMs for sensitive computations.
  - Trusted VM launch – the correct VM is launched in an IaaS platform on a host with a known software stack, verified not to have been modified by malicious actors.
  - IaaS security with trusted computing.
  - How do we ensure a trusted VM launch in an untrusted IaaS environment?



Attack scenario 1
(Diagram: Client (C); Scheduler (S) with a Remote attacker (Ar); a Trusted Compute Host and further Compute Hosts (CH), each running on Hardware.)
Ar could schedule the VM instance to be launched on a compromised host.



Attack scenario 2
(Diagram: Client (C); Scheduler (S) with a Remote attacker (Ar); a Trusted Compute Host and further Compute Hosts (CH), each running on Hardware.)
Ar could compromise the VM image prior to launch.


Trusted VM launch protocol

• Ensure the VM image is launched on a trusted host.
• Ensure communication with the VM launched on a trusted CH rather than with a random VM.
• Compute host to verify the integrity of the VM image to be launched.
• Minimum implementation footprint on the IaaS codebase.
• Transparent view of the secure launch procedures.

Protocol: birds-eye view
(Diagram: six numbered steps exchanged between the Client (C), the Scheduler (S) and the Compute Hosts (CH); each CH runs on hardware (HW), the selected one on HW + TPM.)
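The following Python model is an added example, not the authors' protocol or the prototype's code, of how the goals listed above can be enforced between the parties named in the talk (Client C, Scheduler S, Compute Host CH, and a TTP that interprets attestation data). The message contents, the way the six steps are assigned here, the HMAC-based stand-in for a TPM quote and the token-release rule are assumptions made for illustration. It runs the honest launch and both attack scenarios from the preceding slides, plus the variant in which a compromised host tries to report a clean software stack.

```python
import hashlib
import hmac
import secrets

# Simplified trusted-launch model written for this page; not the talk's protocol or prototype.
# Party names follow the slides (C, S, CH, TTP). Message contents, the HMAC stand-in for a TPM
# quote and the token-release rule are assumptions made for illustration.

GOOD_PCRS = {0: "firmware-ok", 4: "bootloader-ok", 8: "hypervisor-ok"}  # constructed known-good stack


def quote_message(nonce: bytes, pcrs: dict) -> bytes:
    # Canonical form of what the (simulated) TPM signs: verifier nonce plus PCR values.
    return nonce + repr(sorted(pcrs.items())).encode()


class SimTPM:
    """Stand-in for the host TPM: PCR values plus an attestation key that host software cannot read."""
    def __init__(self, pcrs: dict):
        self.pcrs, self._aik = dict(pcrs), secrets.token_bytes(32)

    def quote(self, nonce: bytes):
        return dict(self.pcrs), hmac.new(self._aik, quote_message(nonce, self.pcrs), "sha256").digest()

    def verifier_key(self) -> bytes:
        return self._aik  # handed to the TTP at enrolment (models registering the host's AIK)


class TTP:
    """Trusted third party: checks attestation data and releases the client's token only on success."""
    def __init__(self, known_good: dict):
        self.known_good, self.hosts, self.pending, self.nonces = known_good, {}, {}, {}

    def enroll_host(self, host_id: str, key: bytes) -> None:
        self.hosts[host_id] = key

    def register_launch(self, image_hash: str, token: bytes) -> str:
        # Step 1: C deposits the expected image hash and its secret token under a request id.
        request_id = secrets.token_hex(8)
        self.pending[request_id] = (image_hash, token)
        return request_id

    def challenge(self, request_id: str) -> bytes:
        # Fresh nonce per request, so a quote recorded during an earlier boot cannot be replayed.
        self.nonces[request_id] = secrets.token_bytes(16)
        return self.nonces[request_id]

    def release_token(self, request_id, host_id, pcrs, sig, image_hash):
        expected_hash, token = self.pending[request_id]
        nonce, key = self.nonces.pop(request_id, None), self.hosts.get(host_id)
        if key is None or nonce is None:
            return None, "unknown compute host or missing challenge"
        if not hmac.compare_digest(hmac.new(key, quote_message(nonce, pcrs), "sha256").digest(), sig):
            return None, "quote signature invalid"
        if pcrs != self.known_good:
            return None, "host software stack not in known-good configuration"
        if image_hash != expected_hash:
            return None, "VM image hash differs from the client's request"
        del self.pending[request_id]
        return token, "ok"


class ComputeHost:
    def __init__(self, host_id: str, tpm: SimTPM, image: bytes, forges_pcrs: bool = False):
        self.host_id, self.tpm, self.image, self.forges_pcrs = host_id, tpm, image, forges_pcrs

    def launch(self, request_id: str, ttp: TTP):
        # Steps 3-5: CH hashes the image it will boot, obtains a fresh quote and asks the TTP for the token.
        pcrs, sig = self.tpm.quote(ttp.challenge(request_id))
        if self.forges_pcrs:  # compromised host software reports a clean stack, but the TPM never signed that
            pcrs = dict(GOOD_PCRS)
        image_hash = hashlib.sha256(self.image).hexdigest()
        token, reason = ttp.release_token(request_id, self.host_id, pcrs, sig, image_hash)
        return (None if token is None else {"image": self.image, "token": token}), reason


def trusted_launch(client_image: bytes, chosen_host: ComputeHost, ttp: TTP):
    """Client side: generate a token, request the launch, accept only a VM that presents that token."""
    token = secrets.token_bytes(32)
    request_id = ttp.register_launch(hashlib.sha256(client_image).hexdigest(), token)
    vm, reason = chosen_host.launch(request_id, ttp)  # step 2: the CH chosen by S, possibly attacker-influenced
    if vm is None:
        return False, reason
    return hmac.compare_digest(vm["token"], token), "ok"  # step 6: C only talks to the VM holding its token


def run_scenarios() -> dict:
    image = b"constructed VM image bytes"
    ttp = TTP(GOOD_PCRS)
    modified = {**GOOD_PCRS, 8: "hypervisor-modified"}
    hosts = {
        "honest": ComputeHost("ch-1", SimTPM(GOOD_PCRS), image),
        "scenario1_compromised_host": ComputeHost("ch-2", SimTPM(modified), image),
        "scenario1_host_forges_pcrs": ComputeHost("ch-3", SimTPM(modified), image, forges_pcrs=True),
        "scenario2_modified_image": ComputeHost("ch-4", SimTPM(GOOD_PCRS), image + b" altered before launch"),
    }
    for host in hosts.values():
        ttp.enroll_host(host.host_id, host.tpm.verifier_key())
    return {name: trusted_launch(image, host, ttp) for name, host in hosts.items()}


if __name__ == "__main__":
    print(run_scenarios())
```

The design point the model makes is that the client never has to trust the scheduler's choice of host: the secret token is released only by the TTP, only after the host's TPM-signed PCR values match the known-good configuration and the image the host is about to boot hashes to what the client requested, and the client then accepts only a VM that can present that token. A compromised host can neither pass the configuration check nor forge a quote for PCR values its TPM does not hold.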




Prototype implementation
• OpenStack cluster deployed on 3 TPM-equipped nodes.
• Code extensions:
  - Changes to the OpenStack launch procedure.
  - Implementation of an OpenStack–TPM communication "glue".
  - Implementation of a TTP (interpretation of attestation info).
  - Implementation of client-side functionality (token generation, trusted launch verification).



Securing IaaS with InfraCloud: The project
• Ongoing project in collaboration between Region Skåne, Ericsson Research and SICS.
• Aim: proof-of-concept design and deployment of one of the region's medical journaling systems in a hardened and trustworthy IaaS environment.
• Prototype implementation based on earlier research, as well as solutions to newly identified challenges.



Securing IaaS with InfraCloud: The challenges
Numerous new research challenges have been identified already in the early stages of the project:

• Storage protection in untrusted IaaS environments.
• Verification and protection of a deployment's network configuration.
• Runtime VM instance protection (prevent memory dumping, cloning).
• Secure key handling mechanisms in untrusted IaaS deployments.
• Update and patch deployment on guest VM instances.
• Interpretation of TPM attestation data.



Conclusion
• Out-of-the-box public IaaS is probably not acceptable for most organizations handling sensitive data.
• A comprehensive solution for data protection in public IaaS environments has not been found yet.
• The SICS Secure Systems lab works with various aspects of guest protection in untrusted IaaS.
• Trusted Computing technologies make it possible to address some of the issues with IaaS security.
• Participation in the InfraCloud project and practical application of protocols reveal multiple new research challenges.

Lund security workshop_presentation

  • 1. How to Secure Infrastructure Clouds with Trusted Computing Technologies Nicolae Paladi Swedish Institute of Computer Science
  • 2. 2 Contents 1. Infrastructure-as-a-Service 2. Security challenges of IaaS 3. Trusted Computing and TPM 4. Trusted VM launch 5. InfraCloud 6. Future work
  • 3. 3 Infrastructure-as-a-Service • A 'cloud computing' service model (NIST:2011): - Provision processing, storage, networks. - Deploy and run arbitrary software. - No control over underlying cloud infrastructure. - Control over OS, storage, deployed applications. - Limited control of select networking components.
  • 4. 4 Infrastructure-as-a-Service architectural overview OpenStack architectural overview https://wiki.openstack.org/wiki/ArchitecturalOverview
  • 5. 5 Infrastructure-as-a-Service security issues - 2011: Vulnerabilities in the AWS management console (XSS and XML wrapping attacks). OpenStack architectural overview https://wiki.openstack.org/wiki/ArchitecturalOverview
  • 6. 6 Infrastructure-as-a-Service security issues - 2011: Vulnerabilities in the AWS management console (XSS and XML wrapping attacks). - 2012: Cross-VM side channels can be used to extract private keys. OpenStack architectural overview https://wiki.openstack.org/wiki/ArchitecturalOverview
  • 7. 7 Infrastructure-as-a-Service security issues - 2011: Vulnerabilities in the AWS management console (XSS and XML wrapping attacks). - 2012: Cross-VM side channels can be used to extract private keys. - 2012: Rackspace’s “dirty disks”. OpenStack architectural overview https://wiki.openstack.org/wiki/ArchitecturalOverview
  • 9. 9 Introducing the TPM - Trusted Platform Module v1.2 as specified by the TCG. - v2.0 is currently under review. - Tamper-evident. - 16+ PCRs for volatile storage. - Four operations: Signing / Binding / Sealing / Sealed-sign.
  • 10. 10 Introducing the TPM: output • Produces integrity measurements of the firmware at boot time. - Can produce integrity measurements of the loaded kernel modules (sample below).
  • 11. 11 Introducing the TPM: usage • Microsoft BitLocker • Google Chromium OS • Citrix XenServer • Oracle’s X- and T-Series Systems • HP ProtectTools • Others
  • 12. 12 Securing IaaS environments with trusted computing • Virtualization security. • Storage protection in IaaS environments. • Computing security in IaaS environments. • Remote host software integrity attestation. • Runtime host software integrity attestation. • Encryption key management in IaaS environments.
  • 13. 13 Computing security in IaaS environments: Problem Setting • “Consumer is able to deploy and run arbitrary software, which can include operating systems and applications.” - Client can launch VMs for sensitive computations. - Trusted VM launch – the correct VM is launched in an IaaS platform on a host with a known software stack verified to not have been modified by malicious actors. - IaaS security with trusted computing. - How do we ensure a trusted VM launch in an untrusted IaaS environment?
  • 14. 14 Attack scenario 1 (diagram: Client (C), Remote attacker (Ar), Scheduler (S), three Compute Hosts (CH) on Hardware, one of them Trusted). Ar could schedule the VM instance to be launched on a compromised host.
  • 15. 15 Attack scenario 2 (diagram: Client (C), Remote attacker (Ar), Scheduler (S), three Compute Hosts (CH) on Hardware, one of them Trusted). Ar could compromise the VM image prior to launch.
  • 16. 16 Trusted VM launch protocol • Ensure VM image launched on a trusted host. • Ensure communication with VM launched on a trusted CH rather than a random VM. • Compute host to verify the integrity VM image to be launched. • Minimum implementation footprint on the IaaS codebase. • Transparent view of the secure launch procedures.
  • 17. Protocol: bird's-eye view (diagram: Client (C), Scheduler (S), three Compute Hosts (CH) on Hardware (HW) with TPM; protocol steps 1 to 6 exchanged between them).
  • 18. 18 Prototype implementation • OpenStack cluster deployed on 3 nodes (TPM-equipped) • Code extensions: • Changes OpenStack launch procedure. • Implementation of an OpenStack–TPM communication “glue”. • Implementation of a TTP (interpretation of attestation info) • Implementation of client-side functionality (token generation, trusted launch verification).
  • 19. 19 Securing IaaS with InfraCloud: The project • Ongoing project in collaboration between Region Skåne, Ericsson Research and SICS. • Aim: proof of concept design and deployment of one of the region’s medical journaling systems in a hardened and trustworthy IaaS environment. • Prototype implementation based on earlier research, as well as solutions to newly identified challenges.
  • 20. 20 Securing IaaS with InfraCloud: The challenges Numerous new research challenges have been identified already in the early stages of the project: • Storage protection in untrusted IaaS environments. • Verification and protection of a deployment’s network configuration. • Runtime VM instance protection (prevent memory dumping, cloning). • Secure key handling mechanisms in untrusted IaaS deployments. • Update and patch deployment on guest VM instances. • Interpretation of TPM attestation data.
  • 21. 21 Conclusion • Out-of-the-box public IaaS probably not acceptable for most organizations handling sensitive data. • A comprehensive solution for data protection in public IaaS environments has not been found yet. • SICS Secure Systems lab works with various aspects of guest protection in untrusted IaaS. • Trusted Computing Technologies allow to address some of the issues with IaaS security. • Participation in the InfraCloud project and practical application of protocols reveal multiple new research challenges.
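As an added example that is not part of the slide deck or of the SICS prototype, the following Python script simulates the measured-boot PCR extend from slides 9 and 10 and the trusted VM launch flow of slides 13 to 18 (client-generated token, TTP interpretation of the host's attestation, host-side image verification), refusing both attack scenarios. The component names, image bytes, step ordering and the use of a TTP-released token in place of TPM binding are assumptions; the real protocol messages are not shown on the page.

```python
import hashlib
import hmac
import os

# Constructed measurement log of a known-good compute host (hypothetical component names).
TRUSTED_STACK = ["bios-1.4", "bootloader-2.0", "kernel-3.2", "kvm.ko", "nova-compute"]

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(measurement)); order matters."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measure_stack(components) -> bytes:
    """Simulate measured boot: fold each loaded component into one 20-byte PCR."""
    pcr = bytes(20)  # PCRs are all-zero at power-on
    for name in components:
        pcr = pcr_extend(pcr, name.encode())
    return pcr

GOLDEN_PCR = measure_stack(TRUSTED_STACK)  # value the TTP expects from a trusted host

def trusted_launch(image: bytes, delivered_image: bytes, host_stack):
    """Simulated trusted VM launch (assumed flow). Returns (outcome, token the client
    generated, token the launched VM presents); the tokens match only on success."""
    # 1. Client: pin the intended image by hash and mint a fresh per-launch token.
    expected_hash = hashlib.sha256(image).digest()
    client_token = os.urandom(16)
    # 2. Client hands the request (expected hash + token) to the TTP; the
    #    scheduler (S) picks a compute host (CH), possibly a compromised one.
    # 3. CH reports its PCR value (a TPM quote, simulated here without a signature).
    quote = measure_stack(host_stack)
    # 4. TTP interprets the attestation: a wrong PCR means a modified software
    #    stack, so the token is never released to that host (attack scenario 1).
    if not hmac.compare_digest(quote, GOLDEN_PCR):
        return "refused: untrusted host", client_token, None
    # 5. Trusted CH checks that the image it is about to boot is the one the
    #    client requested (attack scenario 2: image altered prior to launch).
    if not hmac.compare_digest(hashlib.sha256(delivered_image).digest(), expected_hash):
        return "refused: image tampered", client_token, None
    # 6. CH injects the released token into the VM; the client compares it with
    #    its own copy to confirm it talks to the VM launched via this path.
    vm_token = client_token
    return "launched", client_token, vm_token

if __name__ == "__main__":
    img = b"constructed VM image bytes"
    print(trusted_launch(img, img, TRUSTED_STACK)[0])                          # launched
    print(trusted_launch(img, img, TRUSTED_STACK + ["unknown-module.ko"])[0])  # refused: untrusted host
    print(trusted_launch(img, img + b"modified", TRUSTED_STACK)[0])            # refused: image tampered
```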