DOI QR코드

DOI QR Code

DTSTM: Dynamic Tree Style Trust Measurement Model for Cloud Computing

  • Zhou, Zhen-Ji (Institute of Command Information System, PLA University of Science and Technology) ;
  • Wu, Li-Fa (Institute of Command Information System, PLA University of Science and Technology) ;
  • Hong, Zheng (Institute of Command Information System, PLA University of Science and Technology) ;
  • Xu, Ming-Fei (Institute of Command Information System, PLA University of Science and Technology) ;
  • Pan, Fan (Institute of Command Information System, PLA University of Science and Technology)
  • Received : 2013.09.01
  • Accepted : 2014.01.11
  • Published : 2014.01.30

Abstract

In cloud computing infrastructure, current virtual machine trust measurement methods have many shortcomings in dynamism, security and concurrency. In this paper, we present a new method to measure the trust of virtual machine. Firstly, we propose "behavior trace" to describe the state of virtual machine. Behavior trace is a sequence of behaviors. The measurement of behavior trace is conducted on the basis of anticipated trusted behavior, which not only ensures security of the virtual machine during runtime stage but also reduces complexity of the trust measurement. Based on the behavior trace, we present a Dynamic Tree Style Trust Measurement Model (DTSTM). In this model, the measurement of system domain and user domain is separated, which enhances the extensibility, security and concurrency of the measurement. Finally, based on System Call Interceptor (SCI) and Virtual Machine Introspection (VMI) technology, we implement a DTSTM prototype system for virtual machine trust measurement. Experimental results demonstrate that the system can effectively verify the trust of virtual machine and requires a relatively low performance overhead.

Keywords

References

  1. Top Threats to Cloud Computing. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
  2. Y. Chen, V. Paxson and R. H. Katz, "What's New About Cloud Computing Security," University of California, Berkeley, Tech, vol. 20, January, 2010.
  3. D. G. Feng, M. Zhang, Y. Zhang and Z Xu, "Study on cloud computing security," Journal of Software, vol. 22, no. 1, pp. 71-83, January, 2011. https://doi.org/10.3724/SP.J.1001.2011.03958
  4. N. Santos, K. Gummadi and R. Rodrigues, "Towards trusted cloud computing," in Proc. of the 2009 conference on Hot topics in cloud computing, September, 2009.
  5. J. K. Frank, "Private virtual infrastructure for cloud computing," in Proc. of the 2009 conference on Hot topics in cloud computing, September, 2009.
  6. J. Schiffman, T. Moyer, H. Vijayakumar, T. Jaeger and P. McDaniel, "Seeding clouds with trust anchors," in Proc. of the 2010 ACM workshop on Cloud computing security workshop, pp. 43-46, October, 2010.
  7. R. Neisse, D. Holling and A. Pretschner, "Implementing trust in cloud infrastructures," in proc. of 11th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 524-533 , May, 2011.
  8. S. Butt, C. H. Lagar, A. Srivastava and V. Ganapathy, "Self-service cloud computing," in Proc. of the 2012 ACM conference on Computer and communications security, pp. 253-264, October, 2012.
  9. N. Santos, R. Rodrigues, K. Gummadi and S. Saroiu, "Policy-sealed data: A new abstraction for building trusted cloud services," in Proc. of the 2012 USENIX Security, August, 2012.
  10. TCG Specification Architecture Overview. https://www.trustedcomputinggroup.org/
  11. R. Perez, R. Sailer and L. Van-Doorn, "vTPM: Virtualizing the Trusted Platform Module," in Proc. of the 15th USENIX Security Symposium, pp. 305-320, July, 2006.
  12. T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum and D. Boneh, "Terra: A Virtual Machine-Based Platform for Trusted Computing," ACM SIGOPS Operating System Review, vol. 37, no. 5, pp. 193-206, October, 2003. https://doi.org/10.1145/1165389.945464
  13. E. Shi, A. Perrig and L. V. Doorn, "BIND: A Fine-Grained Attestation Service for Secure Distributed Systems," in Proc. of the 2005 IEEE Symposium on Security and Privacy, pp. 154-168, May, 2005.
  14. S. Berger, R. Caceres, D. Pendarakis, R. Sailer, E. Valdez, R. Perez, W. Schildhauer and D. Srinivasan, "TVDc: managing security in the trusted virtual datacenter," ACM SIGOPS Operating Systems Review, vol. 42, no. 1, pp. 40-47, January, 2008. https://doi.org/10.1145/1341312.1341321
  15. S. Reiner, X. L. Zhang, T. Jaeger and L. Van-Doorn, "Design and implementation of a TCG-based integrity measurement architecture," in Proc. of the 13th USENIX Security Symposium, pp. 16-32, August, 2004.
  16. A. Sadeghi and C. Stble, "Property-based attestation for computing platforms: caring about properties, not mechanisms," in Proc. of the 2004 workshop on New security paradigms, pp. 67-77, September, 2004.
  17. L. Chen, R. Landfermann, H. Loehr, M. Rohe, A. Sadeghi and C. Stble, "A Protocol for Property-Based Attestation," in Proc. of the 1st ACM Workshop on Scalable Trusted Computing, pp. 7-16, November, 2006.
  18. J. McCune, B. Parno, A. Perrig, M. Reiter and H. Isozaki, "Flicker: An Execution Infrastructure for TCB Minimization," ACM SIGOPS Operation System Review, vol. 42, no. 4, pp. 315-328, April, 2008. https://doi.org/10.1145/1357010.1352625
  19. J. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor and A. Perrig, "TrustVisor: Efficient TCB Reduction and Attestation," in Proc. of the 2010 IEEE Symposium on Security and Privacy, pp. 143-158, May, 2010.
  20. D. G. Feng and Y. Qin, "Research on Attestation Method for Trust Computing Environment," Chinese Journal of Computers, vol. 31, no. 9, pp. 1640-1652, September, 2008.
  21. N. Petroni and T. Fraser, "Copilot-A coprocessor-based kernel runtime integrity monitor," in Proc. of the 13th conference on USENIX Security Symposium, pp. 179-194, August, 2004.
  22. B. Zhao, H. G. Zhang, J. Li and S. Wen, "The system architecture and security structure of trusted PDA," Chinese Journal of Computers, vol. 31, no.1, pp. 82-93, January, 2010.
  23. W. Sam, A. Paul and P. Amit, "A software flaw taxonomy: aiming tools at security," in Proc. of the 2005 workshop on Software Engineering for secure system, pp. 1-7, January, 2005.
  24. A. Dinaburg, P. Royal, M. Sharif and W. Lee, "Ether: Malware analysis via hardware virtualization extensions," in Proc. of the 15th ACM conference on Computer and Communication Security, pp. 51-62, October, 2008.
  25. T. Garfinkel and M. Rosemblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection," in Proc. of the 2003 Network and Distributed Systems Security Symposium, pp. 191-206, February, 2003.
  26. LibVMI. https://code.google.com/p/vmitools/
  27. Poison ivy - remote administration tool. http://www.poisonivy-rat.com/
  28. Hacker defender. http://en.pudn.com/download46/sourcecode/hack/detail154363_en.html
  29. Linux rootkit 5. http://www.ussrback.com/UNIX/penetration/rootkits/
  30. Adore-ng rootkit. http://stealth.openwall.net/rootkits/
  31. T. Jaeger, R. Sailer and U. Shankar, "PRIMA: policy-reduced integrity measurement architecture," in Proc. of the 11th ACM Symposium on Access Control Models, pp.19-28, June, 2005.