http://dx.doi.org/10.3837/tiis.2014.01.018

DTSTM: Dynamic Tree Style Trust Measurement Model for Cloud Computing

Zhou, Zhen-Ji (Institute of Command Information System, PLA University of Science and Technology)
Wu, Li-Fa (Institute of Command Information System, PLA University of Science and Technology)
Hong, Zheng (Institute of Command Information System, PLA University of Science and Technology)
Xu, Ming-Fei (Institute of Command Information System, PLA University of Science and Technology)
Pan, Fan (Institute of Command Information System, PLA University of Science and Technology)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), vol. 8, no. 1, 2014, pp. 305-325
Abstract
In cloud computing infrastructures, current virtual machine trust measurement methods have many shortcomings in dynamism, security and concurrency. In this paper, we present a new method to measure the trust of a virtual machine. First, we propose the "behavior trace" to describe the state of a virtual machine. A behavior trace is a sequence of behaviors. The measurement of a behavior trace is conducted on the basis of anticipated trusted behavior, which not only ensures the security of the virtual machine during the runtime stage but also reduces the complexity of the trust measurement. Based on the behavior trace, we present a Dynamic Tree Style Trust Measurement Model (DTSTM). In this model, the measurement of the system domain and the user domain is separated, which enhances the extensibility, security and concurrency of the measurement. Finally, based on System Call Interceptor (SCI) and Virtual Machine Introspection (VMI) technology, we implement a DTSTM prototype system for virtual machine trust measurement. Experimental results demonstrate that the system can effectively verify the trust of a virtual machine and requires a relatively low performance overhead.
Keywords
trust measurement; trusted computing; cloud computing; virtual machine; behavior trace