Abstract:
Today, locally managed computing infrastructures are giving way to shared cloud computing platforms. However, attacks on popular cloud service providers have demonstrated that we cannot blindly trust them to ensure a safe executing environment for their customers. The wide-spread deployment of commodity trusted computing (TC) hardware has made it possible to remotely verify system integrity by gathering information about a system’s configuration (e.g., loaded code and data) to ensure it satisfies expected requirements. The challenge is to design these popular services to be both secure and easily verified. Current verification approaches have focused on examining only a limited view of system integrity and are often too inefficient or inflexible to be practical.
In this talk, I will present novel methods of building, deploying, and verifying the integrity of virtualized and distributed systems similar to popular cloud platforms. First, I will describe a network-based installation technique called the root of trust for installation that leverages recent virtualization and TC hardware to establish a verifiable trusted installation environment, which was not previously possible. I will then introduce my recent work on a Cloud Verifier using an integrity verification proxy (IVP), an extensible monitoring framework that verifies system integrity on behalf of remote clients. Contrary to existing remote verification approaches, the IVP resides on a virtual machine host and monitors the runtime integrity of its hosted VMs through a combination of load time and VM introspection mechanisms. We validated a proof-of-concept IVP’s ability to verify a broad range of integrity requirements and found it imposes only minor overhead on the monitored VM’s performance.
Bio:
Joshua Schiffman is a Member of Technical Staff and Software Security Architect in the Security Architecture R&D group at Advanced Micro Devices, Inc. where he specializes in Virtualization, operating system security, and trusted hardware. He also represents AMD at several Trusted Computing Group and DHS Enduring Security Framework working groups. Schiffman received his PhD in Computer Science from Pennsylvania State University. His research interests include systems and virtualization security, trustworthy computing, and building verifiably secure cloud computing infrastructures. His research experience also spans the areas of networking, mobile phones, web applications, and databases.