Trusted Virtual Disk Images
Carlo Gebhardt, Allan Tomlinson
{c.gebhardt | allan.tomlinson}@rhul.ac.uk
Abstract
Many solutions have been proposed to raise the secu-
integrity Trusted Computing and in particular the
1 Introduction
security challenges and concerns also security concerns requires a sophisticated architecture based on solid
security principles as well as ongoing research.
malicious code on the image consumer.
The
trusted system.
2 Related Work
assurance virtual machine monitor by
trusted computing.
images.
images. This
-tems. Hardware based disk encryption on the other hand such as Intel’s Danbury are tightly bound to
operating
ments.
3 Background
3.1 Motivation
by the hosting environment to the guest system and represented as a physical hard-drive. The handling
-gitimate owner. As a result, an image could be manipulated or replaced completely. Thus sensitive data
malicious code injected and executed without the user’s awareness.
3.2 Assumptions
Trusted
Additionally, we utilise the trustworthy
model, as well as reducing the trusted code base.
3.3 Design Principles
an end-to-end basis and thus enable the image owner to stay in control over the image content through-
system as well to the user.
Our current trusted virtual disk image approach is based on the existing virtual disk image driver im-
represent lower privileged virtual machines.
Our design targets to a minimum.
3.4 Trusted Computing
-scribed by the Trusted Computing Group.
The
public key operations.
initial state and its input. Integrity measurements are stored in special purpose registers within the
was sealed.
bound to a single
security properties may be created by the
whereby an entity other than the
3.5 Driver model
As mentioned in section 3.3, we base our implementation on the existing blktap driver model. The
existing userspace tools and libraries, which minimises implementation overhead while at the same time retains compatibility.
4 Trusted Virtual Disk Images
4.1 Integrity Protection
operations in parallel.
4.1.1 Generating integrity metrics
Figure 1:
4.2 Checking Integrity
as libaio is used to write out the data.
. Existing libraries such
4.2.1 Checking integrity before operation
4.2.2 Checking integrity during operation
are consequently carried out by libcrypto.
4.2.3 Policy model
4.2.4 Recovery from integrity failure
changes to program code may render the virtual machine un-operational. To mitigate this issue a virtual
as
previous section.
4.3
potentially, insecure legacy storage and communication structures may be used.
4.4
Hypervisor, userspace control programs, libraries, etc. Hence the
be updated and sealed.
le. A small
changed. A large chunk size on the other hand would result in an increased execution time, as the
-ing hard-drive or
<sampleImage>
  <header>
    ...
    <SHA256>894f435gd ... fas32dag</SHA256>
    <EncryptionKey>3b23894f ... fce3bc95</EncryptionKey>
    <EncryptionAlgorithm>AES</EncryptionAlgorithm>
    <ChunkSize>16777216</ChunkSize>
    <ImageSize>536870912000</ImageSize>
    <NextFreeChunk>123</NextFreeChunk>
    <SnapshotVersion>2</SnapshotVersion>
  </header>
  ...
  <chunk.122>
    <SnapshotVersion>2</SnapshotVersion>
    <BlockAddress>00040000</BlockAddress>
    <ChunkPath>/sampleImage/chunk.122</ChunkPath>
    <SHA256>dc460da4ad72c ... 6899d54ef98b5</SHA256>
    ...
  </chunk.122>
</sampleImage>
Listing 1:
4.5 Trust Control
trusted virtual disk image implementation is correct and trustworthy. It will do so by measuring each
-chine is being moved.
5 Life cycle
5.1 Initialisation
at the same time it allows the image to dynamically grow during operation. However, it is still necessary operating
trusted computing sealing mecha-
5.2 Backup
sealing it to a -rity checks as integrity metrics may be outdated.
5.3 Migration
-sume a
machines to establish mutual trust and a secure link. During this phase the remote machine attests its state to the source machine, which will then decide whether the remote state is
5.4 Snapshots
to be taken during normal operation, thus while a virtualised guest is running. Chunks that do not hold
5.5 Deletion
6 Conclusion
trusted computing concepts to enhance security while at the same time applying those security properties -
age location or transport mechanism without compromising could be hosted over the internet.
attributes at all.
7 Future Work