Future of Trust in Computing || Trusted Virtual Disk Images

Post on 08-Dec-2016


Trusted Virtual Disk Images

Carlo Gebhardt, Allan Tomlinson

{c.gebhardt | allan.tomlinson}@rhul.ac.uk

Abstract

Many solutions have been proposed to raise the secu-

integrity Trusted Computing and in particular the

1 Introduction


security challenges and concerns also security concerns requires a sophisticated architecture based on solid

security principles as well as ongoing research.

malicious code on the image consumer.

The

trusted system.

2 Related Work

assurance virtual machine monitor by

trusted computing.

images.

images. This

-tems. Hardware-based disk encryption, on the other hand, such as Intel’s Danbury, is tightly bound to

operating


ments.

3 Background

3.1 Motivation

by the hosting environment to the guest system and represented as a physical hard-drive. The handling

-gitimate owner. As a result, an image could be manipulated or replaced completely. Thus sensitive data

malicious code injected and executed without the user’s awareness.

3.2 Assumptions

Trusted

Additionally, we utilise the trustworthy

model, as well as reducing the trusted code base.

3.3 Design Principles

an end-to-end basis and thus enable the image owner to stay in control over the image content through-

system as well to the user.

Our current trusted virtual disk image approach is based on the existing virtual disk image driver im-

represent lower privileged virtual machines.


Our design targets to a minimum.

3.4 Trusted Computing

-scribed by the Trusted Computing Group.

The

public key operations.


initial state and its input. Integrity measurements are stored in special purpose registers within the

was sealed.

bound to a single

security properties may be created by the

whereby an entity other than the

3.5 Driver model

As mentioned in section 3.3, we base our implementation on the existing blktap driver model. The

existing userspace tools and libraries, which minimises implementation overhead while at the same time maintaining compatibility.

4 Trusted Virtual Disk Images

4.1 Integrity Protection

operations in parallel.


4.1.1 Generating integrity metrics


Figure 1:

4.2 Checking Integrity

. Existing libraries such as libaio are used to write out the data.

4.2.1 Checking integrity before operation

4.2.2 Checking integrity during operation

are consequently carried out by libcrypto.

4.2.3 Policy model


4.2.4 Recovery from integrity failure

changes to program code may render the virtual machine inoperable. To mitigate this issue a virtual

as

previous section.


4.3 -

potentially, insecure legacy storage and communication structures may be used.

4.4 -


Hypervisor, userspace control programs, libraries, etc. Hence the

be updated and sealed.

le. A small

changed. A large chunk size on the other hand would result in an increased execution time, as the

-ing hard-drive or

<sampleImage>
  <header>
    ...
    <SHA256>894f435gd ... fas32dag</SHA256>
    <EncryptionKey>3b23894f ... fce3bc95</EncryptionKey>
    <EncryptionAlgorithm>AES</EncryptionAlgorithm>
    <ChunkSize>16777216</ChunkSize>
    <ImageSize>536870912000</ImageSize>
    <NextFreeChunk>123</NextFreeChunk>
    <SnapshotVersion>2</SnapshotVersion>
  </header>
  ...
  <chunk.122>
    <SnapshotVersion>2</SnapshotVersion>
    <BlockAddress>00040000</BlockAddress>
    <ChunkPath>/sampleImage/chunk.122</ChunkPath>
    <SHA256>dc460da4ad72c ... 6899d54ef98b5</SHA256>
    ...
  </chunk.122>
</sampleImage>

Listing 1:
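As an added illustration (not code from the paper or its blktap implementation), the following Python models the chunked integrity metadata of Listing 1: it splits an image into fixed-size chunks, records one SHA256 metric per chunk, and performs both the whole-image check before operation (4.2.1) and the per-chunk check on access (4.2.2). The chunk size and image bytes are constructed demo values, and it is an assumption here that the header SHA256 covers the concatenated chunk metrics.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed demo values: 64-byte chunks and a 512-byte image stand in for
# the 16 MiB chunks and 500 GiB image shown in Listing 1.
CHUNK_SIZE = 64
IMAGE = bytes(range(256)) * 2

def chunk_hashes(image, chunk_size=CHUNK_SIZE):
    """Split the image into fixed-size chunks and compute one SHA256 metric per chunk."""
    return [hashlib.sha256(image[i:i + chunk_size]).hexdigest()
            for i in range(0, len(image), chunk_size)]

def build_metadata(image, chunk_size=CHUNK_SIZE):
    """Emit a Listing-1-style document: a header plus one <chunk.N> element per chunk.
    Assumption: the header SHA256 is taken over the concatenated chunk metrics."""
    metrics = chunk_hashes(image, chunk_size)
    root = ET.Element("sampleImage")
    header = ET.SubElement(root, "header")
    ET.SubElement(header, "SHA256").text = hashlib.sha256("".join(metrics).encode()).hexdigest()
    ET.SubElement(header, "ChunkSize").text = str(chunk_size)
    ET.SubElement(header, "ImageSize").text = str(len(image))
    for n, digest in enumerate(metrics):
        chunk = ET.SubElement(root, f"chunk.{n}")
        ET.SubElement(chunk, "BlockAddress").text = f"{n * chunk_size:08x}"
        ET.SubElement(chunk, "SHA256").text = digest
    return ET.tostring(root)

def _chunk_metric(root, index):
    elem = next((c for c in root if c.tag == f"chunk.{index}"), None)  # tags chunk.N as in Listing 1
    return elem.find("SHA256").text if elem is not None else ""  # a missing entry never matches

def verify_chunk(metadata, image, index):
    """Check one chunk on access: the 'during operation' check of section 4.2.2."""
    root = ET.fromstring(metadata)
    chunk_size = int(root.find("header/ChunkSize").text)
    data = image[index * chunk_size:(index + 1) * chunk_size]
    return hashlib.sha256(data).hexdigest() == _chunk_metric(root, index)

def verify_image(metadata, image):
    """Check the whole image before operation (section 4.2.1). Returns the indices of
    chunks whose metric does not match; an empty list means the image is intact.
    A size or header mismatch rejects every chunk, since the table itself is untrusted."""
    root = ET.fromstring(metadata)
    chunk_size = int(root.find("header/ChunkSize").text)
    n_chunks = (len(image) + chunk_size - 1) // chunk_size
    table = "".join(_chunk_metric(root, i) for i in range(n_chunks))
    if (len(image) != int(root.find("header/ImageSize").text)
            or hashlib.sha256(table.encode()).hexdigest() != root.find("header/SHA256").text):
        return list(range(n_chunks))
    return [i for i in range(n_chunks) if not verify_chunk(metadata, image, i)]
```

A single flipped byte is reported as exactly one failed chunk index, while an edit to the metric table itself fails the header check and rejects the whole image.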

4.5 Trust Control

trusted virtual disk image implementation is correct and trustworthy. It will do so by measuring each

-chine is being moved.

5 Life cycle

5.1 Initialisation

at the same time it allows the image to dynamically grow during operation. However, it is still necessary operating

trusted computing sealing mecha-


5.2 Backup

sealing it to a -rity checks as integrity metrics may be outdated.

5.3 Migration

-sume a

machines to establish mutual trust and a secure link. During this phase the remote machine attests its state to the source machine, which will then decide whether the remote state is

5.4 Snapshots

to be taken during normal operation, thus while a virtualised guest is running. Chunks that do not hold

5.5 Deletion


6 Conclusion

trusted computing concepts to enhance security while at the same time applying those security properties -

age location or transport mechanism without compromising could be hosted over the internet.


attributes at all.

7 Future Work
