Virtual Container Attestation: Customized trusted containers for on-demand computing.

Post on 03-Jan-2016

description

Virtual Container Attestation: Customized trusted containers for on-demand computing. Katelin Bailey, Senior Thesis 2010, Dartmouth College Department of Computer Science. Where are we going? Introduction; The Problem of Trusted Computing; Tools: OpenSolaris, TPM, DTrace

transcript

Virtual Container Attestation:

Customized trusted containers for on-demand computing.

Katelin Bailey

Senior Thesis 2010

Dartmouth College

Department of Computer Science

Where are we going?

• Introduction

• The Problem of Trusted Computing

• Tools: OpenSolaris, TPM, DTrace

• Design & Implementation

• Motivation for the Testing Applications

• Testing Applications

• Results & Conclusions

The Problem of Trusted Computing

• Why do we need to trust computers?

• How can we develop that trust?

Previous Approaches

• Attestation

• Property-based attestation

• Compartmented attestation

• Virtualization

• Trusted Computing on Demand

Tools used in the implementation...

• Zones (containers)

• DTrace

• Open-source

OpenSolaris

Zones

• OS-level virtualization is lightweight

• Global zone’s window into the containers

• Zone cloning

• Easy configuration

• More complete virtualization, not just process isolation

TPM

• Cryptographic Capabilities

• Platform Control Registers

• Trusted Root

• Trusted Boot

• In relation to Trusted Computing

Virtual Container Attestation: The Goals

Uses client-requested containers

1. Interface to local and remote machines

2. Remain usable to client applications

3. Employs property-attributed certificates

4. Monitors attributes of each container

5. Halts zones which do not comply

6. Ensures that revoked zones remain inactive

In summary...

• Flexibility of policy

• Containers on demand

• Isolation

• Policy enforcement

• Simple property attestation

Open source software as the basis for the testing applications

Unfortunately, we had to create our own...

Power Grid Software

• Input comes from device measurements

• Format the incoming data

• Process in any (possibly multiple) way

• Export for large-scale processing

• Format/prepare the outgoing data

Hurdles

• Zone startup times

• TSS stack

Future Work

• Fix the hurdles!

• Varied revocation scheme

• Additional security checks

• Negotiation of security

• Better zone communication

Conclusions

Thank you!