O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Experiences in Trusted Cloud Computing

400 visualizações

Publicada em

While trusted computing is a well-known technology, its role has been relatively limited in scope and typically limited to single machines. The advent of cloud computing, its role as critical infrastructure and the requirement for trust between the users of computing resources combines to form a perfect environment for trusted and high-integrity computing. Indeed, the use of trusted computing is an enabling technology over nearly all ‘cyber’ areas: secure supply chain management, privacy and critical data protection, data sovereignty, cyber defense, legal etc. To achieve this, we must fundamentally redefine what we mean by trusted and high-integrity computing. We are required to go beyond boot-time trust and rethink notions of run-time trust, partial trust, how systems are constructed, the trust between management and operations, compute and storage infrastructure and the dynamic provisioning of services by external parties. While attestation technologies, so-called run-time trust and virtualized TPM are being brought to the fore, adopting these does not solve any of the fundamental problems of trust in the cloud

Publicada em: Tecnologia
  • Seja o primeiro a comentar

Experiences in Trusted Cloud Computing

  1. 1. © 2017 Nokia1 Experiences in Trusted Cloud Computing Ian Oliver, Silke Holtmanns, Yoan Miche, Shankar Lal, Leo Hippeläinen, Aapo Kalliola, Sowmya Ravidas Security Research Nokia Bell Labs, Finland NSS 2017, Helsinki 21 Aug 2017
  2. 2. © 2017 Nokia2 Preliminaries 1. NFV
  3. 3. © 2017 Nokia3 Preliminaries 1. NFV 2. Trusted Computing
  4. 4. © 2017 Nokia4 Preliminaries 1. NFV 2. Trusted Computing 1. Integrity checking a. NFVI b. Workload/VNF c. MANO 2. Secure storage a. key/cert storage b. information sealing 3. Secure Delivery and Deployment 4. IdM 5. Workload Placement a. Resource Management b. TPM Pinning c. Mobility
  5. 5. © 2017 Nokia5 NFVI Trust 1. Trusted Boot
  6. 6. © 2017 Nokia6 NFVI Trust 1. Trusted Boot 2. Attestation a. untrusted nodes b. attestation failure
  7. 7. © 2017 Nokia7 NFVI Trust 1. Trusted Boot 2. Attestation a. untrusted nodes b. attestation failure 3. Attestation Placement
  8. 8. © 2017 Nokia8 Workload Trust and Placement
  9. 9. © 2017 Nokia9 Definition A trusted NFV cloud is one that contains at least one boot-time integrity checked and attested NFVI element
  10. 10. © 2017 Nokia10 Further Features 1. TPM Binding
  11. 11. © 2017 Nokia11 Further Features 1. TPM Binding 2. VM Snapshotting a. Trusted VM Transfer (Real-time?)
  12. 12. © 2017 Nokia12 Further Features 1. TPM Binding 2. VM Snapshotting a. Trusted VM Transfer (Real-time?) 3. Intra-VNF Communication
  13. 13. © 2017 Nokia13 Further Features 1. TPM Binding 2. VM Snapshotting a. Trusted VM Transfer (Real-time?) 3. Intra-VNF Communication 4. VPN/SSL/encrypted comms a. In-memory communication (SGX?) b. VM Mobility
  14. 14. © 2017 Nokia14 Further Features 1. TPM Binding 2. VM Snapshotting a. Trusted VM Transfer (Real-time?) 3. Intra-VNF Communication 4. VPN/SSL/encrypted comms a. In-memory communication (SGX?) b. VM Mobility 5. Run-Time Integrity
  15. 15. © 2017 Nokia15 Further Features 1. TPM Binding 2. VM Snapshotting a. Trusted VM Transfer (Real-time?) 3. Intra-VNF Communication 4. VPN/SSL/encrypted comms a. In-memory communication (SGX?) b. VM Mobility 5. Run-Time Integrity 6. Trust Failure Handling a. Hard Trust vs Soft Trust b. Mitigations/Trust as a Safety-Critical Property
  16. 16. © 2017 Nokia16 Horizontal vs Vertical Trust TPM Hardware Hypervisor
  17. 17. © 2017 Nokia17 Horizontal vs Vertical Trust TPM Hardware Hypervisor vTPM
  18. 18. © 2017 Nokia18 Horizontal vs Vertical Trust TPM Hardware Hypervisor vTPM VM
  19. 19. © 2017 Nokia19 Horizontal vs Vertical Trust TPM Hardware Hypervisor VM TPM Hardware Hypervisor VM Hardware Hypervisor VM VNF ?
  20. 20. © 2017 Nokia20 Horizontal vs Vertical Trust TPM Hardware Hypervisor VM TPM Hardware Hypervisor VM Hardware Hypervisor VM VNF ? MANO
  21. 21. © 2017 Nokia21 Horizontal vs Vertical Trust … in time TPM Hardware Hypervisor VM TPM Hardware Hypervisor VM Hardware Hypervisor VM VNF ? MANO time...
  22. 22. © 2017 Nokia22 Trust ...as a resource management aspect
  23. 23. © 2017 Nokia23 Trust ...as a resource management aspect ● Complex to manage resources: ○ vCPU+vMEM+TPM ○ Resource migration ○ Failure/lack of resources hard to manage ○ Failure mitigate strategies are non-existant ● VM Meta-data/VNFD ● Requires robust PKI, Key/Measurement Delivery ● Multiple Roots of Trust ○ HSM adds an extra layer of indirection ● Provides interesting new attack vectors ○ “Green” data centers ○ Prior knowledge of Critical workload placement
  24. 24. © 2017 Nokia24 Trust ...as an identity management aspect
  25. 25. © 2017 Nokia25 Trust ...as an identity management aspect
  26. 26. © 2017 Nokia26 Trust ...as an identity management aspect ● Element Identity ○ NFVI element, VM, VNF, MANO, Device (IoT) etc ○ Service and Authority Identification ● Multiple roots of trust => Web of Trust ● Identity Distribution ○ Global & Unique vs Local Identity ○ Compound Identity ● Service Notarisation ○ Integrity values, constraints and parameters ● Updates as Transactions ● Trust Reasoning ● Trust Fabric
  27. 27. © 2017 Nokia27 Summary ● Trust can be “cloudified” ● 1 TPM-1 MCH -> n TPM-[n vTPM]-n MCH ● Trust as Integrity -> Resource Mgmnt -> IdM ● Trust as Boolean -> Trust as Continuum of Values ● Reasoning/Semantics ● Hard Problem, but, some easy wins

×