Enriquillo Valdez

Building a MAC-based security architecture for the Xen open-source hypervisor

We present the sHype hypervisor security architecture and examine in detail its mandatory access control facilities. While existing hypervisor security approaches aiming at high assurance have been proven useful for high-security environments that prioritize security over performance and code reuse, our approach aims at commercial security where near-zero performance overhead, non-intrusive implementation, and usability are of paramount importance. sHype enforces strong isolation at the granularity of a virtual machine, thus providing a robust foundation on which higher software layers can enact finer-grained controls. We provide the rationale behind the sHype design and describe and evaluate our implementation for the Xen open-source hypervisor

TVDc: managing security in the trusted virtual datacenter

Virtualization technology is becoming increasingly common in datacenters, since it allows for collocation of multiple workloads, consisting of operating systems, middleware and applications, in different virtual machines (VMs) on shared physical hardware platforms. However, when coupled with the ease of VM migration, this trend increases the potential surface for security attacks. Further, the simplified management of VMs, including creation, cloning and migration, makes it imperative to monitor and guarantee the integrity of software components running within VMs. This paper presents the IBM Trusted Virtual Datacenter (TVDc) technology developed to address the need for strong isolation and integrity guarantees, thus significantly enhancing security and systems management capabilities, in virtualized environments. It signifies the first effort to incorporate trusted computing technologies directly into virtualization and systems management software. We present and discuss various components that constitute TVDc: the Trusted Platform Module (TPM), the virtual TPM, the IBM hypervisor security architecture (sHype) and the associated systems management software.

Security for the cloud infrastructure: trusted virtual data center implementation

The trusted virtual data center (TVDc) is a technology developed to address the need for strong isolation and integrity guarantees in virtualized environments. In this paper, we extend previous work on the TVDc by implementing controlled access to networked storage based on security labels and by implementing management prototypes that demonstrate the enforcement of isolation constraints and integrity checking. In addition, we extend the management paradigm for the TVDc with a hierarchical administration model based on trusted virtual domains and describe the challenges for future research.

Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control

Server virtualization more readily enables the collocation of disparate workloads on a shared physical platform. When employed on systems across a data center, the result can be a dramatic increase in server utilization and a decrease in overall power, cooling and floor space requirements. However, in an environment where workloads share the underlying platforms, achieving other desirable workload goals, such as availability and security, becomes a challenge. In particular, enforcing isolation between workloads in a large, dynamic, and virtualized data center requires strong yet easily configurable controls on the sharing of resources at the virtualization layer. Commercial hypervisors usually offer reasonable isolation of individual virtual machines (VMs). However, on hypervisor-based platforms, one cannot currently define a single policy that automatically enforces restrictions on the sharing of resources between multiple VMs or request an air gap between workloads. In this paper, we describe the design and implementation of a Hypervisor-based Mandatory Access Control (MAC) that achieves policy-driven distributed workload isolation for the IBM Power Hypervisor (PHYP). We discuss our experiences and lessons learned and examine the implications and trade-offs involved in providing MAC on a production- level, commercially-available hypervisor. Our goal is to simplify the security management of data centers through centralized security management and policy- driven distributed access control and data protection.

Scalable Attestation: A Step Toward Secure and Trusted Clouds

In this work we present Scalable Attestation, a method which combines both secure boot and trusted boot technologies, and extends them up into the host, its programs, and up into the guests operating system and workloads, to both detect and prevent integrity attacks. Anchored in hardware, this integrity appraisal and attestation protects persistent data (files) from remote attack, even if the attack is root privileged. As an added benefit of a hardware rooted attestation, we gain a simple hardware based geolocation attestation to help enforce regulatory requirements. This design is implemented in multiple cloud test beds based on the QEMU/KVM hypervisor, Open Stack, and Open Attestation, and is shown to provide significant additional integrity protection at negligible cost.

Matchbox: secure data sharing

Homeland security requires that organizations share sensitive data, but both suppliers and users must typically restrict data access for security, legal, or business reasons. Matchbox database servers provide highly secure, fine-grained access control using digitally cosigned contracts to enforce sharing restrictions. To handle security operations, Matchbox uses the tamper-responding, programmable IBM 4758 cryptographic coprocessor. Matchbox servers can be distributed on a network for high availability, and parties can communicate with Matchbox over public networks - including hostile environments with untrusted hardware, software, and administrators.

Security intelligence for cloud management infrastructures

cloud management infrastructures S. Berger S. Garion Y. Moatti D. Naor D. Pendarakis A. Shulman-Peleg J. R. Rao E. Valdez Y. Weinsberg In this paper, we address the problem of protecting cloud infrastructures and customer workloads via smart auditing and logging, satisfying regulatory and compliance requirements. We observe that traditional approaches of logging and auditing events in cloud-scale infrastructures will not be effective without taking into account other controls. We introduce the concept of Cloud Security Intelligence (CSI), a new systematic approach for collecting, aggregating, correlating, and analyzing data from management, control, and data planes of cloud infrastructures, using a closed-loop architecture. Our approach cross-correlates control and data plane events, automatically deriving rules for monitoring and audits. Specifically, it sets dynamic rules concerning what and how to audit, adapting the logging accordingly, while comparing the data access patterns and configurations with the desired privileges and specifications. We have implemented CSI on two OpenStack-based systems: a closed loop network protection scheme and a cloud storage audit and risk analysis scheme for monitoring data access. In order to make cloud security approaches effective and scalable, we suggest that it is essential to use an intelligent approach such as correlating cloud logic from multiple cloud layers and components-e.g., IaaS (Infrastructure as a Service) or PaaS (Platform as a Service)-providing workload context that is maintained by cloud management systems, and using analytics on historical logs.

Scalable Attestation: A Step toward Secure and Trusted Clouds

Scalable attestation combines secure boot and trusted boot technologies, and extends them up into the host, its programs, and into the guests operating system and workloads, to both detect and prevent integrity attacks. Anchored in hardware, this integrity appraisal and attestation protects persistent data (files) from remote attack, even if the attack is root privileged. As an added benefit of a hardware rooted attestation, the authors gain a simple hardware-based geolocation attestation to help enforce regulatory requirements. This design is implemented in multiple cloud testbeds based on the QEMU/KVM hypervisor, OpenStack, and OpenAttestation, and is shown to provide significant additional integrity protection at negligible cost.