Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing.

Published byHeather Bayliss Modified over 9 years ago

Similar presentations

Presentation on theme: "Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing."— Presentation transcript:

1 Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing

2 Securing Clouds 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan2 Goal: Learn about different techniques for protecting a cloud against insider adversaries Review Assignment #2 Santos et al., Towards Trusted Cloud Computing, HotCloud 2009

3 Recap From last class: Hey You, Get off of my Cloud. CCS 2009 – Things you liked? – Limitations? – Ideas? 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan3

4 The IaaS security problem 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan4 The cloud acts as a big black box, nothing inside the cloud is visible to the clients Clients have no idea or control over what happens inside a cloud Even if the cloud provider is honest, it can have malicious sys admins who can tamper with the VMs and violate confidentiality and integrity

5 How to ensure that the cloud is not tampered with? Naïve Approach 1: Just trust the cloud provider – Why won’t work: Provider may be honest, sys admins may not be so Naïve Approach 2: As the cloud provider to allow auditing of the cloud by the client – Why won’t work: Providers are not willing to open their system to outside audits Workable Approach 3: Ask cloud provider for unforgeable proof/attestation – Why may work: A third party proof not revealing other information may be enough for both client and provider 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan5

6 How to audit with a third party? Allow third party access to cloud? Use trusted hardware 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan6

7 Trusted Platform Module (TPM) 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan7 TPMs are inexpensive chips now included in most laptops Can be the building block for a trusted computing base Can bootstrap trust in a system Endorsement Key: A private (RSA) key that identifies the chip Platform Configuration Register (PCR) : Can contain hashes of system configurations Cannot (easily) be compromised to get the keys

8 Trusted Cloud Computing Platform by Santos et al., HotCloud 09 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan8 Problem Insiders with root access can compromise confidentiality of client virtual machines Possible solution?: Encrypt virtual machines, but sooner or later, it has to be decrypted to run Possible Solution?: Only allow nodes running trustworthy software to decrypt the VM

9 Threat Model Attacker – A malicious insider with root level access to cloud nodes (i.e., can install new software, modify existing software etc., inspect VMs running on a node) – Does not have physical access to machine 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan9

10 How determine if a node is trustworthy? Major events that causes changes – Node start, VM Launch, VM migration How to determine trustworthiness? – A node is trustworthy if it has a trustworthy configuration (e.g., h/w, software etc.) – Remote attestation can help in verifying configurations 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan10

11 TCCP Architecture Nodes run Trusted Virtual Machine Monitors (TVMM), and TVVM configuration can be certified by TPMs External Trusted Entity (ETE) or the Trusted Coordinator (TC) is the trusted third party that verifies the node 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan11

12 Key ideas Attackers have access to regular cloud nodes But Attackers DO NOT have access to the trusted co-ordinator (TC) 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan12

13 TCCP Protocols 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan13 Node registration

14 TCCP Protocols 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan14 VM Launch

15 TCCP Protocols 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan15 VM Migrate

16 TCCP limitations Any single point of failure? Will it increase the attack surface? How about cost-effectiveness? 2/14/2011en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan16

17 2/14/201117en.600.412 Spring 2011 Lecture 3 | JHU | Ragib Hasan Further Reading TPM Reset Attack http://www.cs.dartmouth.edu/~pkilab/sparks/http://www.cs.dartmouth.edu/~pkilab/sparks/ Halderman et al., Lest We Remember: Cold Boot Attacks on Encryption Keys, USENIX Security 08, http://citp.princeton.edu/memory/http://citp.princeton.edu/memory/

Download ppt "Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 3 02/14/2010 Security and Privacy in Cloud Computing."

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Trusted Platform Module

Trusted Platform Module
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.
Vpn-info.com.

Vpn-info.com.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/11/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/11/2011 Security and Privacy in Cloud Computing.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.

Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.
Slide credits: Ragib Hasan, Johns Hopkins University CS573 Data privacy and security in the cloud.

Slide credits: Ragib Hasan, Johns Hopkins University CS573 Data privacy and security in the cloud.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 1 01/25/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 1 01/25/2010 Security and Privacy in Cloud Computing.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 10 09/15/2011 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 10 09/15/2011 Security and Privacy in Cloud Computing.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.

 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.
1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.

1 Bootstrapping Trust in a “Trusted” Platform Carnegie Mellon University November 11, 2008 Bryan Parno.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 7 03/29/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 7 03/29/2010 Security and Privacy in Cloud Computing.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

Similar presentations

Ads by Google