Realizing Trusted Clouds

Realizing Trusted Clouds

with Trusted Computing and SCAP

SICS Security Seminar

Outline



Cloud Computing



Trusted Clouds



Cloud Audit & Certification



Problems in existing approaches



Solutions

Cloud Computing

Lack of Visibility



Cloud Infrastructure managed

by the CSP



User cannot see the internal

details

◦

Data Security/Location

◦

Identity & Access Management

◦

Cloud Platform Integrity

(applications and their settings)



Result:

Lack of Visibility



Cloud Infrastructure managed

by the CSP



User cannot see the internal

details

◦

Data Security/Location

◦

Identity & Access Management

◦

Cloud Platform Integrity

(applications and their settings)



Result:

Lack of Visibility



Cloud Infrastructure managed

by the CSP



User cannot see the internal

details

◦

Data Security/Location

◦

Identity & Access Management

◦

Cloud Platform Integrity

(applications and their settings)



Result:

◦

Cannot Trust Cloud Service

What is a Correct Platform?



Correct Software Stack

◦

BIOS, Bootloader, OS, Applications, etc.



Correct Configuration of every software

◦

SE Linux enforcing, Firewall config., etc.



What is a “Secure” Platform Configuration

◦

Different for different scenarios

◦

Examples:



Payment Card Industry -> PCI DSS



Health Insurance Portability and Accountability Act -> HIPAA

Audit & Certification



Audit

by a Trusted Third Party

◦

Evaluation of implemented security controls

(e.g. NIST SP 800-153A in FISMA)

◦

Compared against defined Security

Requirements

(e.g. NIST SP 800-153 in FISMA)



Certification

given to the

organization



Example: Federal Risk and Authorization

Management Program (FedRAMP)

Shortcomings of existing approaches

Scheduled over

months (quarterly,

Audit & Certification

Scheduled over

months (quarterly,

biannual, etc)

Incomplete (only a

subset is verified)

Vulnerable to new

_exploits

Frequent

&

Audit & Certification

Scheduled over

months (quarterly,

biannual, etc)

Incomplete (only a

subset is verified)

Vulnerable to new

_exploits

Frequent

&

Random

Platform

Level

Certification

Audit & Certification

Scheduled over

months (quarterly,

biannual, etc)

Incomplete (only a

subset is verified)

Vulnerable to new

_exploits

Frequent

&

Random

Platform

Level

Certification

Continuous

Vulnerability

management

Cloud Security Alliance

Cloud Security Alliance

Cloud Security Alliance

Towards Solutions



Summing up the requirements

◦

Trustworthy (IaaS) Cloud -> Integrity of Cloud

Platform -> Check Correctness of the Platform

-> Software Stack + Software Configuration



Solution properties

◦

Automated Assessment

◦

Continuous audit -> Platform Certification

◦

Remote Platforms

Approach

Remotely Certify the Correctness of a

Remote Platform

Verify the Software Stack Integrity

(i.e. only approved/known software)

Remote Platform Verification



A three phase remote platform

verification, assessment and certification

solution

◦

Phase-I:

Traditional Remote Attestation

◦

Phase-II:

Assess platform for known vulnerabilities

Phase-I : Software Stack Integrity

Reference Measurements Database

Remote Verifier ( R V )

Local Reference

Measurements DB

Software Vendor

Hash(SW)

CompareHash(SW)

CompareHash(SW)

Attestation Request (N)

+ Bindkey Request

Integrity Report(TPM_Quote, IML)

+ Bindkey(PublicKey, CertifyInfo)

Hypervisor

User

VM

Mgt

VM

ST

User

VM

Target Platform ( T P )

Trusted

Phase-II : Vulnerability Analysis

- Security Labs

- S/W Vendors

- Researchers

Public Vulnerability Database

(CPE, CVE, CVSS, CCSS)

Remote Verifier ( R V )

Security

Advisory

Local Vulnerability

Database

SW Vulnerability Status(CPE)

Software_CVSS

_S

te

p

2

Policy

Phase-II : Vulnerability Analysis

- Security Labs

- S/W Vendors

- Researchers

Public Vulnerability Database

(CPE, CVE, CVSS, CCSS)

Remote Verifier ( R V )

Security

Advisory

Local Vulnerability

Database

SW Vulnerability Status(CPE)

Software_CVSS

_S

te

p

2

Policy

SCAP

–

Security Content Automation Protocol

CPE –

Common Platform Enumeration

CVE –

Common Vulnerability Exposure

CVSS

–

Common Vulnerability Scoring System

Phase-II : Vulnerability Analysis

- Security Labs

- S/W Vendors

- Researchers

Public Vulnerability Database

(CPE, CVE, CVSS, CCSS)

Remote Verifier ( R V )

Security

Advisory

Local Vulnerability

Database

SW Vulnerability Status(CPE)

Software_CVSS

_S

te

p

2

Policy

Phase-II : Vulnerability Analysis

- Security Labs

- S/W Vendors

- Researchers

Public Vulnerability Database

(CPE, CVE, CVSS, CCSS)

Remote Verifier ( R V )

Security

Advisory

Local Vulnerability

Database

SW Vulnerability Status(CPE)

Software_CVSS

_S

te

p

2

Policy

SCAP

–

Security Content Automation Protocol

CPE –

Common Platform Enumeration

CVE –

Common Vulnerability Exposure

CVSS

–

Common Vulnerability Scoring System

Phase-III : Configuration Compliance

Remote Verifier

Request Configuration

Analysis(xccdf)

Signed

bindkey

(compliance_report)

Trusted

- Industry Standard

- Govt Defined Config

Config

Policy

Recommended Configurations

(software, hypervisor, OS)

Hardware/CPU

TPM

Hypervisor

User

VM

Mgt

VM

ST

User

VM

Target Platform ( T P )

xccdf

checklist

compliance

TPM

Config

Analysis

(

MgtVM,

Hypervisor

)

Sign

signed

report

ST

Phase-III : Configuration Compliance

Remote Verifier

Request Configuration

Analysis(xccdf)

Signed

bindkey

(compliance_report)

Trusted

- Industry Standard

- Govt Defined Config

Config

Policy

Recommended Configurations

(software, hypervisor, OS)

Hardware/CPU

TPM

Hypervisor

User

VM

Mgt

VM

ST

User

VM

Target Platform ( T P )

xccdf

checklist

compliance

TPM

Config

Analysis

(

MgtVM,

Hypervisor

)

Sign

signed

report

ST

Phase-III : Configuration Compliance

Remote Verifier

Request Configuration

Analysis(xccdf)

Signed

bindkey

(compliance_report)

Trusted

- Industry Standard

- Govt Defined Config

Config

Policy

Recommended Configurations

(software, hypervisor, OS)

Hardware/CPU

TPM

Hypervisor

User

VM

Mgt

VM

ST

User

VM

Target Platform ( T P )

xccdf

checklist

compliance

TPM

Config

Analysis

(

MgtVM,

Hypervisor

)

Sign

signed

report

ST

ASArP: Automated Security Assessment &

Audit of Remote Platforms

Reference Measurements Database

- Industry Standard - Govt Defined Config

- Security Labs - S/W Vendors - Researchers

Public Vulnerability Database (CPE, CVE, CVSS, CCSS)

Remote Verifier (Auditor, Platform

Certification Authority, etc.)

Hardware/CPU TPM Hypervisor User VM Mgt VM ST User VM

Phase I – Software Stack Integrity

Security Advisory ST: SCAP Tool Local Vulnerability Database Local Reference Measurements DB Recommended Platform Configurations Software Vendor

Internet

Phase III – Software Configuration Compliance

Certified

Software WFN including SHA1

Trusted Comlementary Whitelist

(drivers, lib, proprietary sw )

Policy

Local Admin

Target Platform

Phase II – Software Stack Vulnerability Assessment

ASArP: Automated Security Assessment &

Audit of Remote Platforms

Reference Measurements Database

- Industry Standard - Govt Defined Config

- Security Labs - S/W Vendors - Researchers

Public Vulnerability Database (CPE, CVE, CVSS, CCSS)

Remote Verifier (Auditor, Platform

Certification Authority, etc.)

Hardware/CPU TPM Hypervisor User VM Mgt VM ST User VM

Phase I – Software Stack Integrity

Security Advisory ST: SCAP Tool Local Vulnerability Database Local Reference Measurements DB Recommended Platform Configurations Software Vendor

Internet

Phase III – Software Configuration Compliance

Certified

Software WFN including SHA1

Trusted Comlementary Whitelist

(drivers, lib, proprietary sw )

Policy

Local Admin

Target Platform

Phase II – Software Stack Vulnerability Assessment

{

TT

P

ID

Profile

PK_Bind

Time

}

Sign

Platform Certificate (uses)



Aslam, Mudassar and Gehrmann, Christian and Rasmusson, Lars and Björkman, Mats (2012),

Securely Launching Virtual Machines on Trustworthy Platforms in a Public Cloud

. In:

International Conference on Cloud Computing and Services Science, CLOSER 2012, 18 - 21

April 2012, Porto, Portugal.



Paladi, Nicolae and Gehrmann, Christian and Aslam, Mudassar and Morenius, Fredric (2013),

Trusted Launch of Virtual Machine Instances in Public IaaS Environments

. In: 15th Annual

International Conference on Information Security and Cryptology, 28-30 Nov 2012, Seoul, Korea



Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2012)

Security and Trust

Preserving VM Migrations in Public Clouds

. In: The 2nd IEEE International Symposium on

Trust and Security in Cloud Computing, in conjunction with IEEE TrustCom-12, 25-27 June 2012,

Liverpool, UK.

{

TT

P

ID

Profile

Platform Certificate (uses)



Aslam, Mudassar and Gehrmann, Christian and Rasmusson, Lars and Björkman, Mats (2012),

Securely Launching Virtual Machines on Trustworthy Platforms in a Public Cloud

. In:

International Conference on Cloud Computing and Services Science, CLOSER 2012, 18 - 21

April 2012, Porto, Portugal.



Paladi, Nicolae and Gehrmann, Christian and Aslam, Mudassar and Morenius, Fredric (2013),

Trusted Launch of Virtual Machine Instances in Public IaaS Environments

. In: 15th Annual

International Conference on Information Security and Cryptology, 28-30 Nov 2012, Seoul, Korea



Aslam, Mudassar and Gehrmann, Christian and Björkman, Mats (2012)

Security and Trust

Preserving VM Migrations in Public Clouds

. In: The 2nd IEEE International Symposium on

Trust and Security in Cloud Computing, in conjunction with IEEE TrustCom-12, 25-27 June 2012,

Liverpool, UK.

{

TT

P

ID

Profile

ASArP: Automated Security Assessment &

Audit of Remote Platforms

Reference Measurements Database

- Industry Standard - Govt Defined Config

- Security Labs - S/W Vendors - Researchers

Public Vulnerability Database (CPE, CVE, CVSS, CCSS)

Remote Verifier (Auditor, Platform

Certification Authority, etc.)

Hardware/CPU TPM Hypervisor User VM Mgt VM ST User VM

Phase I – Software Stack Integrity

Security Advisory ST: SCAP Tool Local Vulnerability Database Local Reference Measurements DB Recommended Platform Configurations Software Vendor

Internet

Phase III – Software Configuration Compliance

Certified

Software WFN including SHA1

Trusted Comlementary Whitelist

(drivers, lib, proprietary sw )

Policy

Local Admin

Target Platform

Phase II – Software Stack Vulnerability Assessment

ASArP: Automated Security Assessment &

Audit of Remote Platforms

Reference Measurements Database

- Industry Standard - Govt Defined Config

- Security Labs - S/W Vendors - Researchers

Public Vulnerability Database (CPE, CVE, CVSS, CCSS)

Remote Verifier (Auditor, Platform

Certification Authority, etc.)

Hardware/CPU TPM Hypervisor User VM Mgt VM ST User VM

Phase I – Software Stack Integrity

Security Advisory ST: SCAP Tool Local Vulnerability Database Local Reference Measurements DB Recommended Platform Configurations Software Vendor

Internet

Phase III – Software Configuration Compliance

Certified

Software WFN including SHA1

Trusted Comlementary Whitelist

(drivers, lib, proprietary sw )

Policy

Local Admin

Target Platform

Phase II – Software Stack Vulnerability Assessment

TPM Chip

MongoDB

ASArP: Automated Security Assessment &

Audit of Remote Platforms

Reference Measurements Database

- Industry Standard - Govt Defined Config

- Security Labs - S/W Vendors - Researchers

Public Vulnerability Database (CPE, CVE, CVSS, CCSS)

Remote Verifier (Auditor, Platform

Certification Authority, etc.)

Hardware/CPU TPM Hypervisor User VM Mgt VM ST User VM

Phase I – Software Stack Integrity

Security Advisory ST: SCAP Tool Local Vulnerability Database Local Reference Measurements DB Recommended Platform Configurations Software Vendor

Internet

Phase III – Software Configuration Compliance

Certified

Software WFN including SHA1

Trusted Comlementary Whitelist

(drivers, lib, proprietary sw )

Policy

Local Admin

Target Platform

Phase II – Software Stack Vulnerability Assessment

TPM Chip

MongoDB

cve-search

Enhanced

SCAP Editor

ASArP: Automated Security Assessment &

Audit of Remote Platforms

Reference Measurements Database

- Industry Standard - Govt Defined Config

- Security Labs - S/W Vendors - Researchers

Public Vulnerability Database (CPE, CVE, CVSS, CCSS)

Remote Verifier (Auditor, Platform

Certification Authority, etc.)

Hardware/CPU TPM Hypervisor User VM Mgt VM ST User VM

Phase I – Software Stack Integrity

Security Advisory ST: SCAP Tool Local Vulnerability Database Local Reference Measurements DB Recommended Platform Configurations Software Vendor

Internet

Phase III – Software Configuration Compliance

Certified

Software WFN including SHA1

Trusted Comlementary Whitelist

(drivers, lib, proprietary sw )

Policy

Local Admin

Target Platform

Phase II – Software Stack Vulnerability Assessment

TPM Chip

MongoDB

cve-search

Enhanced

SCAP Editor

Open SCAP

(oscap)

ASArP: Automated Security Assessment &

Audit of Remote Platforms

Reference Measurements Database

- Industry Standard - Govt Defined Config

- Security Labs - S/W Vendors - Researchers

Public Vulnerability Database (CPE, CVE, CVSS, CCSS)

Remote Verifier (Auditor, Platform

Certification Authority, etc.)

Hardware/CPU TPM Hypervisor User VM Mgt VM ST User VM

Phase I – Software Stack Integrity

Security Advisory ST: SCAP Tool Local Vulnerability Database Local Reference Measurements DB Recommended Platform Configurations Software Vendor

Internet

Phase III – Software Configuration Compliance

Certified

Software WFN including SHA1

Trusted Comlementary Whitelist

(drivers, lib, proprietary sw )

Policy

Local Admin

Target Platform

Phase II – Software Stack Vulnerability Assessment

TPM Chip

MongoDB

cve-search

Enhanced

SCAP Editor

Open SCAP

(oscap)

Achievements (in general)



Trusted Cloud Platforms



Platform Level Certification



CSA STAR Continuous Implementation

Proposal



TCG-SCAP Synergy

◦

Use of SCAP promises better ways to interpret TPM

integrity reports to assess the platform security status

Challenges and Summary



TCG Integrity Report does not map

directly to the SCAP framework

◦

no standard implementation/deployment exist



Sealing anything to the runtime state is

not practical

◦

current proposals only use BIOS+IPL