Virtual Container Attestation: Customized trusted containers for on-demand computing.
Katelin Bailey
Senior Thesis 2010
Dartmouth College
Department of Computer Science
Where are we going?
• Introduction
• The Problem of Trusted Computing
• Tools: OpenSolaris, TPM, DTrace
• Design & Implementation
• Motivation for the Testing Applications
• Testing Applications
• Results & Conclusions
The Problem of Trusted Computing
• Why do we need to trust computers?
• How can we develop that trust?
Previous Approaches
• Attestation
• Property-based attestation
• Compartmented attestation
• Virtualization
• Trusted Computing on Demand
Tools used in the implementation...
OpenSolaris
• Zones (containers)
• DTrace
• Open-source
Zones
• OS-level virtualization is lightweight
• Global zone’s window into the containers
• Zone cloning
• Easy configuration
• More complete virtualization, not just process isolation
TPM
• Cryptographic Capabilities
• Platform Configuration Registers
• Trusted Root
• Trusted Boot
• In relation to Trusted Computing
Virtual Container Attestation: The Goals
Uses client-requested containers
1. Interface to local and remote machines
2. Remain usable to client applications
3. Employs property-attributed certificates
4. Monitors attributes of each container
5. Halts zones which do not comply
6. Ensures that revoked zones remain inactive
In summary...
• Flexibility of policy
• Containers on demand
• Isolation
• Policy enforcement
• Simple property attestation
Open source software as the basis for the testing applications
Unfortunately, we had to create our own...
Power Grid Software
• Input comes from device measurements
• Format the incoming data
• Process in any (possibly multiple) way
• Export for large-scale processing
• Format/prepare the outgoing data
Hurdles
• Zone startup times
• TSS stack
Future Work
• Fix the hurdles!
• Varied revocation scheme
• Additional security checks
• Negotiation of security
• Better zone communication
Conclusions
Thank you!