DTSTM: Dynamic Tree Style Trust Measurement Model for Cloud Computing
KSII Transactions on Internet and Information Systems (TIIS). 2014. Jan, 8(1): 305-325
Copyright © 2014, Korean Society For Internet Information
  • Received : September 01, 2013
  • Accepted : January 11, 2014
  • Published : January 30, 2014
About the Authors
Zhen-ji Zhou
Institute of Command Information System, PLA University of Science and Technology, No.1 Haifu Street, Nanjing, Jiangsu, China
Li-fa Wu
Institute of Command Information System, PLA University of Science and Technology, No.1 Haifu Street, Nanjing, Jiangsu, China
Zheng Hong
Institute of Command Information System, PLA University of Science and Technology, No.1 Haifu Street, Nanjing, Jiangsu, China
Ming-fei Xu
Institute of Command Information System, PLA University of Science and Technology, No.1 Haifu Street, Nanjing, Jiangsu, China
Fan Pan
Institute of Command Information System, PLA University of Science and Technology, No.1 Haifu Street, Nanjing, Jiangsu, China

Abstract
In cloud computing infrastructure, current virtual machine trust measurement methods have many shortcomings in dynamism, security and concurrency. In this paper, we present a new method to measure the trust of a virtual machine. Firstly, we propose the "behavior trace" to describe the state of a virtual machine. A behavior trace is a sequence of behaviors. The measurement of a behavior trace is conducted on the basis of anticipated trusted behavior, which not only ensures the security of the virtual machine during the runtime stage but also reduces the complexity of the trust measurement. Based on the behavior trace, we present a Dynamic Tree Style Trust Measurement Model (DTSTM). In this model, the measurement of the system domain and the user domains is separated, which enhances the extensibility, security and concurrency of the measurement. Finally, based on System Call Interceptor (SCI) and Virtual Machine Introspection (VMI) technology, we implement a DTSTM prototype system for virtual machine trust measurement. Experimental results demonstrate that the system can effectively verify the trust of a virtual machine and requires a relatively low performance overhead.
1. Introduction
Virtualization technologies have been widely applied in cloud computing to package the computing, network and storage resources that are provided to tenants. It is crucial to measure whether the cloud computing platform runs buggy or malicious application code or is improperly configured. Thus, how to build a trustworthy virtual environment has become a key challenge in ensuring the security of a cloud computing platform [1], and it has attracted wide attention from researchers.
Traditional security management methods for virtual environments usually depend on software-level security and lack a trustable base [2]. It is hard to achieve a trusted virtual machine in the traditional manner in a cloud computing environment. Regarding this problem, an effective solution [3] is to combine trusted computing with cloud computing and provide trusted cloud services in a verifiable manner. Santos [4] initially proposed trusted cloud computing and designed a Trusted Cloud Computing Platform (TCCP). The platform starts from a trusted platform module built into the hardware of the cloud platform and conducts trust measurement level by level. In this way, a trusted virtual environment with ensured security is finally built up. Similar studies were provided by researchers in [5]-[9]. These studies are based on the Trust Measurement Scheme of the TCG [10], which is used to ensure the trustworthiness of a traditional PC platform at the booting stage. They do not accommodate a dynamic and multi-tenant virtual environment such as cloud computing. The major defects of these solutions are listed as follows:
  • Static measurement. In cloud computing, virtual machines are usually used on demand. The programs running in user domains may change the trustworthiness of the whole virtual machine. Current methods which use static measurement can only ensure the trustworthiness of the Virtual Machine Monitor (VMM) during the booting stage [11][12]. A method that can accurately describe the state of a running virtual machine is needed.
  • Weak concurrency. A VMM often monitors a system domain and a large number of user domains. A chain style measurement model can hardly deliver real-time and accurate trustworthiness to user domains with complicated structures [11]. Moreover, some user domains may constitute a trust domain according to a specific security policy based on business demands [13][14], which results in a more complicated trust relationship. As a result, an automatic and centralized trust measurement mechanism for virtual machines is required.
  • Poor security. Traditional trust measurement methods such as IMA [15] cannot resist attacks in kernel mode. For example, IMA depends on the kernel to ensure the correctness of verification results when adopting the Linux Security Model mechanism to implement integrity verification. Thus, measurement of virtual machine trust in cloud computing infrastructure requires the ability to resist kernel attacks.
Regarding the above problems, we present the Dynamic Tree Style Trust Measurement Model (DTSTM) for cloud computing. The model measures the behavior trace instead of the virtual machine state, which is difficult to describe, and reduces the complexity of virtual machine trust measurement while ensuring its security at the runtime stage. A behavior trace is a sequence of behaviors; we formally define it in Section 2. In order to solve the security and concurrency problems, our model measures the system domain and the user domains on the basis of configuration and behavior trace. Moreover, DTSTM ensures the security of the measurement module itself by separating the measurement module from the monitored virtual machine through the application of SCI and VMI technology. We leverage real-time monitoring of the kernel, key data, configuration and application behavior of a user domain to offer dynamic trust measurement of the virtual machine.
The remainder of this paper is organized as follows: In Section 2, we formally describe a trust measurement theorem of virtual machine state based on the concept of behavior trace, which builds the theoretical foundation of our work. In Section 3, we introduce the structure and workflow of DTSTM and analyze the security of this model. Section 4 presents a DTSTM-based trust measurement system and evaluates the effectiveness and performance of our implementation. In Section 5, we discuss related work. Section 6 draws conclusions and summarizes future work.
2. Virtual Machine Trust Validation
In this section, we firstly propose the concept of behavior trace, and then describe virtual machine state on the basis of behavior trace. Thereafter, a measurement method of virtual machine behavior in cloud computing infrastructure is provided. Finally, two virtual machine trust measurement methods are inferred from the virtual machine trust validation theorem.
- 2.1 Description
According to the definition of TCG, trustworthiness of a computing platform state depends on whether the platform’s behavior complies with its anticipated policy [10] , therefore the state of a virtual machine is affected by its behavior. In virtual machine trust measurement, any virtual machine behavior that does not conform to anticipated policy will damage trustworthiness of the virtual machine. Thus, virtual machine trust validation can be realized through measurement of the virtual machine behavior. For the purpose of description, we give relevant definitions as follows.
DEFINITION 1 (Behavior trace) A behavior trace R = b1 b2 … bn, where b1, b2, …, bn represent virtual machine behaviors. A behavior b ∈ B = (S×O×A) means an operation initiated by a subject and performed on an object. S = {s1, s2, …, sn} is the set of behavior subjects, including the programs started by the user; O = {o1, o2, …, on} is the set of behavior objects. A single object o ∈ O can be a resource such as a document, a program or a device. A = {r, w, e} is the set of access operations: read, write and execute.
DEFINITION 2 (Trusted behavior) A specific behavior b of a virtual machine is trusted if b complies with the anticipated trusted-behavior policy of the inquiring party.
DEFINITION 3 (Virtual machine state) The Virtual Machine State Set N = (R×E×H×F×J) indicates a collection of active subject behaviors and behavior attributes in a certain state. In the expression, n ∈ N indicates a single state within the Virtual Machine State Set, and the active subjects in state n are denoted as Sn. R indicates the behavior trace, and the behavior trace of state n is denoted as Rn. E = {e1, e2, …, en} indicates a set of expected values of system integrity measurement, and the set of expected values for trust in state n is denoted as En. H(s) is a function that measures the integrity of active subject s. F is a function that checks the policy conformance of a subject behavior. If behavior b conforms to the security policy, F(b) = True; otherwise, F(b) = False. For example, a policy p contains two rules r1 and r2: r1 is "user a1 can read file f1", and r2 is "user a2 cannot read file f1". If a1 reads file f1, F determines that the behavior complies with p. If a2 reads file f1, F determines that the behavior does not comply with p. J is a function that determines whether a state is trustable. If state n is trustable, J(n) = Trust; otherwise, J(n) = Untrust.
- 2.2 Measurement
A virtual machine platform is composed of various hardware and software parts with certain functional attributes, which are called components. Thus, to measure virtual machine behavior means acquiring the relevant attributes of component behavior. There are two types of components in a virtual machine: system components and application components. The former provide basic system services for application components, while the latter mainly implement the various tasks issued by the user. Because these two types have different features, the strategies and methods to measure their behaviors are also different.
1) System component. A system component is mainly composed of kernel modules, system dynamic link libraries and relevant configuration files. When a virtual machine starts, the system kernel is loaded first. At this moment, the virtual machine state can be regarded as the initial state, since no user is present during the booting stage. Meanwhile, the booting sequence of the system kernel, code modules and input/output is relatively fixed. Thus, the trustworthiness of this state can be determined by integrity. There is a set of Platform Configuration Registers (PCRs) within the TPM, and each PCR is associated with a specific event state of the system during the booting stage. When an event occurs, the hash value corresponding to the virtual machine program is calculated and extended into the PCR. After the booting stage, these hash values are used to verify the integrity of the system components.
2) Application component. An application component consists of executable programs, application dynamic link libraries and relevant configuration files. Since an application component has diverse inputs and often executes concurrently, the composition of its operating environment is complicated. Applications implement user tasks through a series of behaviors which may affect the trustworthiness of the system. Therefore, the trustworthiness of a behavior depends not only on the integrity of the file component itself but also on its input data and environment. Determining whether a component will have a detrimental effect on the system means verifying whether the component can cause damage to the virtual machine. In order to determine whether the application environment of a virtual machine is trustable, the sensitive behaviors of all application components must be verified at the runtime stage.
However, each component may produce sensitive behaviors that would affect the system. For example, both a trusted component and a malicious one may read and modify sensitive resources of the system. Thus, it is not reasonable to determine whether a component is trustable only on the basis of existence or absence of sensitive behaviors. If the behavior trace of component can be analyzed in a meticulous way and a comprehensive description of behavior trace is provided, it is possible to objectively discover whether a component produces malicious behavior. To precisely measure the state of current virtual machine, a prerequisite is to acquire behavior trace of the components.
- 2.3 Validation
Based on system component and application component behavior, the following validation policy is defined to determine whether a virtual machine is trustable.
DEFINITION 4 (Trust validation policy of virtual machine state) In a certain state, if all active subjects in the virtual machine are trusted subjects and the behavior traces of all subjects comply with the security policy, the virtual machine state is trustable, namely:
[Formula for Definition 4: image not reproduced]
The definition indicates that trusted behavior of a trusted subject ensures a trusted virtual machine state. Any untrusted subject or behavior would result in untrusted virtual machine state. To ensure effective implementation of measurement, report and determination mechanism of behavior, all active subjects of trusted virtual machine state must be trusted subjects. Therefore, trusted system behavior will not affect trustworthiness of the virtual machine state.
As previously mentioned, the virtual machine state is affected by system behavior. The transfer function Q(b, ri) = ri+1 indicates that the occurrence of system behavior b makes it possible for the virtual machine state to transfer from ri to ri+1. More generally, if R represents a system behavior trace, Q(R, ri) = ri+1 indicates that the occurrence of system behavior trace R makes it possible for the virtual machine state to transfer from ri to ri+1. The theorem below can be inferred from Definition 4.
THEOREM (Trust validation theorem of virtual machine state) If virtual machine state rt is trustable at moment t and each system behavior bi (1 ≤ i ≤ n) within the system behavior trace of the virtual machine (R = b1 b2 … bn) is trustable after moment t, the virtual machine state rt+1 = Q(R, rt) after the occurrence of system behavior trace R is trustable.
Since the state space of a virtual machine is usually infinite, it is difficult to directly determine whether a state is trustable or not. The trust validation theorem only needs to confirm whether the virtual machine state at a certain moment and each system behavior after that moment are trustable. This measurement method is more feasible in a real system, and trust validation can be effectively performed for any system state.
DEFINITION 5 Assuming BT indicates the set of system behaviors related to the trustworthiness of a virtual machine, and R1 and R2 are two system behavior traces, R2 is a trust relevant behavior trace of R1 if the following conditions are simultaneously satisfied:
─ For any system behavior a in R1, if a ∈ BT, a also belongs to R2;
─ For any system behavior b in R1, if b ∉ BT, b does not belong to R2;
─ The sequence of system behaviors in R2 is consistent with that in R1.
For example, BT = { b 1 , b 2 , b 3 }, Ra = b 4 b 2 b 1 b 3 b 5 , Rb = b 2 b 1 b 3 , Rb is a trust relevant behavior trace of Ra . Only b 1 , b 2 and b 3 can affect trustworthiness of the virtual machine state while b 4 and b 5 do not. The behaviors that do not change the trust of virtual machine state can be omitted.
The inference below can be made based on the above definitions and trust validation theorem of virtual machine state.
INFERENCE Assuming Rs is trust relevant behavior trace of system behavior trace R , if virtual machine state rt at the moment t is trustable and all system behaviors in Rs are trustable, virtual machine state r t+1 = Q ( R, rt) after occurrence of system behavior trace R is trustable.
The inference indicates that, when determining whether a virtual machine state is trustable, it is only necessary to verify the trustworthiness of the system behaviors (e.g., writing system files, updating the system policy) which change the trust of the virtual machine state. In the foregoing example, we only have to analyze Rb instead of Ra. This reduces the number of objects to be measured and the calculation required to verify the virtual machine state.
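The following Python code is an added illustration of Definitions 1 to 5 and the inference above; it is not the paper's prototype code. The subjects, objects, policy rules and component images are constructed sample values, and the "default deny" treatment of behaviors matching no rule is an assumption made here.

```python
"""Trust validation of a virtual machine state from its behavior trace,
following Definitions 1-5, the validation theorem and its inference.
Added illustration, not the paper's prototype; all sample data below is
constructed."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterable, Sequence

ACCESS = {"r", "w", "e"}  # read, write, execute (Definition 1)


@dataclass(frozen=True)
class Behavior:
    """b = (s, o, a): subject s performs access a on object o."""
    subject: str
    obj: str
    access: str

    def __post_init__(self) -> None:
        if self.access not in ACCESS:
            raise ValueError(f"unknown access operation {self.access!r}")


def make_policy(rules: Iterable[tuple]) -> Callable[[Behavior], bool]:
    """Build F of Definition 3 from rules (subject, object, access, allowed).
    A behavior matching no rule is treated as non-conforming (default deny,
    an assumption of this example)."""
    table = {(s, o, a): allowed for s, o, a, allowed in rules}

    def F(b: Behavior) -> bool:
        return table.get((b.subject, b.obj, b.access), False)

    return F


def make_integrity_check(expected: dict, images: dict) -> Callable[[str], bool]:
    """Build H of Definition 3: subject s is intact when the hash of its
    current image equals the expected value recorded in E."""
    def H(subject: str) -> bool:
        image = images.get(subject)
        if image is None:
            return False
        return hashlib.sha256(image).hexdigest() == expected.get(subject)

    return H


def trust_relevant_trace(R: Sequence, BT: set) -> list:
    """Definition 5: the trust-relevant trace of R keeps exactly the
    behaviors of R that belong to BT, in their original order."""
    return [b for b in R if b in BT]


def validate_state(state_t_trusted: bool, active_subjects: Iterable[str],
                   R: Sequence[Behavior], BT: set,
                   H: Callable[[str], bool], F: Callable[[Behavior], bool]) -> str:
    """J for the state r_{t+1} = Q(R, r_t), per Definition 4, the theorem and
    the inference: r_t must be trusted, every active subject must pass H, and
    every trust-relevant behavior after t must conform to F. Behaviors
    outside BT are skipped, as the inference permits."""
    if not state_t_trusted:
        return "Untrust"
    if not all(H(s) for s in active_subjects):
        return "Untrust"
    for b in trust_relevant_trace(R, BT):
        if not F(b):
            return "Untrust"
    return "Trust"


# ---- constructed sample data: two subjects, their expected hashes, a policy ----
IMAGES = {"a1": b"program a1 v1", "a2": b"program a2 v1"}
E = {s: hashlib.sha256(img).hexdigest() for s, img in IMAGES.items()}
H = make_integrity_check(E, IMAGES)
F = make_policy([
    ("a1", "f1", "r", True),            # rule r1: a1 may read f1
    ("a2", "f1", "r", False),           # rule r2: a2 may not read f1
    ("a1", "/tmp/scratch", "w", True),  # harmless scratch write
])
# BT: behaviors that can change the trust of the state (access to the
# sensitive file f1); the scratch write is deliberately left outside BT
BT = {Behavior("a1", "f1", "r"), Behavior("a2", "f1", "r")}


def run_examples() -> dict:
    """Evaluate the policy example of Definition 3 and the inference."""
    ok_trace = [Behavior("a1", "/tmp/scratch", "w"), Behavior("a1", "f1", "r")]
    bad_trace = ok_trace + [Behavior("a2", "f1", "r")]
    return {
        "a1_reads_f1": F(Behavior("a1", "f1", "r")),
        "a2_reads_f1": F(Behavior("a2", "f1", "r")),
        "ok": validate_state(True, ["a1", "a2"], ok_trace, BT, H, F),
        "bad": validate_state(True, ["a1", "a2"], bad_trace, BT, H, F),
        # a tampered a1 image fails H even though its behaviors conform
        "tampered": validate_state(True, ["a1"], ok_trace, BT,
                                   make_integrity_check(E, {"a1": b"trojaned"}), F),
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict}")
```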
Based on the trust validation theorem and its inference, two different measuring methods are applied to booting stage and runtime stage of the virtual machine respectively.
1) Integrity-based measuring method. Measure the integrity of the VMM, the relevant executable programs of the system domain and the initial state of the configuration files after the platform boots, to determine the trustworthiness of the behavior measurement mechanism.
2) Behavior trace based measuring method. Measure state at one moment and system behavior trace after that moment to determine whether the virtual machine state is trustable.
3. Dynamic Tree Style Trust Measurement Model
In this section, we firstly analyze the shortcomings of current measurement schemes, and then provide DTSTM model which combines integrity-based measurement and behavior trace based measurement according to the features of cloud computing infrastructure. Finally we present workflow of the virtual machine measurement and analyze the security of DTSTM.
- 3.1 Challenges
A patch of the system, an upgrade or an alteration of an application, can change trustworthiness of a trust computing platform. A virtual machine which can be trusted at the booting stage may not be trusted at the runtime stage. Thus, dynamic trust measurement is required.
In a virtual environment, a real machine is equipped with a VMM component which executes several virtual machines, and a large number of application components execute on the virtual machines. The method provided by the TCG specification can only conduct static measurement of a traditional PC platform state, and lacks the ability to dynamically measure the trustworthiness of a running virtual machine. Additionally, trust measurement in that method assumes a one-to-one relationship, which can hardly be developed into the one-to-many parallel relationship of a virtual environment.
Sadeghi [16] and Chen [17] separately introduced property-based attestation, which employs the TPM to measure security properties without revealing the exact configuration of a target platform, but defining properties in a cloud computing infrastructure is difficult. A direct solution for dynamic virtual machine measurement in cloud computing infrastructure is to expand a single chain style measurement [18][19]. When a new user domain is created, we can use Flicker [18] or TrustVisor [19] to restart measurement from the bottom. The procedure is shown in Fig. 1(a). Therein, A is the root node; B to D are component nodes of the system domain Dom 0; E1 to Ei refer to all component nodes within user domain Dom U1. The specific procedure goes like this: root node A measures node B, node B measures node C, and node C measures node D. If they are verified trustable, node D measures node E1, node E1 measures node E2, and so on. However, in a cloud computing environment, events such as boot of the virtual machine and loading of modules rarely occur, while creation and deletion of user domains are frequent. For this reason, the simple expansion method has low efficiency, and simultaneous measurement of several user domains may fail [20] (e.g., during measurement, Dom U1 would lock up the whole virtual computing environment from Dom U2 to Dom Un).
[Fig. 1. Chain Style and Star Style Measurement Model]
If a trust domain is built up based on the star style model [21][22], all measurement is finished by one node, as shown in Fig. 1(b). Node A is the center node responsible for all measurement; it first measures B, C and D. If these nodes are verified trustable, node A then measures Ei to Nj. However, there is a great variety of components operating in a multi-tenant environment. To measure all the other nodes, the center node would become complicated and poorly expandable, as center node A must accurately identify all components in Dom U1 to Dom Un. This is extremely difficult to implement in a multi-tenant environment like cloud computing.
To sum up, there are two challenges for measuring the trust of virtual machine in cloud computing infrastructure: (1) dynamism of measurement. If software and hardware configuration and the state of the virtual machine change during runtime stage, it should be guaranteed that trustworthiness of the changed virtual machine will be measured; (2) concurrency of measurement. There are multiple operating virtual machines that belong to different trust domains. To avoid DoS attack, it should be prohibited to lock up other trust domains for measurement of one virtual machine.
- 3.2 Structure
To address the above problems, we provide a dynamic tree style trust measurement model called DTSTM which separates trust relationship between system domain and user domain. The trustworthiness of user domain will be measured by measurement module within system domain. If both of them are trustable, trust will be delivered to different user domains thus forming a parallel trust relationship. The structure of DTSTM is shown in Fig. 2 .
[Fig. 2. The structure of DTSTM]
The integrity-based measurement mentioned in the last section is adopted during the booting stage of the virtual machine. Since the loading sequence of modules is fixed, the possibility of module change is low and the system is relatively stable. Behavior trace based measurement is applied to the runtime stage, because the users of a virtual machine usually execute concurrently and the components change frequently.
DTSTM is mainly composed of two parts. The upper part includes six components which are Core Root of Trust for Measurement (CRTM), BIOS, Boot Loader, System domain Kernel OS 0 and Dynamic Trusted Measurement Agent (DTMA). Before DTMA executes, DTSTM builds up the trust chain based on traditional chain style measurement. When the model starts up, CRTM will first measure the integrity of BIOS. If BIOS is trustable, bootloader and VMM will be measured until the trust boundary is expanded to Dom 0. TPM will store the measuring results for whole process.
The lower part includes the components of DTMA, the user domain kernel OSUn and the user application component Pn. When trust is delivered to DTMA, DTMA will start a new Dom Ui and dynamically monitor the behavior of the user kernel OSUi and user component Pi. If a sensitive behavior is triggered, the security attributes of all components will be measured and the results will be stored.
DTMA is a key component of DTSTM. It measures trustworthiness of the user domain from system domain and ensures security of the measurement module itself. DTMA mainly consists of three sub-modules:
(1) MA (Measurement Agent). MA measures integrity of the user components during booting stage of a virtual machine, monitors behavior of the components during runtime stage and conducts trust measurement for relevant components in case of sensitive operation and update of components.
(2) SS (Secure Storage). SS provides a secure storage service. To collect trustable evidence for software, it is inevitable to store and transfer evidence. The acquired evidence can be effectively protected using the secure storage mechanism of the TPM. SS aims to maintain the TPM operating environment for each virtual machine, including the keys and data relevant to the virtual machine, the physical PCR bound to each virtual machine and each virtual machine's Virtual PCR (VPCR). Acquired trustable evidence of software is signed by the TPM, thereby verifying the trustworthiness of its source.
(3) CM (Component Manager). CM manages installation, registration, deletion, unloading, upgrading, etc., and stores the certificate attributes of the registered components. CM aims to deal with update requests of components in the virtual machine. If the security of a component changes, it will trigger MA to measure the components again. CM uses a component list to store the registration information and attribute certificate information of components. The same component may be shared by multiple virtual machines. If the component is updated, CM will modify the corresponding item of the component list.
- 3.3 Workflow
When measuring user application components, it is necessary for DTSTM to measure trustworthiness of the relevant components. All components except root component have a parent component and all component logics form a tree structure, as shown in Fig. 3 . When a virtual machine is built on the trusted cloud computing platform, SS will establish a VPCR for this virtual machine to describe configuration and status of associated components while CM will set up a component tree which corresponds to this context. When a virtual machine instance executes, CM will compute the component tree according to the relevant components. Moreover, when a component is updated or the status of a component is changed due to hostile attack, MA will be activated to measure the component tree and update the measurement results.
[Fig. 3. The structure of component tree]
The measurement process mainly includes construction and measurement of component tree, which is described as follows:
(1) Construction of component tree. The component tree uses a list structure Nodes for storage, with each node structure consisting of a component identification (id), component level (level), child node pointer array (children) and parent node pointer (parent). Nodes is a global variable. When a node is created, we assign an id to it. The id is a number that uniquely identifies a node. The level of the root component is 0; the level of a child node is its parent's level plus 1 when it is created. The children array points to all child nodes which originate from a node. The parent pointer points to the node's parent. The construction algorithm of the component tree is shown in Algorithm 1.
[Algorithm 1: image not reproduced]
The input of the algorithm is the component node array (Nodes) and the result is the root of the component tree (Root). Firstly, the node array is arranged in ascending order of node level (Line 2), and then the nodes are selected one by one. The GetRelateNode function is invoked to get a node's array of relevant nodes (Lines 3-5). The level of the relevant nodes is compared with that of the node to be inserted: if the latter is higher, the node is made a neighbor node of the relevant nodes (Lines 6-12); otherwise, a relationship is established between this node and its relevant nodes (Line 14). As shown in Fig. 4, when the level of the relevant node is lower than that of the node to be inserted, the node is inserted below the relevant node and its level is adjusted to i. Lastly, the node with the lowest level is selected from the node array as the root of the component tree and returned (Lines 18-19).
[Fig. 4. The construction of component tree]
(2) Measurement of component tree. Whether a component update is triggered by a normal user or by a hostile attack, the trust of the computing environment alters. DTSTM conducts real-time monitoring of changes to the components. When the status of a component changes, the measurement algorithm of the component tree is invoked to verify its trustworthiness. The measurement algorithm of the component tree is shown in Algorithm 2.
[Algorithm 2: image not reproduced]
Input of the algorithm is the component node array ( Nodes ) and the measurement node ( mNode ). Output is the trustworthiness of the measurement node. Firstly, acquire the root node and all child nodes below the root node, and arrange these nodes in an ascending sequence according to their levels (Lines 2-4). Next, select the node’s child node successively to check its trustworthiness. If the node is not trusted and its level is lower than the measurement node’s level (Lines 8 and 9), measure whether the subject and behavior of the child node are both trusted (Line 11) according to the validation theorem and update trustworthiness of the relevant nodes (Line 12). Lastly, return the measured result.
An example is shown in Fig. 5. When a node is altered, firstly, the trustworthiness of that node is measured. Secondly, the algorithm traces back to the bottom node through the parent nodes and measures the trustworthiness of each node on the path in turn. In case of any change, the trustworthiness of the affected nodes is updated during the backtracking process. Lastly, the measured result is returned.
[Fig. 5. The measurement of component tree]
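The Python code below is an added illustration of the construction and measurement of the component tree described in Algorithms 1 and 2; it is not the paper's code. Since the page does not specify GetRelateNode, each input record here names the component it depends on (its relevant node), a caller-supplied function stands in for the subject/behavior measurement of a component, and treating a result delivered through an untrusted ancestor as untrusted is an assumption of this example.

```python
"""Component tree construction and measurement modelled on Algorithms 1
and 2 of Section 3.3. Added illustration, not the paper's code: records
name their relevant node explicitly, and `measure` stands in for the
subject/behavior check of a component."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Node:
    id: int
    level: int
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    trusted: Optional[bool] = None  # None until first measured


def build_component_tree(records: List[tuple]) -> Node:
    """Algorithm 1 (constructed variant). records: (id, level, relevant_id),
    with relevant_id None for the root. Nodes are handled in ascending level
    order and placed below their relevant node; a recorded level that does
    not equal the relevant node's level + 1 is adjusted, as in Fig. 4.
    Returns the node with the lowest level as the root."""
    nodes: Dict[int, Node] = {rid: Node(rid, lvl) for rid, lvl, _ in records}
    relevant = {rid: rel for rid, _, rel in records}
    for rid, _, _ in sorted(records, key=lambda r: r[1]):  # Line 2: sort by level
        node = nodes[rid]
        if relevant[rid] is None:
            continue  # root: nothing to attach to
        parent = nodes[relevant[rid]]
        node.level = parent.level + 1  # adjust level below the relevant node
        node.parent = parent
        parent.children.append(node)
    return min(nodes.values(), key=lambda n: n.level)  # Lines 18-19


def index_tree(root: Node) -> Dict[int, Node]:
    """Collect all nodes reachable from root, keyed by id."""
    by_id, stack = {}, [root]
    while stack:
        n = stack.pop()
        by_id[n.id] = n
        stack.extend(n.children)
    return by_id


def measure_component(m_node: Node, measure: Callable[[Node], bool]) -> bool:
    """Algorithm 2 (constructed variant). Re-measure the changed node, then
    backtrack to the root through parent pointers. Each ancestor is trusted
    only if its own subject/behavior measurement passes and all its children
    are trusted; children never measured before are measured on the way.
    Assumption: a result delivered through an untrusted ancestor is itself
    untrusted, so the returned value is the conjunction along the path."""
    m_node.trusted = measure(m_node)
    result = m_node.trusted
    node = m_node.parent
    while node is not None:
        for child in node.children:
            if child.trusted is None:
                child.trusted = measure(child)
        node.trusted = measure(node) and all(c.trusted for c in node.children)
        result = result and node.trusted
        node = node.parent
    return result


def demo() -> dict:
    """Constructed tree RT(1) -> OS0(2) -> DTMA(3) -> OSu(4) -> {P1(5), P2(6)};
    P2's recorded level 9 is deliberately wrong and gets adjusted to 4."""
    records = [(1, 0, None), (2, 1, 1), (3, 2, 2), (4, 3, 3), (5, 4, 4), (6, 9, 4)]
    root = build_component_tree(records)
    by_id = index_tree(root)
    tampered: set = set()  # ids whose subject/behavior measurement fails

    def measure(n: Node) -> bool:
        return n.id not in tampered

    initial = measure_component(by_id[5], measure)  # first full measurement
    tampered.add(6)                                  # P2 is modified
    after_tamper = measure_component(by_id[6], measure)
    root_after_tamper = root.trusted
    tampered.discard(6)                              # P2 restored and re-measured
    restored = measure_component(by_id[6], measure)
    return {"root_id": root.id, "level_of_6": by_id[6].level,
            "initial": initial, "after_tamper": after_tamper,
            "root_after_tamper": root_after_tamper,
            "p1_after_tamper": by_id[5].trusted, "restored": restored,
            "root_restored": root.trusted}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```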
- 3.4 Security Analysis
This section will further make a quantitative security evaluation of DTSTM. For the purpose of formal description of the model, components related to DTSTM are defined in Table 1 :
[Table 1. Main elements: image not reproduced]
Note: CRTM, BIOS, BootLoader and VMM are simplified as RT; OS0 means the kernel of the system domain and OSU means the kernel of a user domain.
The following formulas are based on these expressions:
[Formula (1) and Formula (2): images not reproduced]
Based on Formula (1) and Formula (2), we obtain that as components in operating environment env grow in number, the security of env decreases gradually. This conclusion can be expressed with the formula below:
[Formula (3): image not reproduced]
Sam et al. [23] proposed that if software design quality, code complexity and code implementation quality are almost equal, the vulnerability of software p is approximately in direct proportion to Size(p), and that on average one security vulnerability remains undiscovered per thousand lines of code. Therefore, PV(p) can be simplified as Formula (4) below, where α is an empirical constant.
[Formula (4): image not reproduced]
As for a traditional multi-task operating system (OS), P(SOS) can be expressed as the following formula:
[Formula (5): image not reproduced]
As all components in the definition of the corresponding set are trusted and do not contain any vulnerable code, their term is omitted in the final result of Formula (5).
The formulas below point out aspects regarding the security of user domain and system domain in DTSTM:
[Formula (6): image not reproduced]
User domain which consists of various application components may contain malicious codes and thus is untrusted, as shown in Formula (6).
[Formula (7): image not reproduced]
The system domain of DTSTM only contains verified management components. Most verified code of these components does not contain vulnerabilities, so the security of the system domain mainly depends on the components which suffer from vulnerabilities, as shown in Formula (7).
In the system operating environment, only the DTSTM RT and the system domain Dom0 exchange data with the user domains, so the following formula can be obtained:
[Formula (8): image not reproduced]
As DTSTM software is much smaller than a traditional OS in scale, it is superior in reliability. Based on the Formulas (3), (4), (7) and (8), the following inequality can be obtained:
[Formula (9): image not reproduced]
The focus of DTSTM is the security of system domain. The probability that isolated codes in DTSTM virtual machine lower the security of system domain can be depicted as follows:
[Formula (10): image not reproduced]
The probability term in Formula (10) indicates that components in the corresponding set break through the security protection of OSU and OS0 simultaneously. Based on Formula (9) and Formula (10), we obtain
[Inequality (11): image not reproduced]
From Inequality (11), it can be seen that DTSTM significantly improves the security of system domain.
4. Implementation and Evaluation
We implement a DTSTM-based system for virtual machine trust measurement on the basis of VMM-level SCI [24] and VMI [25] . The effectiveness of the trust measurement system is verified with four groups of malicious code samples, and the measurement overhead is evaluated with lmbench test set.
- 4.1 System Overview
Fig. 6 shows the architecture of the DTSTM-based trust measurement system. The SCI module intercepts system call events in the user domain, reconstructs the system call sequence related to the loading of an executable program, compares it with the white list, and passes the sequence to the DTMA module. The DTMA module derives the behavior of the virtual machine from the system call sequence and the system call context extracted by the VMI module. It verifies whether the subject file being called is intact and whether the behavior conforms to the anticipated policy. The verification results are saved as trust measurement evidence for the user.
[Fig. 6: DTSTM-based trust measurement system architecture (image not recovered)]
- 4.1.1. SCI Module
In a modern OS, a user program accesses the kernel through system calls. When a user program initiates a system call, it first moves the system call parameters into the relevant registers and then executes the interrupt instruction to trap into the kernel. In a virtualization environment, however, the VMM must intercept the system calls before user behavior can be measured.
In [24], hardware virtualization technology is used to intercept system calls at the VMM level. We intercept the system calls of the virtual machine on the basis of [24] and add a white list. In DTSTM, SCI is located in the Virtual Machine Monitor (VMM) and is responsible for intercepting system calls. It acquires system call events, maintains a white list of system calls according to the measurement requirements, and matches system call numbers against the white list to decide whether the behavior needs to be measured. The main working steps are as follows:
1) SCI turns off direct system calls in Dom U, so Dom U traps to the VMM level when it initiates a system call. After intercepting the call, SCI sets the entry address of the call to an illegal address and returns to Dom U;
2) When Dom U executes code at this address it generates a page fault, which causes a VM exit and traps to the VMM level again. SCI intercepts this exception handling in the VMM;
3) SCI obtains the system call number from the value of EAX and matches it against the white list. If measurement is necessary, it sends the number to MA, which identifies the behavior by matching the system call IDs and the context;
4) After execution, the entry address of the original system call is restored so that the procedure continues normally.
Through the above steps, DTSTM can monitor user domain behaviors such as loading of software modules, file reads and writes, and calls to sensitive operations, and measures the user domain by analyzing those behaviors.
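The SCI white-list filtering of step 3 and the DTMA measurement that follows it (the integrity check against a fingerprint database described in Section 4.1 and used in the effectiveness test) can be modeled outside the hypervisor. The Python below is an added example, not code from the DTSTM prototype: the trap and page-fault mechanism of steps 1, 2 and 4 is replaced by a constructed list of system call events in the form SCI hands to MA, the i386 system call numbers are real, and the file contents, both fingerprint databases and the "no writes to loaded software files" policy are constructed for the example.

```python
import hashlib

# 32-bit Linux (i386) system call numbers, real values, for the events modelled here.
SYS_WRITE, SYS_OPEN, SYS_EXECVE, SYS_INIT_MODULE = 4, 5, 11, 128

# SCI white list: system call numbers that are forwarded to the measurement agent.
# Everything else (here SYS_OPEN) is passed through without measurement.
SCI_WHITELIST = {SYS_EXECVE, SYS_INIT_MODULE, SYS_WRITE}


def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


# Constructed Dom U file contents, standing in for what VMI would read from guest memory.
DOMU_FILES = {
    "/bin/ls": b"ELF ls, unmodified",
    "/usr/bin/updater": b"ELF accepts remote connections",          # dropped backdoor
    "/lib/modules/netfilter.ko": b"ELF module, patched after measurement",
}

# Constructed fingerprint databases.  The trusted table is keyed by path, so a
# file whose contents no longer match its expected hash is reported as modified.
TRUSTED_FINGERPRINTS = {
    "/bin/ls": fingerprint(b"ELF ls, unmodified"),
    "/lib/modules/netfilter.ko": fingerprint(b"ELF module, as shipped"),
}
MALWARE_FINGERPRINTS = {fingerprint(b"ELF accepts remote connections"): "known backdoor"}


def sci_filter(events):
    """SCI step 3: read the system call number from EAX, keep only white-listed calls."""
    return [e for e in events if e["eax"] in SCI_WHITELIST]


class MeasurementAgent:
    """DTMA: measures the subject file of a load event and checks behaviour
    against the anticipated policy.  Every verdict is kept as trust evidence."""

    def __init__(self, files, trusted, malware):
        self.files, self.trusted, self.malware = files, trusted, malware
        self.loaded = set()      # files that were measured and allowed to load
        self.evidence = []

    def measure_file(self, path):
        digest = fingerprint(self.files[path])
        if digest in self.malware:
            return digest, "malicious"
        if self.trusted.get(path) == digest:
            return digest, "trusted"
        return digest, "modified"   # unknown, or tampered with since it was fingerprinted

    def handle(self, event):
        num, ctx, digest = event["eax"], event["ctx"], None
        if num in (SYS_EXECVE, SYS_INIT_MODULE):
            digest, verdict = self.measure_file(ctx["path"])
            action = "allow" if verdict == "trusted" else "deny"
            if action == "allow":
                self.loaded.add(ctx["path"])
        elif num == SYS_WRITE:
            # Anticipated policy (constructed): loaded software files must not be rewritten.
            violated = ctx["path"] in self.loaded
            verdict, action = ("policy violation", "deny") if violated else ("ok", "allow")
        else:
            verdict, action = "not measured", "allow"
        self.evidence.append({"pid": event["pid"], "eax": num, "path": ctx.get("path"),
                              "sha256": digest, "verdict": verdict, "action": action})
        return action


# Constructed system call event stream, in the shape SCI would hand to MA.
SAMPLE_TRACE = [
    {"pid": 100, "eax": SYS_OPEN, "ctx": {"path": "/etc/passwd"}},
    {"pid": 100, "eax": SYS_EXECVE, "ctx": {"path": "/bin/ls"}},
    {"pid": 101, "eax": SYS_EXECVE, "ctx": {"path": "/usr/bin/updater"}},
    {"pid": 102, "eax": SYS_INIT_MODULE, "ctx": {"path": "/lib/modules/netfilter.ko"}},
    {"pid": 103, "eax": SYS_WRITE, "ctx": {"path": "/bin/ls"}},
]


def run_trace(events, agent=None):
    """Returns (actions taken for each measured event, the evidence records)."""
    agent = agent or MeasurementAgent(DOMU_FILES, TRUSTED_FINGERPRINTS, MALWARE_FINGERPRINTS)
    actions = [agent.handle(e) for e in sci_filter(events)]
    return actions, agent.evidence


if __name__ == "__main__":
    for rec in run_trace(SAMPLE_TRACE)[1]:
        print(rec["pid"], rec["eax"], rec["path"], rec["verdict"], rec["action"])
```

The open() call never reaches the agent, the trusted binary loads, the backdoor is denied by its known-bad hash, the patched module is denied because its hash no longer matches the path's trusted fingerprint, and the later write to the already-loaded /bin/ls is refused by policy, which is the "write system calls intercepted to prevent modification of loaded software files" behaviour that the performance section attributes the file-copy overhead to.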
- 4.1.2. VMI Module
To protect the measurement module itself and the authenticity of key data, we use VMI to acquire data from the user domain. In this way the measurement module does not depend on the security of the user domain kernel.
When MA takes control of a system call, the VMI module acquires the context of the system call from the user domain. Because of the semantic gap between user domain and system domain, VMI uses LibVMI [26] to access any physical memory location of the user domain and thus introspect user domain data. LibVMI runs in Dom 0 and reads the raw memory of the user domain through XenControl.
The MA module in Dom 0 uses VMI to acquire the memory data of Dom U in the following six steps:
1) VMI requests key data from user and kernel space;
2) LibVMI finds the kernel virtual address of the requested symbol through System.map;
3) The VMM maps the kernel page directory (KPD) into the memory space of Dom 0 and uses the KPD to find the correct page table (PT);
4) The VMM maps the PT into the memory space of Dom 0 and finds the address of the data page in the PT;
5) The VMM maps the data page into the memory address space of Dom 0 and returns it to the LibVMI library;
6) LibVMI returns a pointer and offset into the data page, with read/write permission, to VMI.
Through the above procedure the MA module can read the data structures behind the kernel symbols of Dom U from Dom 0, e.g. task_struct. From these data structures the MA module obtains the process list, module list and other information to judge whether there is any malicious behavior.
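The six steps above can be followed end to end on a constructed memory image. The Python below is an added example, not LibVMI or the paper's code: Xen's mapping of foreign frames into Dom 0 is replaced by a dictionary from frame number to a 4 KiB bytearray, the System.map excerpt, kernel addresses and the task_struct layout (pid, next pointer, comm) are all constructed for the example and are not the real Linux layout, and the guest is assumed to be 32-bit non-PAE x86 so that steps 3 to 5 are a two-level walk (page directory, page table, data page). PAGE_OFFSET is the real default i386 Linux direct-map base.

```python
import struct

PAGE = 4096
PTE_PRESENT = 0x1
PDE_PSE = 0x80             # page directory entry maps a 4 MiB page directly
PAGE_OFFSET = 0xC0000000   # default i386 Linux kernel direct-map base (real value)


class PhysMem:
    """Constructed stand-in for Dom U physical memory: frame number -> 4 KiB page.
    LibVMI maps each frame into Dom 0 through the Xen control interface; here
    map_frame() simply hands back the backing bytearray."""
    def __init__(self):
        self.frames = {}

    def map_frame(self, frame):
        return self.frames.setdefault(frame, bytearray(PAGE))

    def read(self, frame, offset, size):
        return bytes(self.map_frame(frame)[offset:offset + size])

    def write(self, frame, offset, data):
        self.map_frame(frame)[offset:offset + len(data)] = data

    def read_u32(self, frame, offset):
        return struct.unpack_from("<I", self.map_frame(frame), offset)[0]

    def write_u32(self, frame, offset, value):
        struct.pack_into("<I", self.map_frame(frame), offset, value)


def parse_system_map(text):
    """Step 2: each System.map line is '<hex address> <type> <symbol>'."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols


def translate(mem, kpd_frame, vaddr):
    """Steps 3-5 for a 32-bit non-PAE guest: kernel page directory -> page table
    -> data frame.  Returns (frame, offset); raises LookupError when the address
    is unmapped, which is how a wild pointer in a tampered structure shows up."""
    pde_index, pte_index, offset = (vaddr >> 22) & 0x3FF, (vaddr >> 12) & 0x3FF, vaddr & 0xFFF
    pde = mem.read_u32(kpd_frame, pde_index * 4)
    if not pde & PTE_PRESENT:
        raise LookupError("no page table for VA %#x" % vaddr)
    if pde & PDE_PSE:
        # 4 MiB page: bits 31:22 give the base frame, pte_index selects the 4 KiB frame inside it.
        return ((pde >> 22) << 10) + pte_index, offset
    pte = mem.read_u32(pde >> 12, pte_index * 4)
    if not pte & PTE_PRESENT:
        raise LookupError("no data page for VA %#x" % vaddr)
    return pte >> 12, offset


def is_mapped(mem, kpd_frame, vaddr):
    try:
        translate(mem, kpd_frame, vaddr)
        return True
    except LookupError:
        return False


def read_virtual(mem, kpd_frame, vaddr, size):
    """Step 6: read `size` bytes at a kernel VA, re-translating at each page boundary."""
    out = b""
    while size:
        frame, offset = translate(mem, kpd_frame, vaddr)
        chunk = min(size, PAGE - offset)
        out += mem.read(frame, offset, chunk)
        vaddr, size = vaddr + chunk, size - chunk
    return out


# Constructed task_struct layout for this example only (NOT the real Linux layout):
#   +0 u32 pid, +4 u32 tasks.next (kernel VA of the next task), +8 char comm[16]
TASK_SIZE = 24


def read_task(mem, kpd_frame, vaddr):
    raw = read_virtual(mem, kpd_frame, vaddr, TASK_SIZE)
    pid, nxt = struct.unpack_from("<II", raw, 0)
    return pid, nxt, raw[8:TASK_SIZE].split(b"\0", 1)[0].decode()


def list_processes(mem, kpd_frame, symbols, limit=4096):
    """What MA does with the data: walk the circular task list from init_task."""
    head = symbols["init_task"]
    procs, cur = [], head
    for _ in range(limit):
        pid, nxt, comm = read_task(mem, kpd_frame, cur)
        procs.append((pid, comm))
        if nxt == head:
            return procs
        cur = nxt
    raise RuntimeError("task list does not return to init_task (corrupted list)")


# Constructed System.map excerpt and memory image: the kernel is direct-mapped
# (PA = VA - PAGE_OFFSET) and a single page table at frame 0x1A01 covers the tasks.
SYSTEM_MAP = "c1a00000 D swapper_pg_dir\nc1a5b000 D init_task\nc1a5c040 d example_task\n"


def build_image():
    mem, symbols, pt_frame = PhysMem(), parse_system_map(SYSTEM_MAP), 0x1A01
    kpd_frame = (symbols["swapper_pg_dir"] - PAGE_OFFSET) >> 12

    def map_page(va):   # install PDE and PTE for one 4 KiB page of the direct map
        mem.write_u32(kpd_frame, ((va >> 22) & 0x3FF) * 4, (pt_frame << 12) | 0x3)
        mem.write_u32(pt_frame, ((va >> 12) & 0x3FF) * 4, ((va - PAGE_OFFSET) & ~0xFFF) | 0x3)

    tasks = [(symbols["init_task"], 0, "swapper"), (0xC1A5B100, 1, "init"),
             (symbols["example_task"], 1337, "bash")]
    for i, (va, pid, comm) in enumerate(tasks):
        map_page(va)
        nxt = tasks[(i + 1) % len(tasks)][0]
        mem.write((va - PAGE_OFFSET) >> 12, va & 0xFFF, struct.pack("<II16s", pid, nxt, comm.encode()))
    return mem, kpd_frame, symbols


if __name__ == "__main__":
    mem, kpd, syms = build_image()
    for pid, comm in list_processes(mem, kpd, syms):
        print(pid, comm)
```

The walk starts from the physical frame of swapper_pg_dir, which is the KPD of step 3; every pointer followed in the list is a guest virtual address and goes back through translate(), so a next pointer into an unmapped region (a DKOM-style unlink gone wrong, or a hidden task stored out of the direct map) surfaces as a LookupError instead of silently reading the wrong frame.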
- 4.2 System Evaluation
The security analysis of DTSTM in Section 3.4 shows that the model is superior to the traditional chain-style model in security. In this section we verify the effectiveness and overhead of our system.
Our prototype runs on a 2.8 GHz Intel Core i5 processor with 4 GB of memory and a 500 GB 7200 RPM Seagate hard disk. The system is based on the Xen virtualization platform, consisting of tboot 1.7.3 (bootloader), Xen 4.1.4 (VMM) and a Linux 3.2.0 kernel (system domain kernel), with Windows XP and Ubuntu 12.04 virtual machines installed on Xen.
- 4.2.1 Effectiveness
To demonstrate the advantages of DTSTM in dynamic measurement, we compare it with Xen and IMA [15]. According to the supported OS and code type, four representative malicious software samples are selected: poisonivy-rat [27], hxdef [28], lrk5 [29] and adore-ng [30]. The samples are listed in Table 2.
[Table 2: Samples for effectiveness test (image not recovered)]
The results of the effectiveness test on DTSTM are shown in Table 3, where "√" indicates that the malicious code is detected and "—" that it is not.
[Table 3: Effectiveness test results (image not recovered)]
1) User-level programs. Poisonivy-rat and lrk5, two popular backdoors, are used to verify the effectiveness of DTSTM in measuring the integrity of application programs in Windows and Linux environments. Both achieve persistence by tampering with normal programs and accept remote connections when executed. In the experiment, Xen performs no trust verification and therefore discovers none of the samples. IMA discovers the samples at boot time but cannot detect malicious code executed at runtime. DTSTM, however, detects the loading of the malicious programs, measures their integrity, identifies them as malicious by comparing the measurements with the fingerprints in the fingerprint database, and terminates the loading process directly.
2) Kernel-level programs. Attacks usually invade the OS kernel by loading a malicious kernel module. We use hxdef and adore-ng, two well-known kernel-level rootkits for Windows and Linux, to verify the effectiveness of the DTSTM kernel module. As in the user-level experiment, Xen cannot detect the malicious code and IMA can only detect it during system boot, while DTSTM detects the samples at runtime. We add hxdef and adore-ng to the DTSTM white list and load them into the kernel. In the experiment, hxdef and adore-ng are detected by DTSTM as soon as they tamper with kernel modules after boot, which shows that DTSTM detects attacks on kernel modules both effectively and promptly.
- 4.2.2 Performance
To evaluate the influence of DTSTM on system performance, we test system calls and application programs separately.
1) System call test. We use lmbench as the test set. As DTSTM is implemented by intercepting and analyzing system calls, the lmbench indexes associated with system calls are selected and compared against standard Xen to analyze the performance overhead introduced by DTSTM. Table 4 gives the results.
[Table 4: System call test results (us, microseconds; image not recovered)]
DTSTM has little influence on open/close and read/write operations, but the overhead is obvious under the fork+exec index. Under DTSTM, fork+exec consists of three steps, namely system call interception, locating the program path, and measuring the program file, and computing the hash of the executable file takes a long time. The time DTSTM needs to measure the file is almost twice that of standard Xen. However, the hash of an executable is normally computed only once before it runs, fork+exec operations make up a small proportion of everyday programs, and DTSTM guarantees the integrity of the programs where Xen does not, so the overhead is acceptable.
2) Application program test. To further evaluate the performance of DTSTM, the performance overhead of 6 common application programs is tested, as shown in Table 5:
[Table 5: Samples for application program test (image not recovered)]
Fig. 7 shows the application program test results for Xen and DTSTM. The overall trend is that DTSTM has some influence on system performance. The main reason is that DTSTM intercepts system calls by forcing a page fault so that the current execution flow traps to the VMM level.
[Fig. 7: Application program test results of DTSTM (image not recovered)]
Because DTSTM must intercept system calls, the overhead of the getpid test program is relatively high. For the compression and decompression programs, which are computation-intensive, DTSTM introduces only 2.7% overhead. The file copy incurs a relatively large overhead because it is I/O-intensive with many read and write operations, and DTSTM intercepts write system calls to prevent modification of loaded software files. The kernel compilation, although it takes a long time, incurs a relatively small overhead because it invokes few kinds of compiler programs. All executable programs verified by DTSTM are loaded during the boot of Linux, so the boot test reflects the general overhead of DTSTM. The figure shows that this overhead is approximately 1.5%, a relatively low result.
5. Related Work
Trust measurement of virtual machines is considered one of the key challenges in cloud computing security. Santos et al. [4] proposed a trusted cloud computing platform (TCCP) that provides a closed-box execution environment to ensure the confidentiality of a running virtual machine and lets users attest the IaaS provider to determine whether the service is secure before launching their virtual machines. TCCP has to measure all loaded modules, including the hardware and software configuration of the platform, which generates redundancy [31].
The measurement method proposed in [9] is based on platform attributes to reduce redundancy, but a platform attribute is an abstract concept that is difficult to describe and define. DTSTM instead uses behavior traces to describe the state of the virtual machine, which is accurate and easy to implement.
The chain-style measurement proposed by TCG applies to the traditional PC platform and does not consider virtualization environments. vTPM [11] virtualizes the physical TPM and constructs multiple trust chains above the VMM layer. The method can be considered a simple extension of chain measurement, but it cannot solve the problem of relating the trust relationships between virtual machines in a cloud computing environment.
ETPM [23] uses a root node at a central position to measure the other nodes. This star-style measurement is complex and poorly extensible, although it improves measurement security. DTSTM instead adopts tree-style measurement according to the characteristics of cloud computing, which improves the extensibility and concurrency of measurement.
BonaFides [7] periodically measures the integrity of the virtual machine kernel and files. Such a measurement system lacks flexibility, as its measurement timing is determined by the system designer rather than the actual user. If the virtual machine is compromised after a measurement, the measurement gives a wrong result. DTSTM instead intercepts system calls in real time, which prevents the security problems caused by the gap between measurement time and running time.
6. Conclusions and Future Work
The main approach to secure and trusted cloud computing is to create a trusted virtualization environment and ensure the trustworthiness of the software in the virtual machine. In view of the characteristics and requirements of the cloud computing environment, we propose a model named DTSTM, which reduces the complexity of trust measurement by separating the system domain and the user domain and measuring them with different methods. DTSTM addresses the problems of traditional measurement schemes in terms of dynamism, security and concurrency, and improves practicability and extensibility at the same time. Moreover, the experimental results indicate the practicability and high performance of the model.
There are two main directions in which our measurement model can be extended. First, after the platform measurement of a virtual machine, its trusted status must be proved to the user. Traditional attestation schemes mainly target a single host, whereas a cloud computing system contains a large number of virtual machines, which leads to problems such as single points of failure and low attestation efficiency. It is therefore important to improve the efficiency and security of attestation. Second, it is crucial to discover security policy violations in the model. When security policies conflict, the trustworthiness of the software cannot be judged. Effective policy violation discovery in cloud computing infrastructure therefore also requires in-depth study.
BIO
Zhen-ji Zhou was born in Shuyang, Jiangsu, China in 1985. He received his B.E. and M.S. degrees in computer science and technology from PLA University of Science and Technology in 2008 and 2010 respectively. He is now a Ph.D. candidate at the university. His research interests include information security and cloud security.
Li-fa Wu was born in Qichun, Hubei, China in 1968. He received his Ph.D. from Nanjing University in 1998. He is currently a professor at PLA University of Science and Technology. His research fields are network security, protocol engineering and satellite communication.
Zheng Hong was born in Yingtan, Jiangxi, China in 1979. He received his Ph.D. from PLA University of Science and Technology in 2007. He is now an associate professor at the university. His research fields are network security and protocol reverse engineering.
Ming-fei Xu was born in Jining, Shandong, China in 1989. He received his B.E. from Anhui University of Science and Technology in 2011. He is now an M.S. candidate at PLA University of Science and Technology. His research interests include network security and trusted computing.
Fan Pan was born in Wuhu, Anhui, China in 1987. He received his B.E. and M.S. degrees in network engineering from PLA University of Science and Technology in 2007 and 2009 respectively. He is now a Ph.D. candidate at the university. His research interests include protocol reverse engineering and software testing.
References
[1] Cloud Security Alliance, "Top Threats to Cloud Computing," v1.0. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
[2] Y. Chen, V. Paxson and R. H. Katz, "What's New About Cloud Computing Security?" Technical report, University of California, Berkeley, 2010.
[3] D. G. Feng, M. Zhang, Y. Zhang and Z. Xu, "Study on cloud computing security," Journal of Software, vol. 22, no. 1, pp. 71-83, 2011. DOI: 10.3724/SP.J.1001.2011.03958
[4] N. Santos, K. P. Gummadi and R. Rodrigues, "Towards trusted cloud computing," in Proc. of the 2009 Conference on Hot Topics in Cloud Computing (HotCloud), 2009.
[5] F. J. Krautheim, "Private virtual infrastructure for cloud computing," in Proc. of the 2009 Conference on Hot Topics in Cloud Computing (HotCloud), 2009.
[6] J. Schiffman, T. Moyer, H. Vijayakumar, T. Jaeger and P. McDaniel, "Seeding clouds with trust anchors," in Proc. of the 2010 ACM Cloud Computing Security Workshop (CCSW), pp. 43-46, 2010.
[7] R. Neisse, D. Holling and A. Pretschner, "Implementing trust in cloud infrastructures," in Proc. of the 11th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGrid), pp. 524-533, 2011.
[8] S. Butt, H. A. Lagar-Cavilla, A. Srivastava and V. Ganapathy, "Self-service cloud computing," in Proc. of the 2012 ACM Conference on Computer and Communications Security (CCS), pp. 253-264, 2012.
[9] N. Santos, R. Rodrigues, K. P. Gummadi and S. Saroiu, "Policy-sealed data: A new abstraction for building trusted cloud services," in Proc. of the 21st USENIX Security Symposium, 2012.
[10] Trusted Computing Group, "TCG Specification Architecture Overview." https://www.trustedcomputinggroup.org/
[11] S. Berger, R. Cáceres, K. A. Goldman, R. Perez, R. Sailer and L. van Doorn, "vTPM: Virtualizing the Trusted Platform Module," in Proc. of the 15th USENIX Security Symposium, pp. 305-320, 2006.
[12] T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum and D. Boneh, "Terra: A virtual machine-based platform for trusted computing," ACM SIGOPS Operating Systems Review, vol. 37, no. 5, pp. 193-206, 2003. DOI: 10.1145/1165389.945464
[13] E. Shi, A. Perrig and L. van Doorn, "BIND: A fine-grained attestation service for secure distributed systems," in Proc. of the 2005 IEEE Symposium on Security and Privacy, pp. 154-168, 2005.
[14] S. Berger, R. Cáceres, D. Pendarakis, R. Sailer, E. Valdez, R. Perez, W. Schildhauer and D. Srinivasan, "TVDc: Managing security in the trusted virtual datacenter," ACM SIGOPS Operating Systems Review, vol. 42, no. 1, pp. 40-47, 2008. DOI: 10.1145/1341312.1341321
[15] R. Sailer, X. Zhang, T. Jaeger and L. van Doorn, "Design and implementation of a TCG-based integrity measurement architecture," in Proc. of the 13th USENIX Security Symposium, pp. 16-32, 2004.
[16] A.-R. Sadeghi and C. Stüble, "Property-based attestation for computing platforms: Caring about properties, not mechanisms," in Proc. of the 2004 New Security Paradigms Workshop (NSPW), pp. 67-77, 2004.
[17] L. Chen, R. Landfermann, H. Löhr, M. Rohe, A.-R. Sadeghi and C. Stüble, "A protocol for property-based attestation," in Proc. of the 1st ACM Workshop on Scalable Trusted Computing (STC), pp. 7-16, 2006.
[18] J. M. McCune, B. Parno, A. Perrig, M. K. Reiter and H. Isozaki, "Flicker: An execution infrastructure for TCB minimization," ACM SIGOPS Operating Systems Review, vol. 42, no. 4, pp. 315-328, 2008. DOI: 10.1145/1357010.1352625
[19] J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor and A. Perrig, "TrustVisor: Efficient TCB reduction and attestation," in Proc. of the 2010 IEEE Symposium on Security and Privacy, pp. 143-158, 2010.
[20] D. G. Feng and Y. Qin, "Research on attestation method for trust computing environment," Chinese Journal of Computers, vol. 31, no. 9, pp. 1640-1652, 2008. DOI: 10.3724/SP.J.1016.2008.01640
[21] N. L. Petroni Jr., T. Fraser, J. Molina and W. A. Arbaugh, "Copilot: A coprocessor-based kernel runtime integrity monitor," in Proc. of the 13th USENIX Security Symposium, pp. 179-194, 2004.
[22] B. Zhao, H. G. Zhang, J. Li and S. Wen, "The system architecture and security structure of trusted PDA," Chinese Journal of Computers, vol. 31, no. 1, pp. 82-93, 2010. DOI: 10.3724/SP.J.1016.2010.00082
[23] S. Weber, P. A. Karger and A. Paradkar, "A software flaw taxonomy: Aiming tools at security," in Proc. of the 2005 Workshop on Software Engineering for Secure Systems (SESS), pp. 1-7, 2005.
[24] A. Dinaburg, P. Royal, M. Sharif and W. Lee, "Ether: Malware analysis via hardware virtualization extensions," in Proc. of the 15th ACM Conference on Computer and Communications Security (CCS), pp. 51-62, 2008.
[25] T. Garfinkel and M. Rosenblum, "A virtual machine introspection based architecture for intrusion detection," in Proc. of the 2003 Network and Distributed System Security Symposium (NDSS), pp. 191-206, 2003.
[26] LibVMI. https://code.google.com/p/vmitools/
[27] Poison Ivy remote administration tool. http://www.poisonivy-rat.com/
[28] Hacker Defender. http://en.pudn.com/download46/sourcecode/hack/detail154363_en.html
[29] Linux Rootkit 5 (lrk5). http://www.ussrback.com/UNIX/penetration/rootkits/
[30] Adore-ng rootkit. http://stealth.openwall.net/rootkits/
[31] T. Jaeger, R. Sailer and U. Shankar, "PRIMA: Policy-reduced integrity measurement architecture," in Proc. of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 19-28, 2006.