2013 13th IEEE/ACM International Symposium on Cluster, Cloud, and Grid Computing

Secure Storage Service for IaaS Cloud Users

Jinho Seol, Seongwook Jin, and Seungryoul Maeng
Computer Science Department, KAIST, Daejeon, Korea
{jhseol,swjin}@calab.kaist.ac.kr, maeng@cs.kaist.ac.kr

Abstract—Cloud computing enables to reduce operating costs and

Mgmt. VM Guest VM
maximize resource utilization. However, current cloud infrastructure
is insufficient to guarantee the confidentiality of classified information
for cloud users because one of administrators with privilege or remote Storage
hackers compromising management tools can leak the information. Terminal Driver

This paper addresses storage issues in cloud computing and proposes a in Cloud
secure storage service where stored user data are protected even against
Hypervisor
a malicious administrator and compromised software. We describe the
architecture of proposed design and discuss the security issues of the
design.
Local
Remote
Storage
Storage Cloud Node
I. I NTRODUCTION
Cloud computing refers the computing paradigm where software Privileged Access Illigal Access with Privilege
and hardware are provided as a service. Cloud computing is in
the spotlight because it is possible to reduce operating costs and Fig. 1. Threat Model
maximize resource utilization as pay-as-you-go model is a basic
philosophy of cloud computing. Cloud computing provides attractive
environment in that physical servers don’t have to be managed III. S ECURE S TORAGE R EQUIREMENTS
directly by cloud users and elasticity against scalability problem is A. Assumption & Threat Models
also provided. Cloud systems consist of lots of software components. Among
Nevertheless, companies regarding the security as the first principle them, hypervisor and a management OS coexist with guest VMs
of governance are reluctant to use cloud computing service. The in a single cloud node. When the hypervisor is compromised, the
main reason is anxiety about the security of their VMs. As plenty confidentiality of guest VMs cannot be guaranteed. However, the
of stakeholders including a cloud provider and cloud users co-exist code size of the hypervisor is smaller than that of traditional OS, and
in cloud computing environment, the VMs allocated to a cloud user thus the hypervisor has relatively less security holes[2].
are influenced by hypervisor, a management OS, which means the A management OS is an important attack point of remote hackers
OS of a management VM, or other VMs even in a single cloud or a malicious administrator. The management OS can access its own
node. Furthermore, cloud administrators have privileges to control memory even though the memory of guest VM prevents from being
the VMs. It means a malicious administrator can easily leak the user accessed[2], [3]. It means information leakage by means of observing
data using management tools[4]. As a result, the virtual machines are I/O of guest VMs via split drivers in management OS is still possible.
more vulnerable to information leakage than the physical machines. Therefore, the main threat of this work is information leakage by
In this paper we propose secure storage architecture using crypto- accessing local storage via the management OS or direct access to
processors for cloud users. User data are encrypted and even a remote storage with privilege. We also assume defense mechanisms
malicious administrator cannot access the cryptographic keys, and the against hardware attacks are well-equipped and thus hardware attacks
decrypted data are isolated from the management OS. Accordingly, are inexecutable.
user data are protected from cloud administrators and other users.
More secure cloud computing environment is guaranteed in the B. Requirements
proposed architecture, and thus it is expected to migrate from server The requirements for secure storage summarized as follows.
hosting service to cloud computing service more and more.
• Isolated cryptographic operation: A malicious administrator or
II. BACKGROUND remote hackers can have control over the management OS.
There are three entities to protect the confidentiality of guest Therefore, when plain text or decrypted data are loaded in the
VMs: processing, memory, and I/O. Processing and memory can be memory of the management OS, they can be leaked by using
protected by H/W such as VT-x and AMD-V and S/W techniques privileged operations in the management OS. As a result, the
such as [2], [3]. If processing and memory are protected, the guest result of cryptographic operations should be isolated from the
virtual machine is safe as far as no I/O operation is involved. management OS.
However, transferring the input or output data of computation is an • Infrastructure cryptographic operation: Key delivery from cloud

essential process in cloud computing environment. That’s why the users involves connection to outside cloud systems. It means ad-
last entity, I/O should be protected in cloud computing. Generally, all ditional service is needed for key delivery. Thus, cryptographic
network traffics can be encrypted within a guest virtual machine and keys should exist in the cloud system. Moreover, full-disk
thus, they are safe during transfer. However, it implies an assumption encryption is implementable because guest OS is uninvolved.
that the cryptographic keys are protected safely. The cryptographic • Key protection: To protect the keys perfectly, we need a key

keys are generally stored in the storage. Therefore, protecting storage storage service where the keys are inaccessible even with
is the basic foundation of all other I/O devices. privileged access.

978-0-7695-4996-5/13 $26.00 © 2013 IEEE 190

DOI 10.1109/CCGrid.2013.31
 Mgmt. VM Hypervisor Physical
Device Mgmt. VM Guest VM Memory
Authority TPM Crypto−
Processor Page
Driver Driver
Table

Hypervisor Encrypted
Guest VM Nested Data
Page
Table
Guest Plain
EK PCR AIK EK DA Key Page Data
Table
TPM PCI Device

IOMMU
Cloud Node Page
Table
PCI Device
Fig. 2. Architecture Overview
Encrypted Data Access Plain Data Access

Fig. 3. Plain Text Isolation

IV. S YSTEM D ESIGN
A. Overview
D. Safe system state guarantee
Figure 2 shows the overall architecture of our system. Cloud If a malicious administrator or remote hackers can compromise the
nodes are equipped with a crypto-processor, which plays a role of image of hypervisor and reboot the system, compromised hypervisor
encryption, decryption, and key storage, and Trusted Platform Module will be loaded, and thus there is no guarantee that the hypervisor plays
(TPM), which is used to verify the system state of cloud nodes. As a role of isolation. We design that the crypto-processor activates itself
the crypto-processors are the bare bones of the proposed system, only if the system states are attested to avoid unwanted hypervisor.
they have to be verified by third party called Device Authority (DA). We don’t present details of the activation protocol due to space
System states are measured into Platform Configuration Register limitation.
(PCR) of TPM. Endorsement Key (EK) and Attestation Identity Key
(AIK) in the TPM are used to represents the identity of the TPM. A V. S ECURITY A NALYSIS & D ISCUSSION
PCI crypto-processor also has EK for the identity of itself. DA key The secure system states could be used to activate the crypto-
is used for verifying the signature of DA. processor illegally. The malicious management OS on compromised
hypervisor would try to use the measurement value of attested
B. Challenges hypervisor. Thus, DA needs an a-priori list of pairs, which comprise
EK of TPM and EK of crypto-processor from one physical cloud
Even though crypto-processors are operational in cloud node, two
node not to face the unwanted situation. At the last step of activation
main challenges remains to provide a secure storage service. As the
process, DA will attest the system state. During attestation, DA have
device driver of crypto-processor is placed in the management OS, we
to also check whether the system state is from requested node or not.
need to isolate the decrypted (or plain) text from the management OS.
If compromised hypervisor tries to use the system state of another
If the management OS is able to access the result of cryptographic
machine, DA can detect and will refuse the activation request.
operations, the confidentiality of stored data cannot be guaranteed.
The other challenge is to ensure safe system states. Hypervisor is in VI. C ONCLUSION & F UTURE W ORK
charge of access control. Thus, if hypervisor doesn’t protect illegal Security is primary consideration for the users who consider using
access from the management OS, the information leakage of guest cloud services. However, guaranteeing secure cloud computing envi-
VMs is unavoidable. ronment is cumbersome and tortuous. This paper presents a secure
To ensure a secure storage service, the proposed architecture storage service for the users via crypto-processors. The proposed
achieves plain text isolation from the management OS and safe architecture makes the users lighthearted because it is guaranteed
system state guarantee as following two sections. that stored data in cloud systems are encrypted and cannot be leaked
even with privileged accesses. Currently, we are developing a PCI
C. Plain text isolation prototyped board and implementing its functionalities. We plan to
implement a fully functional prototype including PCI device crypto-
Generally, when a guest VM reads stored data block, the man-
processors, device drivers, and the activation server of DA.
agement OS reads the requested block from disk, and afterward,
sends the block to the guest VM. However, as the block is encrypted, ACKNOWLEDGMENT
decrypting process is needed before the block is sent to the guest VM. This work was supported by the IT R&D Program of MKE/KEIT.
At the same time, decrypted text should not be accessed from the [KI002090, Development of Technology Base for Trustworthy Computing]
management OS. To achieve this goal, hypervisor manipulates page
tables to block unauthorized accesses. Figure 3 shows the mapping of R EFERENCES
the management OS, guest VM and crypto-processor. Once encrypted [1] AMD. I/O virtualization technology (IOMMU) specification, 2011.
data are loaded to memory by the management OS, the crypto- [2] C. Li, A. Raghunathan, and N. Jha. Secure virtual machine execution
under an untrusted management OS. In Cloud Computing (CLOUD),
processor is in charge of decryption. The device will access the 2010 IEEE 3rd International Conference on, pages 172–179, 2010.
encrypted data and write plain data to other part of memory after [3] D. G. Murray, G. Milos, and S. Hand. Improving xen security through
decrypting. Hypervisor manipulates page table of the management OS disaggregation. In Proceedings of the fourth ACM SIGPLAN/SIGOPS
and the IOMMU (I/O Memory Management Unit)[1] page table of international conference on Virtual execution environments, VEE ’08,
page 151160, New York, NY, USA, 2008. ACM. ACM ID: 1346278.
the crypto-processor, thus, the device is able to access both encrypted [4] B. D. Payne, M. D. de Carbone, and W. Lee. Secure and flexible
and decrypted data whereas the management OS can access only monitoring of virtual machines. In Computer Security Applications
the encrypted data. As a result, the data of guest VM can preserve Conference, 2007. ACSAC 2007. Twenty-Third Annual, pages 385–397.
confidentiality from the management OS. IEEE, Dec. 2007.

191