Bootstrapping and Maintaining Trust in the Cloud
MIT Lincoln Laboratory Lexington United States
Today's infrastructure as a service (IaaS) cloud environments rely upon full trust in the provider to bootstrap security. Cloud providers do not offer the ability to create hardware-rooted cryptographic identities for IaaS cloud resources or sufficient information to verify the integrity of systems. Trusted computing protocols and hardware like the TPM have long promised a solution to this problem. However, these technologies have not seen broad adoption because of their complexity of implementation and because they are disconnected from and incompatible with existing security technology like IPsec, Vault, Puppet, or LUKS. In this paper we introduce a scalable trusted cloud key management system called keylime. Our system provides an end-to-end solution both for bootstrapping hardware-rooted identities for IaaS machines and for the regular checking of the runtime integrity state of the full cloud stack. The key insights of our system are (i) a clean separation between the trusted computing layer and the higher-level security services that use it, (ii) a novel key bootstrapping protocol that incorporates both integrity measurement by an external trusted verifier and the owner's intent to spawn resources, and (iii) a full trusted computing architecture implementation that is compatible with IaaS services that offer bare metal, virtual machines, or containers. Our evaluation of keylime shows that its bootstrapping protocol introduces minimal delay in the creation of IaaS resources and that our system can scalably verify the runtime integrity of thousands of cloud nodes with less than 5 seconds of delay in detecting violations.
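As an added illustration of insight (ii), not the paper's code and not keylime's actual protocol, the toy model below gives a node its bootstrap key only when an external verifier's integrity measurement matches an expected value and the owner has expressed intent to spawn that node. The XOR key split, the `GOLDEN_MEASUREMENT` value and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed expected measurement of a healthy node. A real verifier would
# check a TPM quote over PCRs; here a SHA-256 over a string stands in for it.
GOLDEN_MEASUREMENT = hashlib.sha256(b"boot-chain-v1|kernel|ima-policy").hexdigest()


def measure(node_state: bytes) -> str:
    """Simulated integrity measurement of a node's software state."""
    return hashlib.sha256(node_state).hexdigest()


def split_key(key: bytes):
    """Split the bootstrap key into an owner share U and a verifier share V.
    Neither share alone reveals the key (one-time-pad style XOR split)."""
    u = secrets.token_bytes(len(key))
    v = bytes(a ^ b for a, b in zip(key, u))
    return u, v


def verifier_release(node_state: bytes, v_share: bytes, golden: str = GOLDEN_MEASUREMENT):
    """External verifier: release V only if the measured state matches the golden value."""
    if not hmac.compare_digest(measure(node_state), golden):
        return None  # integrity violation: withhold the verifier share
    return v_share


def node_recover(u_share, v_share):
    """Node side: the key is recoverable only with both shares present."""
    if u_share is None or v_share is None:
        return None
    return bytes(a ^ b for a, b in zip(u_share, v_share))


def bootstrap(node_state: bytes, owner_intends: bool):
    """Run one bootstrap; returns (key the owner generated, key the node recovered)."""
    key = secrets.token_bytes(32)
    u, v = split_key(key)
    # Owner's intent: U is delivered only for nodes the owner actually asked to spawn.
    u_delivered = u if owner_intends else None
    v_delivered = verifier_release(node_state, v)
    return key, node_recover(u_delivered, v_delivered)
```

A node that fails either gate ends up with no key, so a tampered image or an unrequested resource never becomes a trusted identity.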
- Computer Systems