TY - GEN
T1 - CloudVaults: integrating trust extensions into system integrity verification for cloud-based environments
AU - Larsen, Benjamin
AU - Debes, Heini Bergsson
AU - Giannetsos, Thanassis
PY - 2020
Y1 - 2020
N2 - While the rapid evolution of container-based virtualization technologies, emerging as an integral part of cloud-based environments, brings forth several new opportunities for enabling the provision of distributed, mixed-criticality services, it also raises significant concerns for their security, resilience, and configuration correctness. In this paper, we present CloudVaults for coping with these challenges: a multi-level security verification framework that supports trust-aware service graph chains with verifiable evidence on the integrity assurance and correctness of the comprised containers. It is a first step towards a new frontier of security mechanisms to enable the provision of Configuration Integrity Verification (CIV), during both load- and run-time, by providing fine-grained measurements in supporting container trust decisions, thus allowing for a much more effective verification towards building a global picture of the entire service graph integrity. We additionally provide and benchmark an open-source implementation of the enhanced attestation schemes.
AB - While the rapid evolution of container-based virtualization technologies, emerging as an integral part of cloud-based environments, brings forth several new opportunities for enabling the provision of distributed, mixed-criticality services, it also raises significant concerns for their security, resilience, and configuration correctness. In this paper, we present CloudVaults for coping with these challenges: a multi-level security verification framework that supports trust-aware service graph chains with verifiable evidence on the integrity assurance and correctness of the comprised containers. It is a first step towards a new frontier of security mechanisms to enable the provision of Configuration Integrity Verification (CIV), during both load- and run-time, by providing fine-grained measurements in supporting container trust decisions, thus allowing for a much more effective verification towards building a global picture of the entire service graph integrity. We additionally provide and benchmark an open-source implementation of the enhanced attestation schemes.
KW - Cloud-based environments
KW - Container-based microservices
KW - Configuration integrity verification
KW - Privacy-oriented attestation
U2 - 10.1007/978-3-030-66504-3_12
DO - 10.1007/978-3-030-66504-3_12
M3 - Article in proceedings
SN - 978-3-030-66503-6
T3 - Lecture Notes in Computer Science
SP - 197
EP - 220
BT - Computer Security
PB - Springer
T2 - European Symposium on Research in Computer Security
Y2 - 14 September 2020 through 18 September 2020
ER -