Trusted Computing and OpenStack

Preview:

Click to see full reader

Citation preview

Trusted Computing & OpenStack

Steve Weis! PrivateCore!

!

OpenStack Security Meetup!July 2014

How safe are bare-metal clouds?

Attacks in the wild

Exploit all the things!• Operating Systems

• BIOS / EFI

• Device firmware / Option ROMs

• Master boot records

• Keyboard controllers

• Management engines and controllers

“Provide for the recovery of an !information system to a known state”

Source: NIST 800-53

Trusted Execution Technology

Kernel OS Config

BIOSSINITPlatform Config

Option ROMs

MeasureRemote Attest

CPUTPM

Firmware and software needed to boot

Example Measurements

OS

Credentials

MLE☚Config☚

ACM☚

BIOS☚

Gaps in Trusted Execution

Spoof CPU

PastHypotheticalCurrent

Kernel OS Config

BIOSSINITPlatform Config

Option ROMs

CPUTPM

Overflow

ForgeProvenance

Extract Keys

Hashcollision

Paperclip

Spoof Bus

Attestation in OpenStack

Trusted Compute PoolsNova

Scheduler

Attestation Server

UserNova

Compute ANova

Compute B

1. Run my payload on a trusted compute node

2. Which nodes are trusted?

3. TPM Quote

4. Node A is good

5. Run payload on compute node A

Nova Compute A

Nova Compute B

Implementations

• Open Attestation (OAT): https://01.org/openattestation

• Open source Java attestation server. Mostly developed by Intel.

• Intel Trust Attestation Solution (Mt. Wilson): Enterprise OAT

• PrivateCore vCage: Python / Django / Horizon attestation server

https://01.org/openattestation

Gaps in Trusted Pool Model

Nova

Attestation Server

Nova ComputeGlanceSwiftCinder

Bad Compute

Compute PoolSeparate Trusted Environment?

Bad nodes already have control plane access?

Nova Compute

OpenStack Components

Compute Node

Toward a Better Model

Attestation Server

1. AttestOpenStack

Components

Credential Storage 3. Provision

1. Attest

Compute Node🔑

4. Enroll2. Authorize

Trust Perimeter

Suggested Improvements

1. Attest all servers in OpenStack: Not just compute nodes

2. Cloud providers should provide TPMs and compatible firmware

3. Vendors need to provide authoritative lists of measurement values

4. CPU vendors should ultimately remove dependency on TPMs

Thank you!Questions?!

!

steve@privatecore.com!@sweis

Recommended

Cloud computing and OpenStack
Technology
OPENSTACK & CLOUD COMPUTING - Huihoodocs.huihoo.com/.../OpenStack-Cloud-Computing... · Enterprise Cloud Adoption Path 20 ... OpenStack Cloud Computing by John Rhoton is an introduction
Documents
Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!
Documents
Trusted Computing
Documents
SysSec Trusted Computing - EURECOMs3.eurecom.fr › ~aurel › syssec › syssec_7_trusted_computing.pdf · Un-trusted Prover “P” Trusted Verifier “V ... Trusted Computing Platform
Documents
Consumerization of - Trusted Computing Group · ABSTRACT: Consumerization of Trusted Computing . Consumerization of I.T. Easy to use . Transparent . Robust . Inexpensive . Trusted
Documents
Rhoton - OpenStack Cloud Computing eBook
Documents
Cloud Computing OpenStack Compute Node
Education
Trusted Computing and Linux - The Linux Kernel Archives · 92 • Trusted Computing and Linux a section on future work. 2 Goals of Trusted Computing The Trusted Computing Group (TCG)
Documents
Trusted Computing Platform Alliance (TCPA) Trusted ...€¦ · Title: Trusted Computing Platform Alliance (TCPA) Trusted Platform Module Protection Profile (TPM PP) Assurance Level:
Documents
Sensors Expo Workshop - Trusted Computing Group · • TPM v2.0/TSS v2.0 provide support infrastructure for trusted computing • Trusted computing- enabled firmware building a “transitive
Documents
OpenStack : Cloud Computing Platform Tutorial
Documents
Trusted Computing, Trusted Third Parties, and Verified ...abadi/Papers/verif.pdf · Trusted Computing, Trusted Third Parties, and Verified Communications Mart´ın Abadi University
Documents
TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION … · TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION. Jason Cox, Seagate Technology
Documents
Cloud computing with Openstack - hpcadvisorycouncil.com · Openstack Cloud computing with Openstack Lugano, 23/03/2016 Saverio Proto saverio.proto@switch.ch
Documents
Consumerization of Trusted Computing
Documents
463.6.1 Trusted Computing - Gang Wang › class › cs463 › 463.6.1... · 2020-02-13 · The concept of Trusted Computing is developed and promoted by the Trusted Computing Group
Documents
Cisco cloud computing deploying openstack
Technology
Edge Computing - OpenStack
Documents
OpenStack Technology Breaking the Enterprise Barrierdocs.media.bitpipe.com/io_11x/io_119169/item... · computing solution that is open, trusted, and reliable, we wrote this book for
Documents