Upload File

trusted computing and openstack

15
Trusted Computing & OpenStack Steve Weis PrivateCore OpenStack Security Meetup July 2014

Upload: buinga

Post on 01-Jan-2017

229 views

Category:

Documents


4 download

Report

TRANSCRIPT

Page 1: Trusted Computing and OpenStack

Trusted Computing & OpenStack

Steve Weis! PrivateCore!

!

OpenStack Security Meetup!July 2014

Page 2: Trusted Computing and OpenStack

How safe are bare-metal clouds?

Page 3: Trusted Computing and OpenStack

Attacks in the wild

Page 4: Trusted Computing and OpenStack

Exploit all the things!• Operating Systems

• BIOS / EFI

• Device firmware / Option ROMs

• Master boot records

• Keyboard controllers

• Management engines and controllers

Page 5: Trusted Computing and OpenStack

“Provide for the recovery of an !information system to a known state”

Source: NIST 800-53

Page 6: Trusted Computing and OpenStack

Trusted Execution Technology

Kernel OS Config

BIOSSINITPlatform Config

Option ROMs

MeasureRemote Attest

CPUTPM

Firmware and software needed to boot

Page 7: Trusted Computing and OpenStack

Example Measurements

OS

Credentials

MLE☚Config☚

ACM☚

BIOS☚

Page 8: Trusted Computing and OpenStack

Gaps in Trusted Execution

Spoof CPU

PastHypotheticalCurrent

Kernel OS Config

BIOSSINITPlatform Config

Option ROMs

CPUTPM

Overflow

ForgeProvenance

Extract Keys

Hashcollision

Paperclip

Spoof Bus

Page 9: Trusted Computing and OpenStack

Attestation in OpenStack

Page 10: Trusted Computing and OpenStack

Trusted Compute PoolsNova

Scheduler

Attestation Server

UserNova

Compute ANova

Compute B

1. Run my payload on a trusted compute node

2. Which nodes are trusted?

3. TPM Quote

4. Node A is good

5. Run payload on compute node A

Nova Compute A

Nova Compute B

Page 11: Trusted Computing and OpenStack

Implementations

• Open Attestation (OAT): https://01.org/openattestation

• Open source Java attestation server. Mostly developed by Intel.

• Intel Trust Attestation Solution (Mt. Wilson): Enterprise OAT

• PrivateCore vCage: Python / Django / Horizon attestation server

https://01.org/openattestation
Page 12: Trusted Computing and OpenStack

Gaps in Trusted Pool Model

Nova

Attestation Server

Nova ComputeGlanceSwiftCinder

Bad Compute

Compute PoolSeparate Trusted Environment?

Bad nodes already have control plane access?

Nova Compute

Page 13: Trusted Computing and OpenStack

OpenStack Components

Compute Node

Toward a Better Model

Attestation Server

1. AttestOpenStack

Components

Credential Storage 3. Provision

1. Attest

Compute Node🔑

4. Enroll2. Authorize

Trust Perimeter

Page 14: Trusted Computing and OpenStack

Suggested Improvements

1. Attest all servers in OpenStack: Not just compute nodes

2. Cloud providers should provide TPMs and compatible firmware

3. Vendors need to provide authoritative lists of measurement values

4. CPU vendors should ultimately remove dependency on TPMs

Page 15: Trusted Computing and OpenStack

Thank you!Questions?!

!

[email protected]!@sweis


Trusted Computing and OpenStack - saweis.net › pdfs › weis-trusted-computing-openstack.pdf · Trusted Computing & OpenStack Steve Weis! PrivateCore!! OpenStack Security Meetup!

463.6.1 Trusted Computing - Gang Wang › class › cs463 › 463.6.1... · 2020-02-13 · The concept of Trusted Computing is developed and promoted by the Trusted Computing Group

Trusted Computing Platform Alliance (TCPA) Trusted Platform Module

Trusted Computing Base

Trusted Computing & Trusted Computing Group · 2008-02-19 · Trusted Computing: Today’s Positioning • Helps create a safer computing environment – Different paradigm from prevailing

Towards trusted cloud computing

[Viet openstack] cloud computing - openstack meetup v2

SysSec Trusted Computing - EURECOMs3.eurecom.fr › ~aurel › syssec › syssec_7_trusted_computing.pdf · Un-trusted Prover “P” Trusted Verifier “V ... Trusted Computing Platform

Consumerization of - Trusted Computing Group · ABSTRACT: Consumerization of Trusted Computing . Consumerization of I.T. Easy to use . Transparent . Robust . Inexpensive . Trusted

Sensors Expo Workshop - Trusted Computing Group · • TPM v2.0/TSS v2.0 provide support infrastructure for trusted computing • Trusted computing- enabled firmware building a “transitive

Trusted Computing, Trusted Third Parties, and Verified ...abadi/Papers/verif.pdf · Trusted Computing, Trusted Third Parties, and Verified Communications Mart´ın Abadi University

Rhoton - OpenStack Cloud Computing eBook

OPENSTACK & CLOUD COMPUTING - Huihoodocs.huihoo.com/.../OpenStack-Cloud-Computing... · Enterprise Cloud Adoption Path 20 ... OpenStack Cloud Computing by John Rhoton is an introduction

Trusted Docker Containers and Trusted VMs in OpenStack · Trusted Docker Containers and Trusted VMs in OpenStack ... o Reference Architecture with OpenStack ... Docker Engine –Runtime

Consumerization of Trusted Computing

The OpenStack Cloud Computing Framework and Ecosystemblog.zhaw.ch/icclab/files/2012/06/2013-04-OpenStack-DCDynamics-13_tmb.pdf · The OpenStack Cloud Computing Framework and Ecosystem

Securing OpenStack with Intel Trusted Computing

TCG: Trusted Computing Group

Trusted Computing & Trusted Computing Group

TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION · TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION. Jason Cox, Seagate Technology

Trusted Computing Platform Alliance (TCPA) Trusted ...€¦ · Title: Trusted Computing Platform Alliance (TCPA) Trusted Platform Module Protection Profile (TPM PP) Assurance Level:

Trusted Computing and Linux - The Linux Kernel Archives · 92 • Trusted Computing and Linux a section on future work. 2 Goals of Trusted Computing The Trusted Computing Group (TCG)

TRUSTED COMPUTING - TU Dresden

Cisco cloud computing deploying openstack

Creating the Complete Trusted Computing Ecosystem · Creating the Complete Trusted Computing Ecosystem: FEBRUARY 2018. Creating the Complete Trusted Computing Ecosystem: ... type

Trusted Computing

OpenStack Technology Breaking the Enterprise Barrierdocs.media.bitpipe.com/io_11x/io_119169/item... · computing solution that is open, trusted, and reliable, we wrote this book for

Trusted Computing and Securing Devices · 2017-04-06 · ©2017 Trusted Computing Group 2017 International Trusted Computing and Security Innovation Summit April 6, 2017, Beijing

OpenStack : Cloud Computing Platform Tutorial

Workshop - Openstack, Cloud Computing, Virtualization

SUSTAINABLE TRUSTED COMPUTING - CORE

Cloud computing with Openstack - hpcadvisorycouncil.com · Openstack Cloud computing with Openstack Lugano, 23/03/2016 Saverio Proto [email protected]

Securing OpenStack with Intel Trusted Computing OpenStack Summit Atlanta 2014 12 May 2014 Christian Huebner Cloud Architect [email protected]@mirantis.com

Cloud computing và OpenStack - blogit.edu.vn · Cloud computing và OpenStack Tháng 4/2012 Page 1 Giới thiệu Cloud computing và triển khai trên OpenStack Thực hiện:

Cloud Computing using OpenStack