Architectures for Secure Cloud Computing Servers

Abstract

Cloud computing, enabled by virtualization technologies, has become an important computing paradigm. However, by choosing the cloud computing model the customers give up control, e.g. over the system software, of servers where their code executes and where their data is stored. In this dissertation, we propose to leverage server hardware to provide protections for the code and data inside a customer's virtual machines on the remote cloud servers. In particular, this dissertation explores a threat that has not been addressed by researchers before -- that of the virtualization (system) software becoming compromised or malicious and attacking other virtual machines on the server. The high-level goal is to make code and data executing in a remote virtual machine as secure as if it were executing inside a customer's own office on a dedicated server, despite customer's lack of control over the system software.

The first new research direction that we present is our hypervisor-free virtualization, which is realized in the NoHype architecture. Hypervisor-free virtualization takes a novel approach of removing the need for a virtualization layer during a virtual machine's runtime. This eliminates the attack surface from potentially malicious virtual machines to the virtualization layer and reduces the attackers' means for gaining virtualization layer privileges that they could then use to compromise the rest of the system. The hypervisor-free virtualization can be realized on existing hardware.

The second new research direction that we present is our hypervisor-secure virtualization, which is realized in the HyperWall architecture. The architecture proposes new hardware so that untrusted virtualization layer can dynamically manage server resources, such as memory allocation, but confidentiality and integrity of virtual machines memory is protected. We also present hardware trust evidence mechanisms, which can be used to attest to the customer configuration and enforcement of protections of their virtual machines.

The last part of this dissertation presents a new security verification methodology. Our methodology can be used to help check the correctness of hardware-software security architectures. Performing security verification, which is different from functional verification, can help find security bugs and facilitate committing designs to hardware.