一种抵御内部人员攻击的云租户密钥保护方法

Translated title of the contribution: A Method of Protecting Tenants' Secret Keys against Insider Attacks

Yun He, Xiaoqi Jia, Peng Liu, Weijuan Zhang

Research output: Contribution to journalArticlepeer-review

Abstract

Cloud computing has been seen as the next innovative computing model and has made a tremendous impact on the traditional Information Technology (IT) architecture over the past years. However, cloud computing also faces new security challenges. For example, the cryptographic keys or passwords in the guest VM's memory are vulnerable to memory-based attacks (e.g., memory dump attacks) launched by malicious insiders. A rogue cloud operator can take a memory dump of the guest VMs by executing simple commands, then extracts sensitive data (e.g., plaintext of secret keys) from the memory dump files. In this paper, to protect the customer's secret keys against memory dump attacks, we proposed an approach named HCoper, which implements all cryptographic computations entirely within the CPU, without any secret keys loaded into the RAM. HCoper is a key-encryption-key architecture performing dynamic scheduling of secret keys to support multiple keys for multiple applications. The master key is stored in CPU registers, the data-encryption keys are encrypted by the master key and then stored as cipher-text in the RAM. When HCoper is working, the data-encryption keys will be decrypted and then directly loaded into CPU registers for encryption computation. We implement HCoper as a kernel module of Xen to prevent other malicious processes from accessing the CPU registers that hold the master key or data-encryption keys. HCoper provides the tenants with cryptographic computation services that are secure against memory dump attacks launched by malicious insiders. Meanwhile, experiments demonstrate that our implementation of HCoper defends against insider threats effectively and it only introduces reasonable performance overhead.

Translated title of the contributionA Method of Protecting Tenants' Secret Keys against Insider Attacks
Original languageChinese (Traditional)
Pages (from-to)187-201
Number of pages15
JournalJournal of Cyber Security
Volume6
Issue number3
DOIs
StatePublished - May 2021

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Safety Research
  • Hardware and Architecture
  • Computer Science Applications
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'A Method of Protecting Tenants' Secret Keys against Insider Attacks'. Together they form a unique fingerprint.

Cite this