Interoperable Node Integrity Verification for Confidential Machines Based on AMD SEV-SNP
JOURNAL OF INTERNET SERVICES AND APPLICATIONS(2024)
摘要
Confidential virtual machines (CVMs) are cloud providers' most recent security offer, providing confidentiality and integrity features. Although confidentiality protects the machine from the host operating system, firmware, and cloud operators, integrity protection is even more useful, enabling protection for a wider range of security issues. Unfortunately, CVM integrity verification depends on remote attestation protocols, which are not trivial for operators and differ largely among cloud providers. We propose an approach for abstracting CVM attestation that leverages an Our approach can integrate smoothly even when applications are unaware of CVMs or the SPIFFE standard. Nevertheless, our implementation inherits SPIFFE flexibility for empowering access control when applications support SPIFFE. In terms of performance, CVMs incur an additional 1.3 s to 21.9 s in boot times (it varies with the cloud environment), a marginal degradation for CPU, RAM, and IO workloads (maximum degradation of 2.6%), and low but not imperceptible degradation for database workloads (between 3.6% to 7.13%). Finally, we provide usability mechanisms and a threat analysis to help users navigate cloud providers' different CVM implementations and resulting guarantees.
更多查看译文
关键词
Confidential virtual machines,Confidential Computing,Cloud computing,Attestation,Interoperability,AMD SEV-SNP
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要