Trust in Lightweight Virtual Machines: Integrating TPMs into Firecracker

Date

Type

Examensarbete för masterexamen
Master's Thesis

Model builders

Journal Title

Journal ISSN

Volume Title

Publisher

Abstract

Due to the rise of service-based software products, cloud computing has seen significant growth in recent years. When software services use cloud providers to run their workloads, they place implicit trust in the cloud provider, without any explicit trust relationship. One way to achieve such explicit trust in a computer system is to use a hardware Trusted Platform Module (TPM), which is a coprocessor for secure cryptographic functionality. However, in the case of managed platform-as-a-service offerings, there is currently no provider exposing the trusted computing capabilities of a TPM. The main goal of this project is to enable system designers to improve trust by providing access to a TPM within a cloud-based environment. This was achieved by integrating a TPM device into the Firecracker hypervisor, originally developed by Amazon Web Services. In addition to this, multiple performance tests along with an attack surface analysis were performed to evaluate the impact of the changes introduced. The results show a significant performance impact; however, by using a resource pool, they could be partially mitigated. The analysis of the attack surface shows that there is no major change in the Firecracker hypervisor itself. However, the attack surface is extended by allowing cloud users to communicate with a TPM. Therefore, we discuss the impact and possible mitigations of the increased attack surface. Then we describe what it takes for a cloud service provider to offer trusted computing capabilities to its customers. Lastly, we conclude that the slight performance decrease along with the attack surface increase should be acceptable trade-offs in order to enable trusted computing in platform-as-a-service offerings.

Description

Keywords

Trust, TPM, Virtualisation, Firecracker, Linux, Platform-as-a-Service, Cloud

Citation

Architect

Location

Type of building

Build Year

Model type

Scale

Material / technology

Index

Collections

Endorsement

Review

Supplemented By

Referenced By