Securing Network-Booting Linux Systems at the Example of bwLehrpool and bwForCluster NEMO

• URL: http://arxiv.org/abs/2409.11413v1
• Date: Tue, 3 Sep 2024 20:54:19 GMT
• Title: Securing Network-Booting Linux Systems at the Example of bwLehrpool and bwForCluster NEMO
• Authors: Simon Moser,
• Abstract summary: The universities of Baden-W"urttemberg are using stateless system remote boot for services such as computer labs and data centers. The aim of this work is to establish trust within this network, focusing on server-client identity, confidentiality and image authenticity.
• Score: 0.0
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: The universities of Baden-W\"urttemberg are using stateless system remote boot for services such as computer labs and data centers. It involves loading a host system over the network and allowing users to start various virtual machines. The filesystem is provided over a distributed network block device (dnbd3) mounted read-only. The process raises security concerns due to potentially untrusted networks. The aim of this work is to establish trust within this network, focusing on server-client identity, confidentiality and image authenticity. Using Secure Boot and iPXE signing, the integrity can be guaranteed for the complete boot process. The necessary effort to implement it is mainly one time at the set-up of the server, while the changes necessary once to the client could be done over the network. Afterwards, no significant delay was measured in the boot process for the main technologies, while the technique of integrating the kernel with other files resulted in a small delay measured. TPM can be used to ensure the client's identity and confidentiality. Provisioning TPM is a bigger challenge because as a trade-off has to be made between the inconvenience of using a secure medium and the ease of using an insecure channel once. Additionally, in the data center use case, hardware with TPM might have higher costs, while the additional security gained by changing from the current key storage is only little. After the provisioning is completed, the TPM can then be used to decrypt information with a securely stored key.

Related papers

• Lightweight, Secure and Stateful Serverless Computing with PSL [43.025002382616066]
  We present Function-as-a-Serivce (F) framework for Trusted Execution Environments (TEEs) The framework provides rich programming language support on heterogeneous TEE hardware for statically compiled binaries and/or WebAssembly (WASM) bytecodes. It achieves near-native execution speeds by utilizing the dynamic memory mapping capabilities of Intel SGX2.
  arXiv  Detail & Related papers  (2024-10-25T23:17:56Z)
• SNPGuard: Remote Attestation of SEV-SNP VMs Using Open Source Tools [3.7752830020595796]
  Cloud computing is a ubiquitous solution to handle today's complex computing demands. VM-based Trusted Execution Environments (TEEs) are a promising solution to solve this issue. They provide strong isolation guarantees to lock out the cloud service provider.
  arXiv  Detail & Related papers  (2024-06-03T10:48:30Z)
• Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers [3.423623217014682]
  This paper presents an architecture that enrolls edge devices as trusted worker nodes. A new custom controller directs a modified version of Keylime to cross the cloud-edge gap. We provide both a qualitative and a quantitative evaluation of the architecture.
  arXiv  Detail & Related papers  (2024-05-16T14:29:28Z)
• The Power of Bamboo: On the Post-Compromise Security for Searchable Symmetric Encryption [43.669192188610964]
  Dynamic searchable symmetric encryption (DSSE) enables users to delegate the keyword search over dynamically updated databases to an honest-but-curious server. This paper studies a new and practical security risk to DSSE, namely, secret key compromise. We introduce the notion of searchable encryption with key-update (SEKU) that provides users with the option of non-interactive key updates.
  arXiv  Detail & Related papers  (2024-03-22T09:21:47Z)
• Trustworthy confidential virtual machines for the masses [1.6503985024334136]
  We present Revelio, an approach that allows confidential virtual machine (VM)-based workloads to be designed and deployed in a way that disallows tampering even by the service providers. We focus on web-facing workloads, protect them leveraging SEV-SNP, and enable end-users to remotely attest them seamlessly each time a new web session is established.
  arXiv  Detail & Related papers  (2024-02-23T11:54:07Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• Tamper-Evident Pairing [55.2480439325792]
  Tamper-Evident Pairing (TEP) is an improvement of the Push-Button configuration (PBC) standard. TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper a transmitted message without being detected, nor hide the fact that the message has been sent. This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
  arXiv  Detail & Related papers  (2023-11-24T18:54:00Z)
• Putting a Padlock on Lambda -- Integrating vTPMs into AWS Firecracker [49.1574468325115]
  Software services place implicit trust in the cloud provider, without an explicit trust relationship. There is currently no cloud provider that exposes Trusted Platform Module capabilities. We improve trust by integrating a virtual TPM device into the Firecracker, originally developed by Amazon Web Services.
  arXiv  Detail & Related papers  (2023-10-05T13:13:55Z)
• SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
  We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes. SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices. We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
  arXiv  Detail & Related papers  (2023-09-26T08:11:38Z)
• Distributed Symmetric Key Establishment: A scalable, quantum-proof key distribution system [0.8192907805418583]
  We propose and implement a protocol for a scalable, cost-effective, information-theoretically secure key distribution and management system. The system, called Distributed Symmetric Key Establishment (DSKE), relies on pre-shared random numbers between DSKE clients and a group of Security Hubs.
  arXiv  Detail & Related papers  (2022-05-02T01:46:11Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.