UO CIS 607 - Towards Trusted Cloud Computing


Towards Trusted Cloud Computing

Nuno Santos, Krishna P. Gummadi, Rodrigo Rodrigues
MPI-SWS

Abstract

Cloud computing infrastructures enable companies to cut costs by outsourcing computations on-demand. However, clients of cloud computing services currently have no means of verifying the confidentiality and integrity of their data and computation.

To address this problem we propose the design of a trusted cloud computing platform (TCCP). TCCP enables Infrastructure as a Service (IaaS) providers such as Amazon EC2 to provide a closed box execution environment that guarantees confidential execution of guest virtual machines. Moreover, it allows users to attest to the IaaS provider and determine whether or not the service is secure before they launch their virtual machines.

1 Introduction

Companies can greatly reduce IT costs by offloading data and computation to cloud computing services. Still, many companies are reluctant to do so, mostly due to outstanding security concerns. A recent study [2] surveyed more than 500 chief executives and IT managers in 17 countries, and found that despite the potential benefits, executives “trust existing internal systems over cloud-based systems due to fear about security threats and loss of control of data and systems”. One of the most serious concerns is the possibility of confidentiality violations. Either maliciously or accidentally, cloud provider’s employees can tamper with or leak a company’s data. Such actions can severely damage the reputation or finances of a company.

In order to prevent confidentiality violations, cloud services’ customers might resort to encryption. While encryption is effective in securing data before it is stored at the provider, it cannot be applied in services where data is to be computed, since the unencrypted data must reside in the memory of the host running the computation. In Infrastructure as a Service (IaaS) cloud services such as Amazon’s EC2, the provider hosts virtual machines (VMs) on behalf of its customers, who can do arbitrary computations. In these systems, anyone with privileged access to the host can read or manipulate a customer’s data. Consequently, customers cannot protect their VMs on their own.

Cloud service providers are making a substantial effort to secure their systems, in order to minimize the threat of insider attacks, and reinforce the confidence of customers. For example, they protect and restrict access to the hardware facilities, adopt stringent accountability and auditing procedures, and minimize the number of staff who have access to critical components of the infrastructure [8]. Nevertheless, insiders that administer the software systems at the provider backend ultimately still possess the technical means to access customers’ VMs. Thus, there is a clear need for a technical solution that guarantees the confidentiality and integrity of computation, in a way that is verifiable by the customers of the service.

Traditional trusted computing platforms like Terra [4] take a compelling approach to this problem. For example, Terra is able to prevent the owner of a physical host from inspecting and interfering with a computation. Terra also provides a remote attestation capability that enables a remote party to determine upfront whether the host can securely run the computation. This mechanism reliably detects whether or not the host is running a platform implementation that the remote party trusts. These platforms can effectively secure a VM running in a single host. However, many providers run datacenters comprising several hundreds of machines, and a customer’s VM can be dynamically scheduled to run on any one of them. This complexity and the opaqueness of the provider backend create vulnerabilities that traditional trusted platforms cannot address.

This paper proposes a trusted cloud computing platform (TCCP) for ensuring the confidentiality and integrity of computations that are outsourced to IaaS services. The TCCP provides the abstraction of a closed box execution environment for a customer’s VM, guaranteeing that no cloud provider’s privileged administrator can inspect or tamper with its content. Moreover, before requesting the service to launch a VM, the TCCP allows a customer to reliably and remotely determine whether the service backend is running a trusted TCCP implementation. This capability extends the notion of attestation to the entire service, and thus allows a customer to verify if its computation will run securely.

Figure 1: Simplified architecture of Eucalyptus.

In this paper we show how to leverage the advances of trusted computing technologies to design the TCCP. Section 2 introduces these technologies and describes the architecture of an IaaS service. Section 3 presents our design of TCCP. Although we do not yet have a working prototype of TCCP, the design is sufficiently detailed that we are confident that a solution to the problem under discussion is possible.

2 Background

2.1 Infrastructure as a Service

Today, myriads of cloud providers offer services at various layers of the software stack. At lower layers, Infrastructure as a Service (IaaS) providers such as Amazon, Flexiscale, and GoGrid allow their customers to have access to entire virtual machines (VMs) hosted by the provider. A customer, and user of the system, is responsible for providing the entire software stack running inside a VM. At higher layers, Software as a Service (SaaS) systems such as Google Apps offer complete online applications that can be directly executed by their users.

The difficulty in guaranteeing the confidentiality of computations increases for services sitting on higher layers of the software stack, because services themselves provide and run the software that directly manipulates customer’s data (e.g., Google Docs). In this paper we focus on the lower layer IaaS cloud providers where securing a customer’s VM is more manageable.

While very little detail is known about the internal organization of commercial IaaS services, we describe (and base our proposal on) Eucalyptus [6], an open source IaaS platform that offers an interface similar to EC2. Figure 1 presents a very simplified architecture of Eucalyptus. This system manages one or more clusters whose nodes run a virtual machine monitor (typically Xen) to host customers’ VMs. Eucalyptus comprises a set of components to manage the clusters. For simplicity, our description aggregates all these components in a single cloud manager (CM) that

