Enhancing security of cloud service systems by leveraging hardware-based isolation technology

Hardware-based isolation technologies have been adopted within cloud environments to meet the demand for secure and scalable security services. However, a naïve adoption of hardware-based isolation fails to protect on-cloud services against emerging security threats that arise from the untrusted nature of a cloud environment. It is also challenging to apply hardware-based isolation to legacy on-cloud services while balancing security, flexibility, scalability, and performance, because doing so requires expertise in multiple domains. In this dissertation, we argue that providing high-level abstractions of hardware-based isolation that encapsulate security-sensitive components helps in implementing secure and scalable on-cloud services. To substantiate this claim, we present the design and implementation of two security service systems. First, we present EVE, a secure middlebox framework that provides visibility into encrypted traffic across multiple encryption protocols. EVE securely processes encrypted traffic by combining a trusted execution environment (TEE) with software security technology, and it provides high-level abstractions for secure middlebox processing. These abstractions reduce engineering effort while supporting diverse use cases over multiple encryption protocols. Second, we propose ScaleTrust, a scalable and secure key management system that virtualizes cloud-backed hardware security modules (HSMs) using a TEE. The virtual HSM partition abstracts away the details of secure key management, such as secure channel establishment and the verification of isolated key usage. By isolating each virtual HSM partition, ScaleTrust provides multi-tenant scalability and security against insider threats in an untrusted cloud environment.
Advisors
Han, Dongsu
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2022
Identifier
325007
Language
eng
Description

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering, 2022.8, [iv, 63 p.]

Keywords

Cloud System and Security; Trusted Execution Environment; Network Middlebox; Hardware Security Module; Key Management System

URI
http://hdl.handle.net/10203/309213
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=1007940&flag=dissertation
Appears in Collection
EE-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.
