Journal: Concurrency and computation: practice and experience

Secure cryptographic functions via virtualization-based outsourced computing


Abstract

Cryptographic functions, such as encryption/decryption libraries, are common and important tools for applications to enhance the confidentiality of data. However, these functions could be compromised by subtle attacks launched by an untrusted operating system or other applications, and sensitive keys or cryptographic procedures could then be compromised. In this paper, based on virtualization technology, we propose a novel approach that outsources the cryptographic functions in one virtual machine (VM) into another dedicated VM, so that sensitive keys and the cryptographic procedures are contained only in this special-purpose VM. We also propose a prototype, called cryptographic function assurance (CFA), to enhance the security of cryptographic functions. Taking OpenSSL as an example, CFA allows applications that use the OpenSSL library to transparently utilize CFA to protect the cryptographic functions. We present the detailed implementation, as well as the security analysis, of CFA. We also give a performance evaluation for OpenSSL's interfaces and Apache httpd to show the overhead caused by the integration of CFA. Copyright © 2015 John Wiley & Sons, Ltd.

Bibliographic details

  • Author affiliations

    Huazhong University of Science and Technology, Services Computing Technology and System Lab and Cluster and Grid Computing Lab, School of Computer Science and Technology, Wuhan, China;

    Huazhong University of Science and Technology, Services Computing Technology and System Lab and Cluster and Grid Computing Lab, School of Computer Science and Technology, Wuhan, China;

    Huazhong University of Science and Technology, Services Computing Technology and System Lab and Cluster and Grid Computing Lab, School of Computer Science and Technology, Wuhan, China;

    Huazhong University of Science and Technology, Services Computing Technology and System Lab and Cluster and Grid Computing Lab, School of Computer Science and Technology, Wuhan, China;

  • Original format: PDF
  • Language of text: eng
  • Keywords

    cryptographic functions; virtualization; untrusted OS; outsourced computing;
