OB-IMA: out-of-the-box integrity measurement approach for guest virtual machines

摘要

Infrastructure as a Service cloud provides elasticity and scalable virtual machines (VMs) as computingrnservice to multiple tenants, but the tenants lose the full control of their data. Measuring the integrity ofrncritical files of the VMs and providing the integrity attestation to the tenants on the basis of TCG trustedrncomputing techniques is an effective way to alleviate their anxiety. This paper considers how to measurernthe integrity of the processes run in guest VMs and files opened in guest VMs. We propose an out-of-theboxrnintegrity measurement approach to measure the integrity of critical files through system call (syscall)rninterception without any modification of the guest VMs. Out-of-the-box integrity measurement approachrncan not only measure the integrity of all files that have been considered by existing approaches but alsornmeasure the integrity of the system configuration files, program loaders, and script interpreters, which affectrnthe system behaviors and integrity. The ability of supporting both system and manual measurement policiesrnmakes our approach flexible. We implement this approach in Xen hypervisor with little modification of thernexisting syscall interception method, and this approach can be ported to other virtualization platform easily.