Professor Peng Ning, of the computer science department of the engineering school at North Carolina State University, wrote the 300 lines of code that are all that needs to be trusted in order to ensure security.
Cloud security has special needs, especially in public clouds, where your data may be stored and processed on the same servers as your competitors' data. However, by repurposing the System Management Mode (SMM) hardware on x86 multi-core processors, IBM and North Carolina State University claim that secure isolated partitions can be easily managed. Their results will be presented at this month's ACM Conference on Computer and Communications Security (Oct. 17-21, 2011, Chicago, Ill.).
Today, malware has a chance to get a foothold in thousands of lines of vulnerable code, any single entry point of which could yield unauthorized access to entire computing environments. By contrast, IBM's and North Carolina State's Strongly Isolated Computing Environment (SICE) reduces its vulnerable-code footprint from thousands of lines to just a few hundred lines that guarantee isolation among users.
"Our approach relies on a software foundation called the trusted computing base, that has approximately 300 lines of code," said Professor Peng Ning, of the computer science department of the engineering school at North Carolina State University. "Only these 300 lines of code need to be trusted in order to ensure isolation."
Ning worked with IBM T.J. Watson Research Center to create SICE. Using the SMM hardware of x86 multi-core processors, the researchers crafted a trusted computing base that manages secure, isolated environments in which to run separate users' jobs. Any malware that gets into a user's applications or data will not impact other users, and can be easily "flushed" when detected by closing and reloading that user's jobs.
The SMM runs below even the hypervisor and operating system and answers only to code in the firmware BIOS plus the aforementioned 300 lines that implement the SMM. By isolating each workload on a separate core independently of the hypervisor, immunity to malware is combined with peace of mind about the security of sensitive data being processed in public clouds. SMM isolates and secures each separate computing environment so that its data exists only while in use and is never exposed to other cloud users, the inventors claim.
The SICE framework adds about 3 percent overhead to system performance for most jobs, but slows down when direct network access is required by an application. The researchers said their next task was to optimize performance overhead for multi-core processors that require direct network access.
SICE was created by Ning with Xiaolan Zhang, a member of the technical staff at IBM’s T.J. Watson Research Center, and NC State doctoral candidate Ahmed Azab. Funding was provided by the National Science Foundation, the U.S. Army Research Office and IBM.