The American University in Cairo School of Sciences and Engineering Using Trusted Platform Module for securing virtual environment access in Cloud A Thesis Submitted to Department of Computer Science and Engineering in partial fulfillment of the requirements for the degree of Master of Science by Asser Sherif under the supervision of Professor. Amr El-Kadi December/2014 ACKNOWLEDGMENTS I would like to thank my Thesis supervisor, Professor Amr El-Kadi for all his encouragement, patience and support who without his guidance and motivation I would have not been able to accomplish this work. I would also like to thank my Thesis supervision committee members, Professor Sherif El-Kassas, Professor Sherif Gamal Ali and Professor Ali Fahmy for their support and insightful comments. Thanks also go to my Family and friends who supported me throughout this long period and encouraged me all the time to get it done. ii ABSTRACT The American University in Cairo, Department of Computer Science and Engineering Using Trusted Platform Module for Securing Virtual Environment Access in Cloud Asser Sherif Supervisor: Prof. Amr El-Kadi Keywords: Trusted Platform Module (TPM), Machine Authentication, Virtualization Security, Multi-Tenancy, Malicious Insiders, Machine Identity With the increasing usage of Cloud and the Virtualization technology, there comes also an increasing demand to ensure the security levels of all computing environments and components associated and accordingly in this work we propose a new machine authentication mechanism using Trusted Platform Module that can be used to provide a secure access to virtual environments in the cloud. The proposed authentication module is aiming to contribute in providing a solution to Poor machine identity, Multi-tenancy as well as Malicious insiders known security problems in the cloud. It is targeting the access security to graphical user interface of virtual machines hosted on VirtualBox hypervisor in a Linux based environment through authenticating clients trying to connect using the client’s Trusted Platform Module Public Endorsement key as a pre-authorized signature to the virtual environment in addition to the normal user name and password authentication of the connecting user. Results obtained from the output of this work indicates that it is possible to authenticate the machines based on their Trusted Platform Module signatures and provide them access to VirtualBox environment only based on a pre-defined Access Control List with minimal one time overhead upon establishing the initial connection. iii LIST OF ACRONYMS ACL Access Control List AIK Attestation Identity Key CA Certificate Authority DAA Direct Anonymous Attestation EK Endorsement Key LTS Long Term Support PAM Pluggable Authentication Module PCA Privacy Certificate Authority PCR Platform Configuration Register RDP Remote Desktop Protocol SCP Secure Copy SRK Storage Root Key TCG Trusted Computing Group TNC Trusted Network Connect TPM Trusted Platform Module UUID Universal Unique Identifier VM Virtual Machine VMM Virtual Machine Monitor VRDP VirtualBox Remote Desktop Protocol iv TABLE OF CONTENTS LIST OF TABLES .................................................................................................... VIII LIST OF FIGURES .................................................................................................... IX 1 BACKGROUND .................................................................................................... 1 1.1 CLOUD COMPUTING .................................................................................. 1 1.1.1 Cloud Computing Service Models........................................................... 1 1.1.2 Cloud Computing Deployment Models ................................................... 3 1.2 VIRTUALIZATION TECHNOLOGY........................................................... 4 1.3 IN-SCOPE SECURITY CHALLENGES ....................................................... 5 1.3.1 Identity Management ............................................................................... 5 1.3.2 Multi-tenancy ........................................................................................... 6 1.3.3 Malicious Insiders .................................................................................... 7 1.4 TRUSTED PLATFORM MODULE .............................................................. 7 1.4.1 TPM Components .................................................................................... 9 1.5 TPM RELATED RESEARCH ..................................................................... 11 1.5.1 C-MAS: The Cloud Mutual Authentication Scheme............................. 11 1.5.2 Enabling Trusted Distributed Control with Remote Attestation ........... 12 1.5.3 The Trusted Platform Module (TPM) and Sealed Storage .................... 12 1.6 FUTURE DIRECTIONS FOR USING TPM ............................................... 13 2 INTRODUCTION ................................................................................................ 14 2.1 PROBLEM STATEMENT ........................................................................... 14 2.2 OBJECTIVE & MOTIVATION ................................................................... 14 3 PROPOSED SOLUTION..................................................................................... 16 3.1 HIGH LEVEL DESIGN ............................................................................... 16 3.2 ARCHITECTURE ........................................................................................ 16 3.3 PROCESS FLOW ......................................................................................... 18 4 IMPLEMENTATION .......................................................................................... 22 4.1 PREREQUISITES ........................................................................................ 22 4.1.1 Server ..................................................................................................... 22 4.1.2 Clients .................................................................................................... 22 v 4.1.3 Accounts ................................................................................................ 22 4.2 ENVIRONMENT SETUP ............................................................................ 23 4.2.1 VirtualBox 4.3.8 .................................................................................... 23 4.2.1.1 Remote Display .................................................................................. 24 4.2.1.1.1 VRDP Server ..................................................................................... 24 4.2.1.1.2 RDP Authentication ........................................................................... 25 4.2.1.2 Network .............................................................................................. 26 4.2.2 TPM ....................................................................................................... 27 4.2.3 rDesktop 1.7.1 ........................................................................................ 29 4.2.4 SQLite 3.8.4.3 ........................................................................................ 29 4.2.5 OpenSSH ............................................................................................... 29 4.3 MATERIAL AND METHODS .................................................................... 30 4.3.1 SQLite .................................................................................................... 30 4.3.2 ACL Administration Module ................................................................. 31 4.3.3 rDesktop ................................................................................................. 34 4.3.4 VirtualBox ............................................................................................. 35 4.3.4.1 Populating the ACL with VirtualBox virtual machines info ............. 35 4.3.4.2 Handling the client machine TPM Authentication ............................ 35 5 RESULTS ............................................................................................................. 37 5.1 TESTING ENVIRONMENT ........................................................................ 37 5.2 TESTING APPROACH ................................................................................ 37 5.3 TPM MODULE TESTING ........................................................................... 38 5.4 TEST RESULTS ........................................................................................... 40 5.5 TEST RESULTS ANALYSIS ...................................................................... 40 5.5.1 Difference between PAM authentication with and without TPM authentication ....................................................................................................... 41 5.5.2 Difference between VBoxAuthSimple authentication with and without TPM authentication .............................................................................................. 42 5.5.3 Difference between PAM & VBoxAuthSimple using TPM authentication ....................................................................................................... 42 5.5.4 Difference between PAM & VBoxAuthSimple without using TPM .... 43 5.5.5 Overall comparison between using and not using TPM authentication 44 5.5.6 Standard Deviation Comparison between using and not using TPM .... 45 vi 6 DISCUSSION .....................................................................................................