Putting a Padlock on Lambda - Integrating vTPMs into AWS Firecracker
Paper in proceeding, 2023
When software services use cloud providers to run their workloads, they place implicit trust in the cloud provider, without an explicit trust relationship. One way to achieve such explicit trust in a computer system is to use a hardware Trusted Platform Module (TPM), a coprocessor for trusted computing. However, in the case of managed platform-as-a-service (PaaS) offerings, there is currently no cloud provider that exposes TPM capabilities. In this paper, we improve trust by integrating a virtual TPM device into the Firecracker hypervisor, originally developed by Amazon Web Services. In addition to this, multiple performance tests along with an attack surface analysis are performed to evaluate the impact of the changes introduced. We discuss the results and conclude that the slight performance decrease and attack surface increase are acceptable trade-offs in order to enable trusted computing in PaaS offerings.
Linux
Trust
Cloud
Virtualisation
TPM
Firecracker
Platform-as-a-Service
Author
Melker Veltman
Chalmers, Physics, Subatomic, High Energy and Plasma Physics
Alexandra Parkegren
Student at Chalmers
Victor Morel
Chalmers, Computer Science and Engineering (Chalmers), Information Security
Proceedings - 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom/BigDataSE/CSE/EUC/iSCI 2023
1377-1384
979-835038199-3 (ISBN)
22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2023
Exeter, United Kingdom,
Exeter, United Kingdom,
Subject Categories
Computer Science
Computer Systems
DOI
10.1109/TrustCom60117.2023.00188