Research Article
virtio-ct: A Secure Cryptographic Token Service in Hypervisors
@INPROCEEDINGS{10.1007/978-3-319-23802-9_22, author={Le Guan and Fengjun Li and Jiwu Jing and Jing Wang and Ziqiang Ma}, title={virtio-ct: A Secure Cryptographic Token Service in Hypervisors}, proceedings={International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part II}, proceedings_a={SECURECOMM}, year={2015}, month={12}, keywords={Virtual cryptographic token KVM Virtio}, doi={10.1007/978-3-319-23802-9_22} }- Le Guan
Fengjun Li
Jiwu Jing
Jing Wang
Ziqiang Ma
Year: 2015
virtio-ct: A Secure Cryptographic Token Service in Hypervisors
SECURECOMM
Springer
DOI: 10.1007/978-3-319-23802-9_22
Abstract
Software based cryptographic services are subject to various memory attacks that expose sensitive keys. This poses serious threats to data confidentiality of the stakeholder. Recent research has made progress in safekeeping these keys by employing isolation at all levels. However, all of them depend on the security of the operating system (OS), which is extremely hard to guarantee in practice. To solve this problem, this work designs a virtual hardware cryptographic token with the help of virtualization technology. By pushing cryptographic primitives to ring -1, sensitive key materials are never exposed to the guest OS, thus confidentiality is retained even if the entire guest OS is compromised. The prototype implements the RSA algorithm on KVM and we have developed the corresponding driver for the Linux OS. Experimental results validate that our implementation leaks no copy of any sensitive material in the “guest-physical” address space of the guest OS. Meanwhile, nearly 1,000 2048-bit RSA private requests can be served per second.
