Researchers from North Carolina State University and IBM are claiming a major breakthrough in the way cloud computing architectures protect sensitive information.
They have developed a new, experimental technique to isolate sensitive information and workload from the rest of the functions performed by a hypervisor – without, they claim, significantly affecting the system’s overall performance.
The new technique, called “Strongly Isolated Computing Environment” (SICE), introduces a different layer of security protection at the software framework level. It is designed to tackle longstanding concerns that attackers could exploit hypervisor vulnerabilities to steal or corrupt confidential data in a cloud.
Dr. Peng Ning, a professor of computer science at North Carolina State and co-author of a paper describing the research, said the SICE technique significantly reduces the “surface” that can be attacked by malicious software.
“Our approach relies on a software foundation called the Trusted Computing Base, or TCB, that has approximately 300 lines of code, meaning that only these 300 lines of code need to be trusted in order to ensure the isolation offered by our approach,” he said.
“Previous techniques have exposed thousands of lines of code to potential attacks. We have a smaller attack surface to protect.”
The technique is also designed to let programmers dedicate specific cores on commodity multi-core processors to the sensitive workload. By confining the sensitive workload to one or a few cores with strong isolation, and allowing other functions to operate separately, researchers said SICE provides both high assurance for the sensitive workload and efficient resource sharing in a cloud.
In testing, the researchers reported that the SICE framework imposed a performance overhead of approximately three per cent on the multi-core system for workloads that do not require direct network access.
“That is a fairly modest price to pay for the enhanced security,” Ning said. However, he added that more research was needed to further speed up the workloads that require interactions with the network.