Attestation of integrity of overlay networks

Abstract

Security of overlay networks requires that the integrity of the software stack of a node is attested not only when a node joins an overlay but continuously, to discover updates of its configuration due to malware. We present a framework that integrates an initial attestation and a continuous node monitoring that strongly separates the software of a node from the attestation system by running them in two virtual machines (VMs). The Monitored VM (Mon-VM) runs the applicative software while the Assurance VM (A-VM) exploits virtual machine introspection to access the status of the Mon-VM to attest and monitor the integrity of its software stack. Before a node can join an overlay, the A-VM of one overlay node interacts with the A-VM of the joining node to attest the integrity of the Mon-VM. After this start-up attestation, the A-VM continuously monitors the behavior of the Mon-VM of its node to detect the injection of malware. Monitoring strategies range from the evaluation of assertions on memory areas of the OS to the comparison of the application behavior against the expected one. The expected behavior is defined by the overlay security policy or computed by applying static tools to the application source code. To define a root-of-trust for the measurements, each node includes a TPM to attest the integrity of the A-VM and of the underlying VMM. We present the resulting system architecture and discuss the main design choices, the underlying threat model as well as the implementation of a prototype.