Secure control of portable images in a virtual computing utility

Publication, Journal Article
Constandache, I; Yumerefendi, A; Chase, J
Published in: Proceedings of the ACM Conference on Computer and Communications Security
December 1, 2008

A virtual computing utility hosts guest virtual machines on server provider sites. Each VM is an instantiation of some image or virtual appliance, which might be supplied by the VM owner or a third-party image provider. This paper addresses the problem of establishing a secure channel between a VM and an automated controller running on behalf of the VM's authorized owner. A secure channel is an essential toehold for post-install actions by the controller to adapt the VM to its local environment, join it to an application service, and/or monitor and control its execution. A simple and practical solution is to modify an image for a particular site or owner, e.g., by pre-installing keys or tokens onto the image. That approach compromises the portability of images, and could interfere with image sharing, use of new operating systems on image appliances, or endorsement of standard images by image providers. This paper presents an alternative solution that preserves the portability of images. The solution employs a standard keymaster service on the images. The keymaster and controller conduct a one-round binding protocol for mutual authentication and key exchange, seeded by secure tokens passed from the utility boot authority. The binding protocol relies only on security mechanisms at the transport layer and above, so it is suitable for use with remote controllers. Copyright 2008 ACM.

Published In

Proceedings of the ACM Conference on Computer and Communications Security

DOI

ISSN

1543-7221

Publication Date

December 1, 2008

Start / End Page

1 / 8
 

Citation

APA: Constandache, I., Yumerefendi, A., & Chase, J. (2008). Secure control of portable images in a virtual computing utility. Proceedings of the ACM Conference on Computer and Communications Security, 1–8. https://doi.org/10.1145/1456482.1456484

Chicago: Constandache, I., A. Yumerefendi, and J. Chase. “Secure control of portable images in a virtual computing utility.” Proceedings of the ACM Conference on Computer and Communications Security, December 1, 2008, 1–8. https://doi.org/10.1145/1456482.1456484.

ICMJE: Constandache I, Yumerefendi A, Chase J. Secure control of portable images in a virtual computing utility. Proceedings of the ACM Conference on Computer and Communications Security. 2008 Dec 1;1–8.

MLA: Constandache, I., et al. “Secure control of portable images in a virtual computing utility.” Proceedings of the ACM Conference on Computer and Communications Security, Dec. 2008, pp. 1–8. Scopus, doi:10.1145/1456482.1456484.

NLM: Constandache I, Yumerefendi A, Chase J. Secure control of portable images in a virtual computing utility. Proceedings of the ACM Conference on Computer and Communications Security. 2008 Dec 1;1–8.
