Measuring the integrity of critical operating system components and securely storing these measurements in a hardware-protected Trusted Platform Module (TPM) is a well-known approach for improving system security. However, currently it is not possible to securely extend this approach to TPMs used in virtualized environments while maintaining the same level of security.
In our research, we investigated how to multiplex integrity measurements originating from arbitrarily many Virtual Machines (VMs) with just a single standard TPM. In contrast to existing approaches such as Virtual Trusted Platform Module (vTPM), our approach achieves a higher level of security since measurements, once stored, will never be held in software but are fully hardware-protected by the TPM at all times.
We developed a remote attestation protocol that enables the integrity reporting of individual VMs. We established an integrity-protected mapping between each measurement and its respective VM such that it is not possible for an attacker to alter this mapping during remote attestation without being detected. Furthermore, all measurements are be stored in the TPM in a concealed manner in order to prevent information leakage of other VMs during remote attestation.
The experimental results of our proof of concept implementation show the feasibility of our approach.