University researchers and IBM have developed an experimental technique that offers increased security for sensitive information in cloud computing. The approach, called Strongly Isolated Computing Environment [ SICE ], provides a “different layer of protection” without significantly affecting the system’s performance.
According to Peng Ning, computer science associate professor, cloud computing allows different users to share a common resource — in most cases that is the Internet or networked computer servers.
“Users have no option but to trust their service providers, the hardware and software provided by them,” Ning said. “The concern arises when a user has to put some sensitive data in the computing cloud. There is every possibility for other entities to access the data.”
Cloud computing technology has programs called hypervisors . Ning said hypervisors control everything and virtualize computer hardware and the software.
“In this technology, the hypervisor is the trusted computing base, [or TCB ],” Ning said. “TCB is a software foundation. All functions fundamentally rely on this. Simply put, if the TCB works correctly, it can guarantee security. If this hypervisor is compromised, then there’s nothing that can be done.”
There was a need to reduce the size of the TCB and make the hypervisor independent of the TCB . According to Ning, the current TCB has several thousands of lines of codes.
“We reduced that to 300 lines of coding,” Ning said. “This means there is a very small portion that we need to protect and trust. Also, the cost of verifying it will be less.”
According to Ning, a core is the brain of a computer chip and many computers now use chips that have between two and eight cores. Users can now use shared resources and still have the security they need to work.
“This isolation of sensitive information and workload from the rest of the functions performed by a hypervisor is the SICE ,” Ning said. “In testing, the SICE framework took up approximately 3 percent of the system’s performance overhead on multi-core processors for workloads that do not require direct network access.”
According to Ahmed Azab , a computer science Ph.D . student, there is not always a well-defined goal in research, but rather high-level objectives.
“I was driven by the objective to provide enhanced security to customers,” Azab said. “One of the ideas was to turn to hardware features for higher security. For instance, using a system management mode offers embedded protection that does not allow malicious software.”
Ning’s next move is to implement this in Intel processors.
