Trusted Execution Environments in Cloud Computing

Thumbnail Image
Journal Title
Journal ISSN
Volume Title
School of Science | Doctoral thesis (article-based) | Defence date: 2021-12-21
Degree programme
84 + app. 58
Aalto University publication series DOCTORAL DISSERTATIONS, 171/2021
Cloud technologies have become ubiquitous, being widely used by a variety of users: from individuals to large corporations. Without a doubt, clouds offer major benefits that make them attractive, such as elasticity, scalability, availability, and reliability. However, users' data privacy and security are two main concerns when data is processed in the cloud. Currently, users have to trust cloud providers for processing their data securely, not disclosing it to third parties maliciously or by mistake, and applying best security practices. Largely this trust is based on the cloud provider's reputation: it is in the interest of cloud providers to take security seriously; otherwise, they may lose customers. However this trust model does not provide the technical means of security assurance.   Trusted Execution Environments (TEEs) can be used to change the situation. It is a very promising technology that enables secure computation on a remote host. Applying TEEs to cloud environments changes the trust model: customers no longer need to rely on the reputation of the cloud provider. The main reason is that a TEE provides the ability to execute arbitrary code in isolation from the underlying operating system or the hypervisor. Additionally, it is possible to remotely verify what code is running inside a TEE. The trust is based on the hardware and technically it is moved from the cloud provider to the hardware manufacturer.   This work addresses the following challenges when developing TEE applications and deploying TEEs in the cloud. First, how to build scalable applications while maintaining TEE security guarantees? Second, how to reconcile hardware-based TEEs with existing cloud practices? Third, how to utilize TEEs to provide trustworthy resource measurements in the cloud? The contributions of this dissertation are developing two scalable Trusted Applications for cloud environments, a TEE migration framework to support Virtual Machine migration in the cloud, and a secure resource measurement framework based on TEEs. The contributions form an important step forward towards a wider deployment of TEEs in the cloud that opens opportunities for cloud providers and their clients to benefit from assurance based on hardware and stronger security guarantees.
Supervising professor
Asokan, N., Prof., Aalto University, Department of Computer Science, Finland
Thesis advisor
Paverd, Andrew, Dr., Microsoft Research, England
TEE, cloud computing, remote attestation
Other note
  • [Publication 1]: Klaudia Krawiecka, Arseny Kurnikov, Andrew Paverd, Mohammad Mannan, N. Asokan. SafeKeeper: Protecting Web Passwords using Trusted Execution Environments. In Proceedings of the 2018 World Wide Web Conference, Lyon, France, pp. 349-358, April 2018.
    Full text in Acris/Aaltodoc:
    DOI: 10.1145/3178876.3186101 View at publisher
  • [Publication 2]: Arseny Kurnikov, Andrew Paverd, Mohammad Mannan, N. Asokan. Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials. In Proceedings of the 13th International Conference on Availability, Reliability and Security, Hamburg, Germany, pp. 40:1-40:10, August 2018.
    DOI: 10.1145/3230833.3234518 View at publisher
  • [Publication 3]: Fritz Alder, Arseny Kurnikov, Andrew Paverd, N. Asokan. Migrating SGX Enclaves with Persistent State. In IEEE/IFIP International Conference on Dependable Systems and Networks, Luxembourg City, pp. 195-206, June 2018.
    DOI: 10.1109/DSN.2018.00031 View at publisher
  • [Publication 4]: Fritz Alder, N. Asokan, Arseny Kurnikov, Andrew Paverd, Michael Steiner. S-FaaS: Trustworthy and Accountable Function-as-a-Service using Intel SGX. In CCSW 2019: The ACM Cloud Computing Security Workshop, London, UK, pp. 185-199, November 2019.
    DOI: 10.1145/3338466.3358916 View at publisher