<div class='slidealt'>Experience kvm <a title='virtualization for embedded heterogeneous arm core platforms' href='/en/products'>virtualization extensions</a></div> <div class='slidealt'>Benefit from custom <a title='kvm on arm services full virtualization' href='/en/services'>virtualization services</a></div> <div class='slidealt'>KVM on ARMv7 and ARMv8 <a title='kvm-on-arm open source smu extensions' href='/en/solutions/guides/vfio-on-arm/'>IOMMU full virtualization</a></div> <div class='slidealt'>Virtualization research projects <a title='ARM multicore kvm open source' href='/en/research'>in cloud and embedded systems</a></div> <div class='slidealt'>Virtualization solutions for heterogeneous <a title='ARMv7-ARMv8 virtualization open source solutions' href='/en/solutions'>ARM multicore systems</a></div>

Virtual Open Systems Scientific Publications

Secure location-aware VM deployment on the edge through OpenStack and ARM TrustZone

Secure geofencing virtualization on the IoT edge through OpenStack trustedvim and ARM TrustZone

Event

European Conference on Networks and Communications (EuCNC 2019), Valencia, Spain, June 18-21.

European Conference on Networks and Communications - EUCNC 2019

Keywords

security, virtualization, cloud, edge computing, geo-fencing, asset tag, Trusted Execution Environment, TEE, OP-TEE, ARM TrustZone, VIM, Virtualized Infrastructure Manager, OpenStack

Authors

Teodora Sechkova, Enrico Barberis, Michele Paolino

Acknowledgement

This work was partly funded by the European Commission under the European Union's Horizon 2020 program – grant agreement number 761508 (5GCity project). The paper solely reflects the views of the authors. The Commission is not responsible for the contents of this paper or any use made thereof.

Abstract

In recent years, there is an ongoing computational shift from the data center to the network edge. Due to the increased hardware capabilities of devices, the edge can also benefit from the dynamic and scalable services provided by the virtualization technologies. In turn, the edge computing brings low-latency and reduced network traffic, location-awareness and local caching. However, the new capabilities unlock new challenges in terms of security, data and workload location.

In this work, we focus on the threats caused by the heterogeneous and distributed nature of the edge infrastructure. We build a trusted edge based on the hardware isolation of ARM TrustZone. Moreover, we use it as a secure foundation to perform location-aware virtual machine deployment utilizing the dispersed nature of the infrastructure. We measure the performance of our solution and discuss the overall overhead and potential improvements.

Introduction

Nowadays, cloud computing is an established paradigm adopted by the business, the industry and the mass users alike. By the means of the virtualization technologies, the cloud provides dynamic and scalable compute, network and storage resources in the form of different services. In the meantime, the processing capabilities of the end devices are continuously growing, hence the ongoing shift of the computation from the data center to the network edge equipment. The utilization of the computing power of edge devices is a common subject of fog, edge and multi-access edge computing. In particular, the distributed device locations closer to the users allow for low-latency communication, reduced network traffic, location-awareness and local caching. When such advantages are combined with virtualization technologies, edge computing becomes a natural part of concepts like Software-Defined Networking (SDN), Network Functions Virtualization (NFV) and Fifth Generation (5G) mobile networks.

As with any other new technology, edge computing brings new challenges together with the new opportunities. Undoubtedly, security is among the most important ones, though often neglected. Various surveys exist, analyzing cloud and edge security threats in different aspects and contexts. The dispersed edge infrastructure often relies on wireless connectivity which makes it vulnerable to man-in-the-middle attacks. Remote or difficult to secure locations also increase the risk of tampering or replacement, therefore, extra measures need to be taken to verify the authenticity and integrity of the edge devices.

Another challenge is related to the data and workload location. In a cloud environment, the actual location of the servers running the workloads and storing the data is known only to the cloud owner or provider. Yet some data may be a subject of sensitive policies which restrict its placement into specific geographic boundaries. This is even more likely for the edge, where the physical hosts have inherently distributed nature. Moreover, the Quality of Service (QoS) may require placing the workloads in close proximity to the end user, for example, to achieve a required minimum latency of a streaming service.

Solving all challenges of the edge computing at once is an ambitious task, however, any of its sub-tasks is an interesting research topic by itself. In this work, we focus on the problem of workload location and we propose a location-aware virtual machine (VM) deployment on the edge. We built an edge infrastructure of trusted ARM devices, able to support hosts authentication and integrity check as well as to securely store geolocation information. In order to achieve completeness of our edge computing system, we use the management capabilities of OpenStack and we integrate attestation and geo-fencing functionality in the OpenStack Compute project.

The next sections are organized as follows. Section II gives some background on the topics of trusted computing and geo-fencing. The architecture and details of the proposed solution are given in Section III followed by experimental setup and results in Section IV. In the end, we present a short survey of related works and give our conclusions in Sections V and VI.

Access the full content of this publication

Login or register to access full information