GB2581717A - Secure processor-based control plane function virtualization in cloud systems - Google Patents

Secure processor-based control plane function virtualization in cloud systems Download PDF

Info

Publication number
GB2581717A
GB2581717A GB2006882.1A GB202006882A GB2581717A GB 2581717 A GB2581717 A GB 2581717A GB 202006882 A GB202006882 A GB 202006882A GB 2581717 A GB2581717 A GB 2581717A
Authority
GB
United Kingdom
Prior art keywords
control plane
function
secure enclave
software defined
secure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB2006882.1A
Other languages
English (en)
Other versions
GB202006882D0 (en
Inventor
Brown Victor
Linton Jeb
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Publication of GB202006882D0 publication Critical patent/GB202006882D0/en
Publication of GB2581717A publication Critical patent/GB2581717A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061Partitioning or combining of resources
    • G06F9/5077Logical partitioning of resources; Management or configuration of virtualized resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0893Assignment of logical groups to network elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0896Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities
    • H04L41/0897Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities by horizontal or vertical scaling of resources, or by migrating entities, e.g. virtual resources or entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W28/00Network traffic management; Network resource management
    • H04W28/02Traffic management, e.g. flow control or congestion control
    • H04W28/10Flow control between communication endpoints
    • H04W28/12Flow control between communication endpoints using signalling between network elements
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0894Policy-based network configuration management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0895Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/40Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/508Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement
    • H04L41/5096Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement wherein the managed service relates to distributed or central networked applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/64Routing or path finding of packets in data switching networks using an overlay routing layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Physics (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
GB2006882.1A 2017-10-25 2018-10-18 Secure processor-based control plane function virtualization in cloud systems Withdrawn GB2581717A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/793,432 US10872145B2 (en) 2017-10-25 2017-10-25 Secure processor-based control plane function virtualization in cloud systems
PCT/EP2018/078626 WO2019081348A1 (en) 2017-10-25 2018-10-18 VIRTUALIZATION OF CONTROL PLANE FUNCTION BASED ON A SECURE PROCESSOR IN CLOUD SYSTEMS

Publications (2)

Publication Number Publication Date
GB202006882D0 GB202006882D0 (en) 2020-06-24
GB2581717A true GB2581717A (en) 2020-08-26

Family

ID=63965665

Family Applications (1)

Application Number Title Priority Date Filing Date
GB2006882.1A Withdrawn GB2581717A (en) 2017-10-25 2018-10-18 Secure processor-based control plane function virtualization in cloud systems

Country Status (6)

Country Link
US (1) US10872145B2 (https=)
JP (1) JP7110339B2 (https=)
CN (1) CN111164571B (https=)
DE (1) DE112018004210T5 (https=)
GB (1) GB2581717A (https=)
WO (1) WO2019081348A1 (https=)

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11126699B2 (en) * 2018-02-07 2021-09-21 Nec Corporation Replica trusted execution environment: enabling seamless replication of trusted execution environment (TEE)-based enclaves in the cloud
US11016798B2 (en) 2018-06-01 2021-05-25 The Research Foundation for the State University Multi-hypervisor virtual machines that run on multiple co-located hypervisors
US10949238B2 (en) * 2018-12-05 2021-03-16 Vmware, Inc. Decoupling compute and storage resources in cloud-based HCI (hyper-converged infrastructure)
US12039354B2 (en) 2019-06-18 2024-07-16 The Calany Holding S. À R.L. System and method to operate 3D applications through positional virtualization technology
US12033271B2 (en) 2019-06-18 2024-07-09 The Calany Holding S. À R.L. 3D structure engine-based computation platform
US12040993B2 (en) 2019-06-18 2024-07-16 The Calany Holding S. À R.L. Software engine virtualization and dynamic resource and task distribution across edge and cloud
US11044080B2 (en) * 2019-06-24 2021-06-22 International Business Machines Corporation Cryptographic key orchestration between trusted containers in a multi-node cluster
US10917288B2 (en) * 2019-06-25 2021-02-09 Bank Of America Corporation Adaptive edge-shift for enterprise contingency operations
JP7327057B2 (ja) * 2019-09-30 2023-08-16 日本電気株式会社 コンテナ制御装置、コンテナ制御方法、およびコンテナ制御プログラム
US11288018B2 (en) * 2020-03-25 2022-03-29 Verizon Patent And Licensing Inc. Method and system for deploying a virtual distributed unit on a network device
US11822949B2 (en) * 2020-04-02 2023-11-21 Vmware, Inc. Guest cluster deployed as virtual extension of management cluster in a virtualized computing system
US11057274B1 (en) * 2020-04-09 2021-07-06 Verizon Patent And Licensing Inc. Systems and methods for validation of virtualized network functions
KR102952068B1 (ko) 2020-04-17 2026-04-13 삼성전자주식회사 소프트웨어 정의 네트워크 시스템에서 통신을 수행하는 방법 및 장치
US11763015B2 (en) * 2020-07-14 2023-09-19 Sympatic, Inc. Securely processing shareable data utilizing a vault proxy
CN113612688B (zh) * 2021-07-14 2023-03-24 曙光信息产业(北京)有限公司 分布式软件定义网络控制系统及其构建方法
CN114035901B (zh) * 2021-11-16 2022-04-15 亿咖通(湖北)技术有限公司 用于运行进程的容器的构建方法、装置和电子设备
CN114244724B (zh) * 2021-11-24 2023-08-29 中盈优创资讯科技有限公司 一种城域网控制平面向容器化演进的方法及装置
US20230259352A1 (en) * 2022-02-11 2023-08-17 Intel Corporation Software updates in a network interface device
EP4476869A1 (en) * 2022-02-15 2024-12-18 Google Llc Secure environment for operations on private data
CN117370983A (zh) * 2022-07-01 2024-01-09 华为云计算技术有限公司 基于云技术的可信执行系统及方法
US20240220331A1 (en) * 2022-07-28 2024-07-04 Rakuten Symphony Singapore Pte. Ltd. Methods, systems, and storage media for implementation of enhanced open digital architecture for support system
US12549440B2 (en) 2023-09-29 2026-02-10 Dell Products L.P. Management of network services through pre-population of management plane from system level view
US12609874B2 (en) * 2023-09-29 2026-04-21 Dell Products L.P. Dynamic subscription based management of networks for computing systems
US20250240293A1 (en) * 2024-01-19 2025-07-24 Dell Products L.P. Multi-tenant secrets manager
US12468807B1 (en) 2025-04-24 2025-11-11 Wiz, Inc. Techniques for control plane level containment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016000160A1 (en) * 2014-06-30 2016-01-07 Alcatel-Lucent Shanghai Bell Co., Ltd. Security in software defined network
US20170054696A1 (en) * 2014-09-03 2017-02-23 Amazon Technologies, Inc. Securing service control on third party hardware
US20170214694A1 (en) * 2014-08-22 2017-07-27 Nokia Technologies Oy A Security and Trust Framework for Virtualized Networks

Family Cites Families (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7447872B2 (en) * 2002-05-30 2008-11-04 Cisco Technology, Inc. Inter-chip processor control plane communication
US7224668B1 (en) * 2002-11-27 2007-05-29 Cisco Technology, Inc. Control plane security and traffic flow management
US7606140B2 (en) * 2003-08-28 2009-10-20 Alcatel Lucent Distributed and disjoint forwarding and routing system and method
US7990993B1 (en) * 2008-02-20 2011-08-02 Juniper Networks, Inc. Platform-independent control plane and lower-level derivation of forwarding structures
US8954752B2 (en) 2011-02-23 2015-02-10 International Business Machines Corporation Building and distributing secure object software
US8578175B2 (en) 2011-02-23 2013-11-05 International Business Machines Corporation Secure object having protected region, integrity tree, and unprotected region
US8739177B2 (en) 2010-06-21 2014-05-27 Intel Corporation Method for network interface sharing among multiple virtual machines
US8832465B2 (en) * 2012-09-25 2014-09-09 Apple Inc. Security enclave processor for a system on a chip
US8438631B1 (en) 2013-01-24 2013-05-07 Sideband Networks, Inc. Security enclave device to extend a virtual secure processing environment to a client device
US8448238B1 (en) 2013-01-23 2013-05-21 Sideband Networks, Inc. Network security as a service using virtual secure channels
US9426155B2 (en) * 2013-04-18 2016-08-23 International Business Machines Corporation Extending infrastructure security to services in a cloud computing environment
JP6214088B2 (ja) 2013-11-25 2017-10-18 学校法人東京電機大学 ネットワーク制御システム及び方法
US9442752B1 (en) * 2014-09-03 2016-09-13 Amazon Technologies, Inc. Virtual secure execution environments
US9684608B2 (en) * 2014-10-28 2017-06-20 Intel Corporation Maintaining a secure processing environment across power cycles
KR101951273B1 (ko) 2014-12-04 2019-02-22 노키아 솔루션스 앤드 네트웍스 게엠베하 운트 코. 카게 가상화된 자원들의 조종
US9578008B2 (en) * 2015-05-11 2017-02-21 Intel Corporation Technologies for secure bootstrapping of virtual network functions
WO2016181423A1 (en) 2015-05-11 2016-11-17 Nec Corporation Communication apparaus, system, method, and program
US9742790B2 (en) * 2015-06-16 2017-08-22 Intel Corporation Technologies for secure personalization of a security monitoring virtual network function
US10528721B2 (en) * 2016-10-20 2020-01-07 Intel Corporation Trusted packet processing for multi-domain separatization and security
US10277535B2 (en) * 2017-03-31 2019-04-30 Hewlett Packard Enterprise Development Lp Network switch systems including logical switches

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016000160A1 (en) * 2014-06-30 2016-01-07 Alcatel-Lucent Shanghai Bell Co., Ltd. Security in software defined network
US20170214694A1 (en) * 2014-08-22 2017-07-27 Nokia Technologies Oy A Security and Trust Framework for Virtualized Networks
US20170054696A1 (en) * 2014-09-03 2017-02-23 Amazon Technologies, Inc. Securing service control on third party hardware

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
MICHAEL COUGHLIN ET AL, "Trusted Click : Overcoming Security issues of NFV in the Cloud", PROCEEDINGS OF THE ACM INTERNATIONAL WORKSHOP ON SECURITY IN SOFTWARE DEFINED NETWORKS & NETWORK FUNCTION VIRTUALIZATION, SDN-NFVSEC '17, New York, New York, USA, (20170101), doi:10.1145/3040992.3040994 *
NICOLAE PALADI; CHRISTIAN GEHRMANN: "TruSDN: Bootstrapping Trust in Cloud Network Infrastructure", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 14 February 2017 (2017-02-14), 201 Olin Library Cornell University Ithaca, NY 14853, XP080745669, DOI: 10.1007/978-3-319-59608-2_6 *
SERGEI ARNAUTOV 1, BOHDAN TRACH 1, FRANZ GREGOR 1, THOMAS KNAUTH 1, ANDRE MARTIN 1, CHRISTIAN PRIEBE 2, JOSHUA LIND 2, DIVYA MUTHU: "SCONE: Secure Linux Containers with Intel SGX", USENIX, USENIX, THE ADVANCED COMPUTING SYSTEMS ASSOCIATION, 2 November 2016 (2016-11-02), Usenix, the Advanced Computing Systems Association, pages 696 - 710, XP061025068 *
SOMNATH CHAKRABARTI ET AL, "Intel Software Guard Extensions (Intel SGX) Architecture for Oversubscription of Secure Memory in a Virtualized Environment", 20170625; 20170625 - 20170625, (20170625), doi:10.1145/3092627.3092634, ISBN 978-1-4503-5266-6, pages 1 - 8, XP058370143 [I] 2,10,18 *

Also Published As

Publication number Publication date
US10872145B2 (en) 2020-12-22
JP2021500669A (ja) 2021-01-07
CN111164571B (zh) 2024-04-19
US20190121960A1 (en) 2019-04-25
JP7110339B2 (ja) 2022-08-01
CN111164571A (zh) 2020-05-15
GB202006882D0 (en) 2020-06-24
WO2019081348A1 (en) 2019-05-02
DE112018004210T5 (de) 2020-04-30

Similar Documents

Publication Publication Date Title
GB2581717A (en) Secure processor-based control plane function virtualization in cloud systems
JP2021500669A5 (https=)
Kaiser et al. Container technologies for arm architecture: A comprehensive survey of the state-of-the-art
Szefer et al. Eliminating the hypervisor attack surface for a more secure cloud
US8341627B2 (en) Method and system for providing user space address protection from writable memory area in a virtual environment
US10726119B2 (en) Monitoring application execution in a clone of a virtual computing instance for application whitelisting
PH12018550196A1 (en) Hardware-based virtualized security isolation
EP4379592A3 (en) Providing isolation in virtualized systems using trust domains
US20180165224A1 (en) Secure encrypted virtualization
US20180011797A1 (en) Memory sharing method of virtual machines based on combination of ksm and pass-through
US10754991B2 (en) Method to isolate real-time or safety-critical software and operating system from non-critical software and operating system
WO2015176682A1 (en) Forwarding a packet
WO2016118033A3 (en) Systems and methods for exposing a result of a current processor instruction upon exiting a virtual machine
CN108509251B (zh) 一种适用于可信执行环境中的安全虚拟化系统
JP2016524257A5 (https=)
CN108549571B (zh) 一种适用于可信执行环境中的安全虚拟化方法
CN103559087A (zh) 一种虚拟处理器之间的中断的实现方法、相关装置和系统
CN107450962B (zh) 一种虚拟化运行环境下的异常处理方法、装置及系统
JP2015524128A5 (https=)
US9697027B1 (en) Hypercall-based security for hypervisors
US20200167180A1 (en) Securing virtual machines in computer systems
Sharma et al. Performance evaluation of adaptive virtual machine load balancing algorithm
RU2013118639A (ru) Аппаратно-вычислительный комплекс с повышенными надежностью и безопасностью в среде облачных вычислений
US20220159036A1 (en) Malicious packet filtering in a virtualization system
Liang et al. Aurora: Providing trusted system services for enclaves on an untrusted system

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)