Researchers at North Carolina State University and IBM said they may have found a way to effectively protect certain information in cloud and services environments. A new technique called “Strongly Isolated Computing Environment” (SICE) aims to isolate sensitive information and workloads from the rest of the functions performed by a hypervisor, which serves as a gateway to a virtual, cross-platform workspace shared by users in a cloud system.
Peng Ning, a professor of computer science at NC State and co-author of a paper describing the research, explained that the basic idea of the approach is to reduce the "surface" for a potential attack. The foundation of SICE is a Trusted Computing Base (TCB), which has just about 300 lines of code. In the case of an attack, only those 300 lines have to be protected.
"Previous techniques have exposed thousands of lines of code to potential attacks," Ning said. "We have a smaller attack surface to protect."
SICE can be configured to allocate specific CPU cores to the sensitive workload. During tests, SICE consumed about 3 percent of the entire system performance, according to Ning. “That is a fairly modest price to pay for the enhanced security,” he noted. “However, more research is needed to further speed up the workloads that require interactions with the network.”
The research paper detailing SICE will be presented at the 18th ACM Conference on Computer and Communications Security, which will be held from October 17 to 21 in Chicago.