An increasing number of companies and other enterprises are reducing their costs by migrating portions of their information technology infrastructure to cloud service providers. For example, virtual data centers and other types of systems comprising distributed virtual infrastructure are coming into widespread use. Commercially available virtualization software such as VMware® vSphere™ may be used by cloud service providers to build a variety of different types of virtual infrastructure, including private and public cloud computing and storage systems, which may be distributed across hundreds of interconnected computers, storage devices and other physical machines.
In cloud-based system arrangements of the type described above, enterprises in effect become tenants of the cloud service providers. However, by relinquishing control over their information technology resources, cloud tenants expose themselves to additional potential security threats. For example, a given tenant may be inadvertently sharing physical hardware resources with other tenants that could be competitors or attackers. The virtual machines of the given tenant may therefore be running on the same physical machine or set of physical machines as the virtual machine of a competitor or attacker. This is problematic in that hostile virtual machines can use side-channel attacks to potentially extract sensitive data, such as passwords and cryptographic keys, from other virtual machines resident on the same physical machine or set of physical machines.
For such reasons, enterprises often demand physical isolation for their cloud deployments. While cloud service providers may promise physical isolation, and even commit to it in service-level agreements (SLAs), enforcement by tenants and their auditors is a challenge. Cloud systems make heavy use of virtualization to abstract away underlying hardware for simplicity and flexibility. Such systems are architected to be hardware opaque, not hardware transparent, and are thus configured in a manner that is at odds with verification of physical isolation. Accordingly, it remains difficult for a tenant to obtain verifiable assurances that its virtual machines are the only virtual machines running on a given physical machine or set of physical machines of a cloud service provider.