Below are some frequently asked questions about PrivateCore vCage and securing data in use.
What is PrivateCore vCage?
PrivateCore vCage audits and secures OpenStack servers against persistent malware (rootkits/bootkits) and insider threats. vCage is comprised of two components: vCage Manager and optional vCage Host software. vCage Manager provides validation (referred to as attestation) for OpenStack servers to enable the created of trusted compute pools. Organizations can also deploy vCage Host, a high assurance hypervisor that protects data-in-use with full-memory encryption. Based on the open source Linux Kernel-based Virtual Machine (KVM) hypervisor, vCage host runs existing virtual machine images without modification.
Which threats does vCage address?
PrivateCore vCage validates the integrity of servers against persistent malware (advanced persistent threats) and secures x86 server data-in-use. This can include information in memory such as encryption keys, digital certificates, intellectual property, and personally identifiable information. vCage counters various adversaries trying to access this data including:
- Malicious Insiders
- Third Party Service Providers
- Outside Hackers and State Actors
- IT Hardware Supply Chain
- Visibility & Lawful Intercepts
Is vCage software or hardware?
PrivateCore vCage is software designed to audit and protect OpenStack servers.
What sort of attacks does vCage protect against?
PrivateCore vCage protects against a variety of threats including:
- Inserting a malicious I/O card (e.g. PCIe card) into a system I/O slot that can read information using direct memory access (DMA)List Item #2
- Installing a software rootkit/bootkit (persistent malware)
- Using a system interface like FireWire or Thunderbolt to read information via DMA
- Installing and then extracting Non-Volatile Dual In-line Memory Modules (NVDIMMs) that persistently maintain the contents of memory and leave data accessible even after a system is powered down
Does vCage help protect against “cold boot attacks”?
Yes, vCage Host software protects against cold boot attacks
(also referred to as “freezing RAM” or “freezing memory) by encrypting memory. You can view this video
to understand how vCage protects against such attacks.
Does vCage help protect against malicious devices in the IT supply chain?
Yes, vCage can protect against malicious devices in the IT supply chain. In particular, vCage Host software shrinks the security boundary down to the CPU package and treats all other components as untrusted.
Does vCage protect against malicious or illicit KVM (Keyboard-Video-Mouse) devices?
Yes, vCage Host disables the drivers used by KVM devices. Anybody plugging in a KVM device to access the vCage Host console would be disappointed.
Does vCage complement or compete with data-at-rest (storage) encryption?
vCage attests platform integrity and protects data-in-use by encrypting memory. This complements data-at-rest (storage) encryption as vCage can secure memory containing valuable information including data-at-rest encryption keys.
What server hardware does PrivateCore vCage require?
PrivateCore vCage Manager runs inside a VM and has no special hardware requirements.
PrivateCore vCage Host supports servers using Intel® Xeon Central Processing Units (CPUs) with 20 MB or more of CPU cache. Intel Xeon CPUs with 20 MB of cache have been shipping since 2011. For maximum security, the Intel x86 server should also have a Trusted Platform Module (TPM) chip.
What hypervisor technology does vCage Host leverage?
PrivateCore vCage Host is based on the Linux KVM hypervisor. vCage can leverage the ecosystem of KVM management tools that already exist.
Can any virtual machine (VM) run on vCage Host?
Yes. PrivateCore vCage Host supports any VM supported by the KVM hypervisor.
Does PrivateCore vCage support Intel® Trusted Execution Technology (Intel TXT)? What other Intel technologies does PrivateCore support?
Yes, PrivateCore vCage supports Intel TXT technology to validate that a server is in a known good state. vCage also leverages the large Last Level Cache (LLC) provided by Intel Xeon processors and supports Intel technologies including Intel Advanced Encryption Standard New Instructions (AES-NI) and Intel Virtualization Technology for Directed I/O (VT-d).