Abstract: According to certain embodiments, a method comprises monitoring a request for use of memory requested by a container manager application on behalf of a given one of a plurality of containers during runtime of the given container. The method further comprises determining that the request for use of memory has caused an exception. The exception indicates that the request has requested an invalid operation on a memory table or that the request has requested a previously not seen memory table. In response, the method further comprises determining an action to perform. The action depends on both first trustworthiness information associated with the given container and second trustworthiness information associated with the given container. The first trustworthiness information is obtained from a Third Party Reputation Service (TPRS). The second trustworthiness information is obtained based on monitoring the runtime behavior of the given container.

Abstract: Techniques are described for securely booting and executing a virtual machine (VM) image in an untrusted cloud infrastructure. A multi-core processor may be configured with additional hardware components—referred to as a trust anchor. The trust anchor may be provisioned with a private/public key pair, which allows the multi-core CPU to authenticate itself as being able to securely boot and execute a virtual machine (VM) image in an untrusted cloud infrastructure.

Abstract: An example method is provided and includes providing an encrypted image to a central processing unit of an integrated circuit and decrypting the encrypted image using a cryptographic key element. The cryptographic key element is embedded within the integrated circuit. The method also includes evaluating the decrypted image in order to verify its authenticity, and executing the decrypted image if the decrypted image is successfully verified. In more particular embodiments, the verification includes utilizing an executable and linkable format (ELF) to signify that encryption has been enabled for at least a portion of the encrypted image. A processor within the integrated circuit can be provided with the cryptographic key element that corresponds to a product family of devices. The method can also include providing a corresponding image of the decrypted image to an external memory of the integrated circuit.

Abstract: An example method is provided and includes providing an encrypted image to a central processing unit of an integrated circuit and decrypting the encrypted image using a cryptographic key element. The cryptographic key element is embedded within the integrated circuit. The method also includes evaluating the decrypted image in order to verify its authenticity, and executing the decrypted image if the decrypted image is successfully verified. In more particular embodiments, the verification includes utilizing an executable and linkable format (ELF) to signify that encryption has been enabled for at least a portion of the encrypted image. A processor within the integrated circuit can be provided with the cryptographic key element that corresponds to a product family of devices. The method can also include providing a corresponding image of the decrypted image to an external memory of the integrated circuit.

Abstract: Techniques are described for securely booting and executing a virtual machine (VM) image in an untrusted cloud infrastructure. A multi-core processor may be configured with additional hardware components—referred to as a trust anchor. The trust anchor may be provisioned with a private/public key pair, which allows the multi-core CPU to authenticate itself as being able to securely boot and execute a virtual machine (VM) image in an untrusted cloud infrastructure.