
arxiv: 1907.06110 · v1 · pith:AE6S2IFYnew · submitted 2019-07-13 · 💻 cs.DC · cs.CR

Supporting Security Sensitive Tenants in a Bare-Metal Cloud

Pith reviewed 2026-05-24 21:42 UTC · model grok-4.3

classification: cs.DC, cs.CR
keywords: bare-metal cloud, tenant security control, cloud provisioning, security tradeoffs, private data center equivalence, cloud elasticity, provider flexibility

The pith

Bolted architecture lets bare-metal cloud tenants set their own security levels while the provider keeps full efficiency and elasticity.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces an architecture called Bolted for bare-metal clouds. It gives tenants direct control over the balance between security, cost, and speed. Tenants who need high security can reduce their dependence on the cloud provider to reach protection levels similar to running their own private data centers. Tenants who accept standard security face no added slowdown or expense. The provider continues to allocate and manage resources flexibly without extra operational burdens. A working prototype uses a new way to provision machines and custom firmware to reach elasticity close to that of virtual-machine clouds. Tests measure the performance impact of different security choices on real workloads.

Core claim

Bolted is a new architecture for bare-metal clouds that enables tenants to control tradeoffs between security, price, and performance. Security-sensitive tenants can minimize their trust in the public cloud provider and achieve similar levels of security and control that they can obtain in their own private data centers. At the same time, Bolted neither imposes overhead on tenants that are security insensitive nor compromises the flexibility or operational efficiency of the provider. The prototype exploits a novel provisioning system and specialized firmware to enable elasticity similar to virtualized clouds.

What carries the argument

A novel provisioning system paired with specialized firmware that supports dynamic bare-metal allocation while letting tenants enforce chosen security boundaries.

If this is right

  • Security-sensitive tenants reach security and control levels equivalent to private data centers.
  • Security-insensitive tenants experience no added cost or performance loss.
  • The cloud provider retains full flexibility to manage and reallocate resources efficiently.
  • Elasticity for bare-metal resources approaches that of virtualized environments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Tenants could be offered explicit pricing tiers tied to their chosen security settings.
  • The same tenant-controlled boundary approach might extend to storage or network isolation choices.
  • Providers could use the architecture to support both highly sensitive and general-purpose workloads on the same physical fleet.

Load-bearing premise

The new provisioning system and specialized firmware can deliver elasticity matching virtualized clouds without creating hidden extra costs or management problems for the provider.

What would settle it

A direct comparison showing that Bolted provisioning times or overall resource utilization for mixed workloads fall noticeably behind a standard virtualized cloud under identical tenant demand patterns.

Figures

Figures reproduced from arXiv: 1907.06110 by Amin Mosayyebzadeh, Apoorve Mohan, Charles Munson, Gene Cooperman, Larry Rudolph, Mania Abdi, Nabil Schear, Orran Krieger, Peter Desnoyers, Sahil Tikale, Trammell Hudson.

Figure 1. Bolted's Architecture: blue arrows show state changes and green dotted lines show the actions during a state change.
Figure 2. Bolted deployment examples; purple boxes are provider-deployed and green boxes are tenant-deployed. Alice and Bob trust the provider-deployed infrastructure, while security-sensitive Charlie deploys its own.
Figure 3. Performance impact of encryption.
Figure 4. Provisioning time of one server.
Figure 5. Bolted concurrency.
Figure 7. (MPI) Performance degradation for applications from the NAS Parallel Benchmark version 3.3.1 (EP, CG, FT and MG, class D) running in a 16-server enclave.
Original abstract

Bolted is a new architecture for bare-metal clouds that enables tenants to control tradeoffs between security, price, and performance. Security-sensitive tenants can minimize their trust in the public cloud provider and achieve similar levels of security and control that they can obtain in their own private data centers. At the same time, Bolted neither imposes overhead on tenants that are security insensitive nor compromises the flexibility or operational efficiency of the provider. Our prototype exploits a novel provisioning system and specialized firmware to enable elasticity similar to virtualized clouds. Experimentally we quantify the cost of different levels of security for a variety of workloads and demonstrate the value of giving control to the tenant.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. Bolted is presented as a new architecture for bare-metal clouds enabling tenants to control tradeoffs between security, price, and performance. Security-sensitive tenants can minimize trust in the provider to achieve security levels similar to private data centers. The architecture imposes no overhead on security-insensitive tenants and does not compromise provider flexibility or efficiency. A prototype with a novel provisioning system and specialized firmware achieves elasticity similar to virtualized clouds, and experiments quantify the cost of different security levels for various workloads.

Significance. This work addresses an important problem in cloud computing by providing a way for tenants to achieve high security in shared bare-metal environments without sacrificing performance or elasticity. If the claims about the prototype and experiments are substantiated, it could have significant impact on how security-sensitive applications are deployed in public clouds.

major comments (2)
  1. Abstract: The claim that 'experimentally we quantify the cost of different levels of security for a variety of workloads' cannot be evaluated because the provided manuscript text contains only the abstract with no methods, data, figures, or tables to support the quantification or demonstrate that it supports the central claim.
  2. Abstract, final sentence: the assertion that the novel provisioning system and specialized firmware enable elasticity similar to virtualized clouds is load-bearing for the claim of no hidden operational costs to the provider, but no implementation details, evaluation, or evidence are present in the provided text to assess this.
minor comments (1)
  1. The abstract is clear, but the full paper should include architecture diagrams, experimental setup, and results sections to allow assessment of the prototype claims.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the review. The full manuscript contains detailed sections on the prototype implementation, provisioning system, firmware, experimental methodology, results, figures, and tables that support the abstract claims. It appears only the abstract was provided for review rather than the complete paper. We respond to each major comment below.

Point-by-point responses
  1. Referee: Abstract: The claim that 'experimentally we quantify the cost of different levels of security for a variety of workloads' cannot be evaluated because the provided manuscript text contains only the abstract with no methods, data, figures, or tables to support the quantification or demonstrate that it supports the central claim.

    Authors: The complete manuscript includes dedicated sections describing the experimental setup, workloads evaluated, quantitative measurements of security level costs, and supporting figures and tables. These directly substantiate the claim. The evidence is present in the body of the paper rather than the abstract alone.
    Revision: no

  2. Referee: Abstract, final sentence: the assertion that the novel provisioning system and specialized firmware enable elasticity similar to virtualized clouds is load-bearing for the claim of no hidden operational costs to the provider, but no implementation details, evaluation, or evidence are present in the provided text to assess this.

    Authors: The manuscript provides implementation details for the novel provisioning system and specialized firmware, along with an evaluation section that measures elasticity and compares it to virtualized clouds. This evidence supports the claim regarding operational costs to the provider and is contained in the full paper.
    Revision: no

Circularity Check

0 steps flagged

No significant circularity in derivation chain

Full rationale

This is a systems architecture paper proposing Bolted for bare-metal clouds. The abstract and description contain no equations, fitted parameters, predictions, or derivation steps that could reduce to inputs by construction. Claims rest on a prototype implementation and experimental quantification of security costs, with no self-definitional, self-citation load-bearing, or ansatz-smuggling patterns present. The work is self-contained as an engineering proposal rather than a derived mathematical result.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The central claim rests on the existence and correct behavior of specialized firmware and a novel provisioning system whose details are not supplied in the abstract.

axioms (1)
  • Domain assumption: Specialized firmware can be deployed on bare-metal servers to enforce tenant-chosen isolation boundaries without breaking provider-level elasticity.
    Invoked implicitly when the abstract states that the prototype exploits specialized firmware to enable elasticity similar to virtualized clouds.
invented entities (1)
  • Bolted architecture (no independent evidence)
    Purpose: provide tenant-controlled security tradeoffs in bare-metal clouds.
    New system name and design introduced by the paper; no independent evidence is supplied in the abstract.

