A system for security health monitoring and attestation of virtual machines in cloud computing systems is provided. The system includes a cloud server having multiple virtual machines managed by a hypervisor (also called a Virtual Machine Monitor, VMM). The cloud server collects security measurement information and hashes and signs the security measurement information using a cryptography engine. The system also includes an attestation server for receiving the hashed security measurement information from the cloud server. The attestation server also verifies the signature and hash values, and interprets the security measurement information. The attestation server receives security measurements from multiple cloud servers and multiple virtual machines. The attestation server generates an attestation report based on the verification and interpretation of the security measurement information.

A method for security health monitoring and attestation of virtual machines in cloud computing systems is provided. The method includes the step of providing a cloud server including a virtual machine and a hypervisor, the cloud server collecting security measurement information and signing and hashing the security measurement information using a cryptography engine. The method also includes the step of providing an attestation server for receiving the hashed security measurement information from the cloud server, the attestation server verifying the signature and hash values, and interpreting the security measurement information. The attestation server also interprets the security measurements from multiple cloud servers and multiple VMs, to determine whether certain security properties are likely to be held or not. The method further includes the step of generating an attestation report by the attestation server based on the verification and interpretation of the security measurement information.

A cloud server for security health monitoring and attestation of virtual machines in cloud computing systems is also provided. The cloud server includes a software entity to be protected (e.g., virtual machine or process), a system software layer that manages the software entities and assigns resources to them (e.g., hypervisor or operating system), a plurality of network interface controllers, a plurality of random access memories, a plurality of central processing units, and a plurality of cache memories. The cloud server further includes a monitor module for monitoring and gathering security measurement information and a trust module for generating new keys and nonces, and for hashing and signing, and optionally encrypting, the security measurement information using cryptography operations.

A method for maintaining the security of virtual machines in cloud computing systems is also provided. The method includes the step of providing a software entity to be protected (e.g., a virtual machine or a process), a system software layer that manages the software entities and assigns resources to them (e.g., a hypervisor or an operating system) a plurality of network interface controllers, a plurality of random access memories, a plurality of central processing units, and a plurality of cache memories. The method also includes the step of providing a monitor module for monitoring and gathering security measurement information and a trust module for hashing and signing the security measurement information using cryptography operations.

A system for security health monitoring and attestation of virtual machines in cloud computing systems is further provided. The system includes a cloud server having multiple software entities to be managed and protected by a system software. The cloud server collects security measurement information and interprets these as properties that show the security health of the software entities. The cloud server hashes and signs the security measurement information using a cryptography engine. The system can also include an attestation server for receiving the hashed security measurement information from the cloud server. The attestation server also verifies the signature and hash values, and interprets the security measurement information. The attestation server receives security measurements form multiple cloud servers and multiple software entities to be protected. The attestation server generates an attestation report based on the verification and interpretation of the security measurement information.

A method for security health monitoring and attestation of virtual machines in cloud computing systems is provided. The method includes the step of providing a cloud server including a software entity to be protected and a system software that protects these entities, the cloud server collecting security measurement information and signing and hashing the security measurement information using a cryptography engine. The method also includes the step of providing an attestation server for receiving the hashed security measurement information from the cloud server, the attestation server verifying the signature and hash values, and interpreting the security measurement information. The attestation server also interprets the security measurements from multiple cloud servers and multiple software entities to be protected, to determine whether certain security properties are likely to be held or not. The method further includes the step of generating an attestation report by the attestation server based on the verification and interpretation of the security measurement information.

Finally, a system for security health monitoring and attestation of virtual machines in cloud computing systems is provided. The system includes a virtual machine, a hypervisor, a network interface controller, a random access memory, a central processing unit, and a cache memory. Furthermore, the system also includes a monitor module for monitoring and gathering security measurement information inside the virtual machine or outside the virtual machine. It also includes a trust module for hashing and signing the security measurement information using cryptography operations. Finally, the system includes a property interpretation module for interpreting the security measurement information hashed and signed from the trust module.