Stefan Berger  Stefan Berger photo         

contact information

Virtualization and Cloud Security Architecture, Design & Development
Thomas J. Watson Research Center, Yorktown Heights, NY USA



I am a member of the Security Department.

I work on cloud security, virtualization security, and more recently on security for containers. I am actively involved in open source work on projects like QEMU, SeaBIOS, SLOF, Libvirt, Docker, and Linux. I am also contributing and hosting several of our public projects related to trusted computing and virtualization security.

My research in the area of virtualized trusted computing tries to find solutions for trusted boot on virtualized systems. This includes solutions for virtualizing the trusted platform module (vTPM) while keeping the device's security features and extending them to the virtualized platform. One challenge here is that solutions have to fit into existing open source projects (QEMU, SeaBIOS, SLOF, Libvirt, OpenStack) so that they are acceptable to the communities.

I am doing similar work for container security but here we are also trying to extend support for the Linux Integrity Measurement Architecture (IMA) to Linux containers, primarily to enforce signed files. The work here involves extensions to the Linux kernel for support of IMA inside the container as well as drivers for virtualizing the TPM. Much of the work here is done on Docker and includes extensions of its management stack.

My other involvement in the area of containers is the design and implementation of support for encrypted container images to protect the confidentiality and integrity of the data while they are at rest in the a registry. We extended the Open Container Initiative's (OCI) image specification to support encryption of container images using encryption technolgies such as JWK, PKCS7, and OpenPGP. We recently extended this with PKCS11 support to be able to include Hardware Security Modules (HSM) devices that for example the financial industry is interested in.

My group is a strong evangelizer of signed files for Linux. Enforcement of signed files is done by Linux IMA Appraisal and relies on packages from Linux distros providing those signature. While packages holding the signatures are not available from Linux repositories today, I am working on solutions for distribution mirrors that sign the packages while replicating a repository.

Further my involvement is in the security analysis, hardening, and implementing security components for IBM's cloud. Along this way I have been involved in IBM's Container Cloud, Smart Cloud Enterprise, Smart Cloud Enterprise Plus, and the internal Research Compute Cloud.