How Trusted Computing Strengthens Cloud Security: Alibaba’s Practical Approach

What is Trusted Computing

Trusted Computing (TC) is a technology promoted by the Trusted Computing Group (TCG) that aims to ensure system and application integrity, establishing a trustworthy state for software execution.

Trust is the foundation of security; by guaranteeing integrity, it reduces the risk of attacks that exploit tampered systems or software.

Key Security Enhancements Provided by Trusted Computing

Operating system security upgrades, preventing rootkits in UEFI, OS, and malicious drivers.

Application integrity protection, preventing trojan insertion.

Enforcement of security policies, ensuring they cannot be bypassed or altered.

Measurement and Verification

Measurement collects the state of software or system components, while verification compares these measurements against reference values to determine trustworthiness.

Measurements are classified as static (taken at boot or installation) and dynamic (taken during runtime).

Static Measurement

Static measurement evaluates the integrity of firmware, bootloader, OS images, etc., forming a chain of trust where each component measures the next.

Dynamic Measurement

Dynamic measurement monitors runtime characteristics and uses models or rules to assess whether the system is operating normally.

Trusted Root and Hardware Support

The trusted root is typically a hardware chip (e.g., TPM, TCM, TPCM) that stores keys and runs trusted software stacks to perform measurement and verification.

TPM/TCM are mature, commercially available solutions; TPCM is a newer domestic standard offering proactive measurement but is not yet widely commercialized.

Interpretation of GB/T 22239 (Equivalent to “等保2.0”) Requirements

GB/T 22239 elevates trust across four levels, requiring trusted computing in computing environments, networks, and access points.

For computing environments, the standard mandates verification of boot programs, system software, critical configurations, and communication applications, with dynamic verification and audit logging.

Application-level trust requires dynamic verification, typically implemented via whitelist-based behavior monitoring and anomaly detection.

Alibaba Cloud Trusted Computing Practice

Alibaba Cloud leverages hardware-based trusted roots (TCM chips) and a self-developed trusted service to ensure the integrity of the cloud platform’s software stack.

Key components include:

Static measurement and verification of images before application launch.

Dynamic measurement using application behavior whitelists (system calls such as process start, network/file access).

Dynamic association perception that employs machine‑learning‑derived behavior baselines to detect anomalies.

Virtualization of TCM (vTCM) enables secure resource allocation and migration of trust data across hosts.

Conclusion

Trusted computing and security are mutually reinforcing; trusted hardware and software provide a solid foundation for secure cloud services, and industry leaders like Google, Microsoft, and Alibaba Cloud have adopted or are developing trusted computing solutions to meet stringent security standards.