Top Banner
Verifiable Resource Accounting Chen Chen, Petros Maniatis, Adrian Perrig, Vyas Sekar, Amit Vasudevan Problem Statement Can a customer verify she received the resources charged by the service provider, while remaining close to existing deployment models Ease of Deployment requiring minimal trust in the operator’s infrastructure Small TCB imposing low performance overhead Efficiency Desired Properties Image Integrity Is the provider running the correct VM? Customization Integrity Is the customization legitimate? Execution Integrity Protect VM contents at runtime Accounting Integrity Resources (e.g., cycles) are actually consumed VM Customizer 1. VM Image 3. Guest1 3. Guest2 2. Customized Image Customization Integrity Accounting Integrity Execution Integrity Image Integrity Client 4. Consumption Report Provider Task Lifecycle Guest OS1 Guest OS2 Alibi Layer e.g., minimal KVM Cloud Hypervisor e.g., Xen Verifiable Resource Accounting (VRA) High-level Design Provider hypervisor runs nested on top of Alibi (our accounting hypervisor) Easy to deploy Provider hypervisor needs no modification Small TCB Only Alibi needs to be trusted Amenable to verification Motivation Outsourced computation is ubiquitous today (e.g., EC2, Azure, Rackspace). “Did I get to use the resources I was charged for?” Current Status and Future Directions Use nested virtualization in KVM as starting point Adding Alibi features to KVM-nesting Initial measurements show 7% overhead Efficient Modeling the lifecycle formally Verify high-level system model Verify that nested-virtualization implementation matches the model Current resources: CPU, memory Potential threats Attackers may modify/take over instances (e.g., Somorovsky et al. [CCSW ’11]) Provider may customize VM incorrectly (e.g., Liu and Ding [ICDCS ’11]) Scheduler vulnerabilities in hypervisors (e.g., Zhou et al. [NCA ’11]) Provider may inflate consumption (e.g., Liu and Ding [ICDCS ’11]) Task Lifecycle under VRA Alibi Layer Cloud Hypervisor Launch image Measure and verify VM image attested before launch Image Integrity Only stock VM device drivers (currently) Customization Integrity Alibi Layer Cloud Hypervisor Guest Page 1 Guest Page 2 VM is placed in distinct memory pages Alibi protects VM memory from hypervisor and other VMs Execution Integrity Guest2 Guest1 Guest1 Alibi Layer Cloud Hypervisor time Alibi uses hardware counters to measure resource usage Tracks all entry/exits Accounting Integrity 1. Client provides a VM to the provider 2. Cloud provider may customize the VM (e.g., add BIOS, hardware specific optimizations) 3. Cloud provider may multiplex multiple customer VMs on hardware 4. Cloud provider charges by “usage” for different resources
1

Problem Statement

Feb 14, 2016

Download

Documents

Boaz

Provider. 2. Customized Image. Execution Integrity. Image Integrity. 1. VM Image. 3. Guest1. 3. Guest2. Client. Verifiable Resource Accounting Chen Chen , Petros Maniatis, Adrian Perrig, Vyas Sekar, Amit Vasudevan. VM Customizer. Motivation - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Problem Statement

Verifiable Resource AccountingChen Chen, Petros Maniatis, Adrian Perrig,

Vyas Sekar, Amit Vasudevan

Problem StatementCan a customer verify she received the resources charged by the service provider, while• remaining close to existing deployment models

Ease of Deployment• requiring minimal trust in the operator’s

infrastructureSmall TCB

• imposing low performance overheadEfficiency

Desired Properties• Image Integrity

Is the provider running the correct VM?

• Customization IntegrityIs the customization legitimate?

• Execution IntegrityProtect VM contents at runtime

• Accounting IntegrityResources (e.g., cycles) are actually consumed

VM Customizer

1. VMImage 3. Guest1 3. Guest2

2. CustomizedImage

CustomizationIntegrity

AccountingIntegrity

ExecutionIntegrity

ImageIntegrity

Client

4. Consumption Report

ProviderTask Lifecycle

Guest OS1 Guest OS2

Alibi Layere.g., minimal KVM

Cloud Hypervisore.g., Xen

Verifiable Resource Accounting (VRA) High-level Design

Provider hypervisor runs nested on top of Alibi (our accounting hypervisor)

Easy to deploy ✓Provider hypervisor needs no modification

Small TCB ✓Only Alibi needs to be trustedAmenable to verification

MotivationOutsourced computation is ubiquitous today (e.g., EC2, Azure, Rackspace).

“Did I get to use the resources I was charged for?”

Current Status and Future Directions• Use nested virtualization in KVM as starting point

• Adding Alibi features to KVM-nesting• Initial measurements show 7% overhead• Efficient ✓

• Modeling the lifecycle formally• Verify high-level system model• Verify that nested-virtualization implementation

matches the model

• Current resources: CPU, memory

• Support for I/O forthcoming

Potential threats • Attackers may modify/take over instances

(e.g., Somorovsky et al. [CCSW ’11])• Provider may customize VM incorrectly

(e.g., Liu and Ding [ICDCS ’11])• Scheduler vulnerabilities in hypervisors

(e.g., Zhou et al. [NCA ’11])• Provider may inflate consumption

(e.g., Liu and Ding [ICDCS ’11])

Task Lifecycle under VRA

Alibi Layer

Cloud HypervisorLaunch image

Measure and verify

• VM image attested before launch

Image Integrity

• Only stock VM device drivers (currently)

Customization Integrity

Alibi Layer

Cloud Hypervisor Guest Page 1

Guest Page 2

• VM is placed in distinct memory pages

• Alibi protects VM memory from hypervisor and other VMs

Execution Integrity

Guest2Guest1 Guest1

Alibi Layer

Cloud Hypervisor

time

• Alibi uses hardware counters to measure resource usage

• Tracks all entry/exits Accounting Integrity

1. Client provides a VM to the provider

2. Cloud provider may customize the VM (e.g., add BIOS, hardware specific optimizations)

3. Cloud provider may multiplex multiple customer VMs on hardware

4. Cloud provider charges by “usage” for different resources