Verifiable Resource Accounting Chen Chen, Petros Maniatis, Adrian Perrig, Vyas Sekar, Amit Vasudevan Problem Statement Can a customer verify she received the resources charged by the service provider, while • remaining close to existing deployment models Ease of Deployment • requiring minimal trust in the operator’s infrastructure Small TCB • imposing low performance overhead Efficiency Desired Properties • Image Integrity Is the provider running the correct VM? • Customization Integrity Is the customization legitimate? • Execution Integrity Protect VM contents at runtime • Accounting Integrity Resources (e.g., cycles) are actually consumed VM Customizer 1. VM Image 3. Guest1 3. Guest2 2. Customized Image Customization Integrity Accounting Integrity Execution Integrity Image Integrity Client 4. Consumption Report Provider Task Lifecycle Guest OS1 Guest OS2 Alibi Layer e.g., minimal KVM Cloud Hypervisor e.g., Xen Verifiable Resource Accounting (VRA) High-level Design Provider hypervisor runs nested on top of Alibi (our accounting hypervisor) Easy to deploy ✓ Provider hypervisor needs no modification Small TCB ✓ Only Alibi needs to be trusted Amenable to verification Motivation Outsourced computation is ubiquitous today (e.g., EC2, Azure, Rackspace). “Did I get to use the resources I was charged for?” Current Status and Future Directions • Use nested virtualization in KVM as starting point • Adding Alibi features to KVM-nesting • Initial measurements show 7% overhead • Efficient ✓ • Modeling the lifecycle formally • Verify high-level system model • Verify that nested-virtualization implementation matches the model • Current resources: CPU, memory • Potential threats • Attackers may modify/take over instances (e.g., Somorovsky et al. [CCSW ’11]) • Provider may customize VM incorrectly (e.g., Liu and Ding [ICDCS ’11]) • Scheduler vulnerabilities in hypervisors (e.g., Zhou et al. [NCA ’11]) • Provider may inflate consumption (e.g., Liu and Ding [ICDCS ’11]) Task Lifecycle under VRA Alibi Layer Cloud Hypervisor Launch image Measure and verify • VM image attested before launch Image Integrity • Only stock VM device drivers (currently) Customization Integrity Alibi Layer Cloud Hypervisor Guest Page 1 Guest Page 2 • VM is placed in distinct memory pages • Alibi protects VM memory from hypervisor and other VMs Execution Integrity Guest2 Guest1 Guest1 Alibi Layer Cloud Hypervisor time • Alibi uses hardware counters to measure resource usage • Tracks all entry/exits Accounting Integrity 1. Client provides a VM to the provider 2. Cloud provider may customize the VM (e.g., add BIOS, hardware specific optimizations) 3. Cloud provider may multiplex multiple customer VMs on hardware 4. Cloud provider charges by “usage” for different resources
Problem Statement
Feb 14, 2016
Provider. 2. Customized Image. Execution Integrity. Image Integrity. 1. VM Image. 3. Guest1. 3. Guest2. Client. Verifiable Resource Accounting Chen Chen , Petros Maniatis, Adrian Perrig, Vyas Sekar, Amit Vasudevan. VM Customizer. Motivation - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Verifiable Resource AccountingChen Chen, Petros Maniatis, Adrian Perrig,
Vyas Sekar, Amit Vasudevan
Problem StatementCan a customer verify she received the resources charged by the service provider, while• remaining close to existing deployment models
Ease of Deployment• requiring minimal trust in the operator’s
infrastructureSmall TCB
• imposing low performance overheadEfficiency
Desired Properties• Image Integrity
Is the provider running the correct VM?
• Customization IntegrityIs the customization legitimate?
• Execution IntegrityProtect VM contents at runtime
• Accounting IntegrityResources (e.g., cycles) are actually consumed
VM Customizer
1. VMImage 3. Guest1 3. Guest2
2. CustomizedImage
CustomizationIntegrity
AccountingIntegrity
ExecutionIntegrity
ImageIntegrity
Client
4. Consumption Report
ProviderTask Lifecycle
Guest OS1 Guest OS2
Alibi Layere.g., minimal KVM
Cloud Hypervisore.g., Xen
Verifiable Resource Accounting (VRA) High-level Design
Provider hypervisor runs nested on top of Alibi (our accounting hypervisor)
Easy to deploy ✓Provider hypervisor needs no modification
Small TCB ✓Only Alibi needs to be trustedAmenable to verification
MotivationOutsourced computation is ubiquitous today (e.g., EC2, Azure, Rackspace).
“Did I get to use the resources I was charged for?”
Current Status and Future Directions• Use nested virtualization in KVM as starting point
• Adding Alibi features to KVM-nesting• Initial measurements show 7% overhead• Efficient ✓
• Modeling the lifecycle formally• Verify high-level system model• Verify that nested-virtualization implementation
matches the model
• Current resources: CPU, memory
• Support for I/O forthcoming
Potential threats • Attackers may modify/take over instances
(e.g., Somorovsky et al. [CCSW ’11])• Provider may customize VM incorrectly
(e.g., Liu and Ding [ICDCS ’11])• Scheduler vulnerabilities in hypervisors
(e.g., Zhou et al. [NCA ’11])• Provider may inflate consumption
(e.g., Liu and Ding [ICDCS ’11])
Task Lifecycle under VRA
Alibi Layer
Cloud HypervisorLaunch image
Measure and verify
• VM image attested before launch
Image Integrity
• Only stock VM device drivers (currently)
Customization Integrity
Alibi Layer
Cloud Hypervisor Guest Page 1
Guest Page 2
• VM is placed in distinct memory pages
• Alibi protects VM memory from hypervisor and other VMs
Execution Integrity
Guest2Guest1 Guest1
Alibi Layer
Cloud Hypervisor
time
• Alibi uses hardware counters to measure resource usage
• Tracks all entry/exits Accounting Integrity
1. Client provides a VM to the provider
2. Cloud provider may customize the VM (e.g., add BIOS, hardware specific optimizations)
3. Cloud provider may multiplex multiple customer VMs on hardware
4. Cloud provider charges by “usage” for different resources
Related Documents
