Shakeel Butt - Rutgers University & NVidia
Vinod Ganapathy - Rutgers University
Abhinav Srivastava - AT&T Labs Research
On the Control Plane of a Self-service Cloud Platform
Slide 2: Client security on cloud platforms
Cloud providers and administrators are all-powerful. Clients have little choice but to trust them.
Slide 3: Client data exposed to attack
Implications – Attacks
• Malicious attacks perpetrated by employees:
  – “Insider” attacks by cloud provider’s employees
  – Cited as an important concern in [Gartner 2008]
• Exploits against cloud admin interfaces:
  – Plethora of examples: CVE-2007-4993, CVE-2007-5497, CVE-2008-0923, CVE-2008-1943, CVE-2008-2100, …
Slide 4: Implications – Deploying services
• Cloud clients largely restricted to in-VM security tools
• Deployment and configuration of powerful security tools entrusted to cloud provider:
  – VM introspection tools
  – Network-level middleboxes
Clients have limited flexibility
Slide 5: Self-service Cloud Computing
Our Solution – SSC [ACM CCS 2012]
• De-privilege cloud admins
• Transfer privilege to clients
• Main ideas:
  – Privilege separation
  – Least privilege
• Implemented via hypervisor modifications
Slide 6: Contributions of this paper
Control plane for a cloud platform consisting of SSC hypervisors
• Client’s perspective: deploying custom network middleboxes; specifying VM dependencies
• Provider’s perspective: unified administrative interface; VM dependency-aware migration
Slide 7: Traditional cloud platforms
(figure: hardware, hypervisor, provider’s management VM (dom0), and client VMs)
Slide 8: Privilege allocation
(figure: the same stack as slide 7: hardware, hypervisor, provider’s management VM (dom0), client VMs)
Slide 9: Example: Malware detection
(figure: a checking daemon with a security policy in the management VM reads a page of the client VM’s code and data (1), processes the page (2), alerts the user on a hit, and resumes the guest (3))
Slide 10: Flexibility Problem
(same figure as slide 9)
Clients rely on the provider/admins to deploy the service
Slide 11: Security Problem
(same figure as slide 9, with a malicious cloud operator in the management VM)
Client code & data secrecy and integrity are vulnerable to attack by a malicious cloud operator
Slide 12: Privilege allocation in SSC
(figure: hardware, SSC hypervisor, provider’s management VM, client mgmt. VM, and client VMs)
Slide 13: Duties of the management VM (Dom0)
• Manages and multiplexes hardware resources
• Manages client virtual machines
Slide 14: Main technique used by SSC: disaggregate the management VM
SDom0 (system-wide mgmt. VM, one per physical host):
• Manages hardware
• No access to client VMs
UDom0 (per-client mgmt. VM):
• Manages the client’s VMs
• Allows clients to deploy new services
Slide 15: An SSC platform
(figure: hardware, SSC hypervisor and SDom0 form the trusted computing base; each client has its own UDom0 managing its work VMs and security VMs)
Slide 16: Cloud control plane
(figure: the cloud controller is the client’s interface to the cloud and receives the client’s VM images; on each host a node controller in Dom0 runs on the hypervisor beside the client VMs)
Slide 17: Cloud control plane
• From the client’s perspective:
  – Interfaces with the client to get VM images
  – Is the client’s administrative interface
• From the cloud provider’s perspective:
  – Manages VM placement and migration
  – Abstracts away platform details, hiding them from the client’s view
Slide 18: Need for an SSC control plane
Traditional control plane software is unaware of SSC abstractions. Two implications:
1. Poor flexibility:
  – Client cannot specify VM dependencies
  – Client cannot specify middlebox placement
2. Poor security:
  – Udom0s on individual platforms may expose cloud provider topology to malicious clients
Slide 19: SSC-aware control plane
• Enhanced dashboard interface to abstract details of individual Udom0s
• Allows specification of:
  – VM dependency constraints
  – Middlebox placement topologies
• Transparently handles VM migration and placement
  – Please see paper for details on our VM migration protocol
Slide 20: SSC-aware control plane
(figure: the cloud controller is the client’s interface to the cloud and receives the client’s VM images; each host runs the SSC hypervisor with a node controller in Sdom0, a per-client Udom0, the client’s VMs and the client’s switches)
Slide 21: Client interface
(same figure as slide 20; step 1 highlights the client’s interface to the cloud controller)
Slides 22–25: Example scenario
(figure, built up step by step: Web Server (web_vm); VMI tool (vmi_vm), MUST_COLOCATE with web_vm; SSL Proxy (ssl_vm), MUST_COLOCATE with web_vm; Firewall (firewall_vm), MAY_COLOCATE with ssl_vm)
Slide 26: VM dependency constraints
VM web_vm;      // Client's Web server
VM vmi_vm;      // VMI-based memory introspection tool
VM ssl_vm;      // SSL proxy for the Web server
VM firewall_vm; // VM running the Snort NIDS

web_vm.name = "MyWeb"; web_vm.image = Apache.img;
vmi_vm.name = ...; vmi_vm.image = ...;
ssl_vm.name = ...; ssl_vm.image = ...;
firewall_vm.name = ...; firewall_vm.image = ...;

Grant_Privilege (vmi_vm, web_vm, Kern_Mem);
Set_Backend (ssl_vm, web_vm, NET, MUST_COLOCATE);
Set_Backend (firewall_vm, ssl_vm, NET, MAY_COLOCATE);
Slide 27: Cloud controller
(same figure as slide 20; step 2 highlights the cloud controller)
Slide 28: Cloud controller’s tasks
• Solves a constraint-satisfaction problem
  – All MUST_COLOCATE constraints satisfied
  – Output is a set of VM placements
• Communicates VM placements to individual node controllers
  – Sends network switch configurations for backend VMs (Set_Backend)
  – Also sends permission requirements for VMs (Grant_Privilege)
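A worked version of the controller step just described, added here as an example; it is not code from the SSC project or the paper. It encodes the slide 26 scenario as Python calls, treats a Kern_Mem grant as a colocation requirement (matching slides 23 and 26), uses constructed host capacities and image names, and emits the per-host messages the slide lists: switch configuration for each Set_Backend link and permission requirements for each Grant_Privilege. The `violations` check at the end is an independent validation of the hard constraints that a practitioner would run before the controller acts on a placement.

```python
"""Placement solver for SSC-style VM dependency constraints.

Added example, not code from the SSC project. Host names, capacities and
the non-Apache image names are constructed; the rule that a Kern_Mem grant
forces colocation is an assumption taken from the talk's example scenario.
"""
from collections import defaultdict

MUST_COLOCATE = "MUST_COLOCATE"
MAY_COLOCATE = "MAY_COLOCATE"
COLOCATING_PRIVILEGES = {"Kern_Mem"}  # assumption: memory introspection needs the same host


class ClientSpec:
    """Collects one client's VM, Set_Backend and Grant_Privilege declarations."""

    def __init__(self):
        self.vms = {}        # vm name -> image
        self.backends = []   # (backend, frontend, resource, constraint)
        self.grants = []     # (grantee, target, privilege)

    def vm(self, name, image):
        self.vms[name] = image

    def set_backend(self, backend, frontend, resource, constraint):
        if constraint not in (MUST_COLOCATE, MAY_COLOCATE):
            raise ValueError(f"unknown constraint {constraint}")
        self.backends.append((backend, frontend, resource, constraint))

    def grant_privilege(self, grantee, target, privilege):
        self.grants.append((grantee, target, privilege))

    def hard_edges(self):
        """Pairs that must share a host: MUST_COLOCATE links and memory grants."""
        edges = [(b, f) for b, f, _, c in self.backends if c == MUST_COLOCATE]
        edges += [(g, t) for g, t, p in self.grants if p in COLOCATING_PRIVILEGES]
        return edges

    def soft_edges(self):
        return [(b, f) for b, f, _, c in self.backends if c == MAY_COLOCATE]


def colocation_groups(spec):
    """Union-find over the hard edges; each group must land on one host."""
    parent = {v: v for v in spec.vms}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for a, b in spec.hard_edges():
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for v in spec.vms:
        groups[find(v)].append(v)
    return sorted(groups.values(), key=len, reverse=True)


def place(spec, hosts):
    """Assign every VM to a host. hosts: {host: free VM slots}. Returns {vm: host}.

    Hard constraints are met by placing whole groups; MAY_COLOCATE only biases
    the choice towards a host that already holds the peer VM.
    """
    free = dict(hosts)
    placement = {}
    for group in colocation_groups(spec):
        peers = set()
        for a, b in spec.soft_edges():
            if a in group and b in placement:
                peers.add(placement[b])
            if b in group and a in placement:
                peers.add(placement[a])
        candidates = [h for h in free if free[h] >= len(group)]
        if not candidates:
            raise RuntimeError(f"no host can hold colocated group {group}")
        host = max(candidates, key=lambda h: (h in peers, free[h]))
        for v in group:
            placement[v] = host
        free[host] -= len(group)
    return placement


def node_controller_messages(spec, placement):
    """Per-host messages: VMs to start, switch config for backend links that
    touch the host, and the privilege grants whose target VM lives there."""
    msgs = {h: {"start": [], "switch": [], "grants": []} for h in set(placement.values())}
    for v, h in placement.items():
        msgs[h]["start"].append((v, spec.vms[v]))
    for b, f, res, _ in spec.backends:
        for h in {placement[b], placement[f]}:
            msgs[h]["switch"].append({"frontend": f, "backend": b, "resource": res,
                                      "remote": placement[b] != placement[f]})
    for g, t, p in spec.grants:
        msgs[placement[t]]["grants"].append((g, t, p))
    return msgs


def violations(spec, placement):
    """Independent check: hard-constrained pairs that ended up on different hosts."""
    return [(a, b) for a, b in spec.hard_edges() if placement[a] != placement[b]]


def example_spec():
    """The slide 26 scenario as Python calls (non-Apache image names constructed)."""
    s = ClientSpec()
    s.vm("web_vm", "Apache.img")
    s.vm("vmi_vm", "vmi.img")
    s.vm("ssl_vm", "ssl.img")
    s.vm("firewall_vm", "snort.img")
    s.grant_privilege("vmi_vm", "web_vm", "Kern_Mem")
    s.set_backend("ssl_vm", "web_vm", "NET", MUST_COLOCATE)
    s.set_backend("firewall_vm", "ssl_vm", "NET", MAY_COLOCATE)
    return s


if __name__ == "__main__":
    spec = example_spec()
    placement = place(spec, {"hostA": 2, "hostB": 3})  # constructed capacities
    print(placement, violations(spec, placement))
    for host, msg in node_controller_messages(spec, placement).items():
        print(host, msg)
```

With two free slots on hostA and three on hostB, the web/vmi/ssl group can only fit on hostB, and firewall_vm then goes to hostA because hostB is full, which reproduces the split shown on slide 31; the MAY_COLOCATE link becomes a cross-host switch entry on both node controllers.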
Slide 29: Udom0 and switches
(same figure as slide 20; step 3 highlights the Udom0 and the client’s switches on each host)
Slide 30: Udom0 and switches
• Each physical host that runs a client VM has a Udom0 and software switches
  – We use Open vSwitch for switches
• Udom0 handles Grant_Privilege requests and enables system services
• Software switches are configured to handle Set_Backend requests and accommodate middleboxes
Slide 31: Example of middlebox placement
(figure: inbound traffic enters firewall_vm on Host A through that host’s Open vSwitch, is forwarded to ssl_vm on Host B through its Open vSwitch, and from there to web_vm; all traffic to web_vm is scanned by firewall_vm)
Slide 32: Evaluation
• Goals
  – Measure overhead of control plane components
• Dell PowerEdge R610 running Xen-4.3
  – 24 GB RAM
  – 8 Xeon cores with dual threads (2.3 GHz)
  – Each VM has 2 vCPUs and 2 GB RAM
• Results shown only for one case study
  – See our paper for more
Slide 33: Baseline overhead for middleboxes
(figure: SAMEHOST: a measurement host sends ping requests through a middlebox to a client VM on the same host; DIFFHOST: the middlebox and the client VM are on different hosts, each behind its own Open vSwitch)
Slide 34: Baseline overhead for middleboxes
SAMEHOST
Setup        Throughput (Mbps)   RTT (ms)
Traditional  925.4 ± 0.5         0.38
SSC          924 ± 1.2           0.62 (1.6x)

DIFFHOST
Setup        Throughput (Mbps)   RTT (ms)
Traditional  848.4 ± 11.2        0.69
SSC          425.8 ± 5.5         1.6 (2.3x)
Slide 35: Example: Network metering
(figure: client VMs, each behind an Open vSwitch, with their traffic passed through a metering middlebox that sits behind its own Open vSwitch)
Slide 36: Network metering overhead
SAMEHOST
Setup        Throughput (Mbps)
Traditional  924.8 ± 1.1
SSC          924 ± 0.4

DIFFHOST
Setup        Throughput (Mbps)
Traditional  845.4 ± 11.1
SSC          424.3 ± 3.1
Slide 37: See paper for more
• Network intrusion detection
• Network access control
• Host+network (hybrid) intrusion detection
• Evaluation of VM migration overheads
Slide 38: Related work
• Client security:
  – CloudVisor [SOSP’11], Xoar [SOSP’11], Intel SGX, Haven [OSDI’14], Overshadow [ASPLOS’08]
• Client flexibility with nested VMs:
  – XenBlanket [EuroSys’12]
• Client-controlled middleboxes with SDN:
  – SIMPLE [SIGCOMM’13], FlowTags [NSDI’14], CloudNaaS [SOCC’11]
Slide 39: Thank You.
Contact: Shakeel Butt, Vinod Ganapathy, Abhinav Srivastava
Slide 40: BACKUP SLIDES
Slide 41: SSC versus Haven/Intel SGX
• SGX allows clients to create enclaves, which are opaque to cloud providers
• Benefits of Intel SGX over SSC:
  – Cloud provider is untrusted
  – Ability to defend against memory snooping
  – Strong, cryptographic security guarantees
• Benefits of SSC over Intel SGX:
  – Mutually-trusted domains allow the provider to monitor the client
  – Mimics the cloud setting of VMs over hypervisors
Slide 42: CloudVisor and XenBlanket
• CloudVisor [SOSP’11]: protects client VM data from Dom0 using a thin, bare-metal hypervisor (figure: the cloud hypervisor with its Dom0 and client VMs runs nested above CloudVisor)
• Xen-Blanket [EuroSys’12]: allows clients to have their own Dom0s on commodity clouds using a thin shim (figure: the XenBlanket shim hosts a client Dom0 and client VMs above the cloud’s Dom0)
Slide 43: Providers want some control
• Udom0 and service VMs put clients in control of their VMs
• Sdom0 cannot inspect these VMs
• Malicious clients can misuse privilege
• Mutually-trusted service VMs
Client’s requirement: no data leaks or corruption. Cloud provider’s requirement: no illegal activities or botnet hosting.
Slide 44: Traditional privilege model
A privileged operation reaches the hypervisor:
• Is the request from the Management VM?
  – YES: ALLOW
  – NO: DENY
Slide 45: SSC’s privilege model
A privileged operation reaches the self-service hypervisor:
• Is the request from the client’s Udom0?
  – YES: ALLOW
  – NO: Does the requestor have privilege (e.g., the client’s service VM)?
    – YES: ALLOW
    – NO: DENY
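The two decision trees on slides 44 and 45, written out as executable policy checks; this is an added example, not code from the SSC project. VM names, the client table and the request records are constructed. The rule that only a client's own Udom0 may issue Grant_Privilege over that client's VMs, and that a grant names a specific target and operation (as in `Grant_Privilege(vmi_vm, web_vm, Kern_Mem)` on slide 26), are assumptions consistent with the talk's description of Udom0 and of Sdom0 having no access to client VMs.

```python
"""Hypervisor privilege check modelled on the traditional and SSC decision trees.

Added example, not code from the SSC project. All names and records below are
constructed; the grant-issuing rule in Platform.grant_privilege is an assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    requester: str  # VM issuing the privileged hypercall
    target: str     # VM the operation acts upon
    op: str         # privilege name, e.g. "Kern_Mem" as used by Grant_Privilege


@dataclass
class Platform:
    mgmt_vm: str = "dom0"                       # traditional model: the single dom0
    owner: dict = field(default_factory=dict)   # vm -> client id
    udom0: dict = field(default_factory=dict)   # client id -> that client's Udom0
    grants: set = field(default_factory=set)    # (grantee, target, op)

    def add_client(self, client, udom0, vms):
        self.udom0[client] = udom0
        self.owner[udom0] = client
        for vm in vms:
            self.owner[vm] = client

    def grant_privilege(self, issuer, grantee, target, op):
        """Grant_Privilege as handled by Udom0 (assumption): the issuer must be the
        Udom0 of the client that owns both the grantee and the target VM."""
        client = self.owner.get(target)
        if client is None or issuer != self.udom0.get(client):
            raise PermissionError(f"{issuer} may not grant privilege over {target}")
        if self.owner.get(grantee) != client:
            raise PermissionError(f"{grantee} and {target} belong to different clients")
        self.grants.add((grantee, target, op))

    def revoke_privilege(self, grantee, target, op):
        self.grants.discard((grantee, target, op))


def traditional_decision(platform, req):
    """Slide 44: a privileged operation is allowed iff it comes from the management VM."""
    return "ALLOW" if req.requester == platform.mgmt_vm else "DENY"


def ssc_decision(platform, req):
    """Slide 45: the owning client's Udom0 is always allowed; any other requester
    needs an explicit grant for this exact target and operation. The provider's
    Sdom0 holds no grants over client VMs, so it falls through to DENY."""
    client = platform.owner.get(req.target)
    if client is None:
        return "DENY"                                 # unknown target VM
    if req.requester == platform.udom0.get(client):
        return "ALLOW"                                # client administers its own VMs
    if (req.requester, req.target, req.op) in platform.grants:
        return "ALLOW"                                # e.g. vmi_vm over web_vm, Kern_Mem
    return "DENY"


def demo_platform():
    """Constructed platform with two clients, using the talk's example VM names."""
    p = Platform()
    p.add_client("alice", "udom0_alice", ["web_vm", "vmi_vm", "ssl_vm"])
    p.add_client("bob", "udom0_bob", ["bob_vm"])
    p.grant_privilege("udom0_alice", "vmi_vm", "web_vm", "Kern_Mem")
    return p


if __name__ == "__main__":
    p = demo_platform()
    for req in [Request("dom0", "web_vm", "Kern_Mem"),
                Request("sdom0", "web_vm", "Kern_Mem"),
                Request("udom0_alice", "web_vm", "Kern_Mem"),
                Request("vmi_vm", "web_vm", "Kern_Mem"),
                Request("vmi_vm", "web_vm", "NET"),
                Request("bob_vm", "web_vm", "Kern_Mem")]:
        print(req, "traditional:", traditional_decision(p, req), "ssc:", ssc_decision(p, req))
```

The contrast the backup slides draw shows up directly: under the traditional check anything coming from dom0 is allowed regardless of target, while under the SSC check the provider's domain gets the same DENY as any other VM without a grant, and a grant is scoped to one grantee, one target and one operation, so vmi_vm's Kern_Mem grant over web_vm gives it nothing over ssl_vm or over web_vm's network.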