Shakeel Butt, shakeelb@cs.rutgers.edu
H. Andres Lagar-Cavilla, andres@lagarcavilla.org
Abhinav Srivastava, abhinav@research.att.com
Vinod Ganapathy, vinodg@cs.rutgers.edu
Self-service Cloud Computing
Published in Proceedings of ACM CCS’12
• By 2015, 90% of government agencies and large companies will use the cloud [Gartner, “Market Trends: Application Development Software, Worldwide, 2012-2016,” 2012]
• Many new companies & services rely exclusively on the cloud, e.g., Instagram, MIT/Harvard EdX [NYTimes, “Active in Cloud, Amazon Reshapes Computing,” Aug 28, 2012]
Virtualized cloud platforms
[Figure: Hardware; Hypervisor; Management VM (dom0); three Work VMs]
Examples: Amazon EC2, Microsoft Azure, OpenStack, RackSpace Hosting
Embracing the cloud
Let's do Cloud
Embracing the cloud
Cloud Provider (to Client): "Trust me with your code & data"
Cloud operators: "You have to trust us as well"
Problem #1: Client code & data secrecy and integrity vulnerable to attack
Problem #2: Clients must rely on provider to deploy customized services
Client: "I need customized malware detection and VM rollback"
Cloud Provider: "For now just have checkpointing …"
Why do these problems arise?
[Figure: Hardware; Hypervisor; Management VM (dom0); three Work VMs]
Example: Malware detection
[Example: Gibraltar -- Baliga, Ganapathy, Iftode, ACSAC’08]
[Figure: Hypervisor beneath the client's VM (code, data) and the management VM (checking daemon, security policy); numbered steps 1 to 3 with the labels "Process the page", "Alert user" and "Resume guest"]
Problem: Clients must rely on provider to deploy customized services
Problem: Client code & data secrecy and integrity vulnerable to attack
Malicious cloud operator
EXAMPLES:
• CVE-2007-4993. Xen guest root escapes to dom0 via pygrub.
• CVE-2007-5497. Integer overflows in libext2fs in e2fsprogs.
• CVE-2008-0923. Directory traversal vulnerability in the shared folders feature for VMware.
• CVE-2008-1943. Buffer overflow in the backend of XenSource Xen paravirtualized frame buffer.
• CVE-2008-2100. VMware buffer overflows in VIX API let local users execute arbitrary code in host OS.
• … [AND MANY MORE]
Traditional cloud computing
[Figure: Hardware; Hypervisor; Management VM; Client’s VMs]
SSC: Self-service cloud computing
[Figure: Hardware; Hypervisor; Management VM; Client’s VMs]
Main contributions
• New hypervisor privilege model
• Enables four new cloud abstractions
– Udom0: Per-client management VMs
– Sdom0: System-wide management VM
– Service VMs
– Mutually-trusted service VMs
• Protocols for trustworthy VM startup
• Novel cloud-based services
Duties of the management VM
Manages and multiplexes hardware resources
Manages client virtual machines
Management VM (Dom0)
Main technique used by SSC: Disaggregate the management VM
System-wide Mgmt. VM (SDom0)
• Manages hardware
• No access to clients’ VMs
Solves problem #1
Per-Client Mgmt. VM (UDom0)
• Manages client’s VMs
• Allows clients to deploy new services
Solves problem #2
An SSC platform
[Figure: Hardware; SSC Hypervisor; SDom0; Client’s meta-domain with UDom0, Service VM and two Work VMs]
Equipped with a Trusted Platform Module (TPM) chip
Trusted Computing Base
[Figure: Hardware; SSC Hypervisor; SDom0; UDom0; Service VM; two Work VMs]
1. Separation of Privilege
2. Least Privilege
But providers want some control
• Udom0 and service VMs put clients in control of their VMs
• Sdom0 cannot inspect these VMs
• Malicious clients can misuse privilege
• Mutually-trusted service VMs
Client: NO data leaks or corruption
Cloud Provider: NO illegal activities or botnet hosting
Trustworthy regulatory compliance
[Figure: Hardware; SSC Hypervisor; SDom0; UDom0; Mutually-trusted Service VM; two Work VMs]
Traditional privilege model
Privileged operation → Hypervisor: is request from Management VM?
• YES: ALLOW
• NO: DENY
SSC’s privilege model
Privileged operation → Self-service hypervisor: Is the request from client’s Udom0?
• YES: ALLOW
• NO: Does requestor have privilege (e.g., client’s service VM)?
– YES: ALLOW
– NO: DENY
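The two decision flows side by side, as an added example that is not taken from the slides or from SSC's code. The `domain` and `grant` structures, the reading of "client's Udom0" as the Udom0 that owns the target VM, and the sample domains are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the two decision flows. The types, the per-client owner field
 * and the grant table are assumptions for illustration, not SSC's code. */
enum dom_type { DOM0, SDOM0, UDOM0, SERVICE_VM, WORK_VM };

struct domain {
    int id;
    enum dom_type type;
    int client;              /* owning client's meta-domain; -1 = provider */
};

/* Privilege over one target VM held by a service VM (assumed form). */
struct grant { int service_vm; int target; };

/* Traditional model: only the requester's identity is checked. */
bool traditional_allows(const struct domain *req, const struct domain *target)
{
    (void)target;            /* dom0 may operate on any VM */
    return req->type == DOM0;
}

/* SSC model: the target's own Udom0 is allowed; any other requester needs
 * an explicit privilege over that target; everything else is denied. */
bool ssc_allows(const struct domain *req, const struct domain *target,
                const struct grant *grants, size_t n)
{
    if (req->type == UDOM0 && req->client == target->client)
        return true;
    for (size_t i = 0; i < n; i++)
        if (grants[i].service_vm == req->id && grants[i].target == target->id)
            return req->type == SERVICE_VM && req->client == target->client;
    return false;
}

/* Constructed sample platform with two clients (1 and 2). */
static const struct domain dom0 = {0, DOM0, -1}, sdom0 = {0, SDOM0, -1};
static const struct domain udom_a = {1, UDOM0, 1}, svc_a = {2, SERVICE_VM, 1};
static const struct domain work_a1 = {3, WORK_VM, 1}, work_a2 = {4, WORK_VM, 1};
static const struct domain work_b = {5, WORK_VM, 2};
static const struct grant grants[] = { {2, 3} };   /* svc_a may act on work_a1 */

int main(void)
{
    printf("traditional dom0 -> work_a1: %d\n", traditional_allows(&dom0, &work_a1));
    printf("SSC sdom0  -> work_a1: %d\n", ssc_allows(&sdom0, &work_a1, grants, 1));
    printf("SSC udom_a -> work_a1: %d\n", ssc_allows(&udom_a, &work_a1, grants, 1));
    printf("SSC udom_a -> work_b : %d\n", ssc_allows(&udom_a, &work_b, grants, 1));
    printf("SSC svc_a  -> work_a1: %d\n", ssc_allows(&svc_a, &work_a1, grants, 1));
    printf("SSC svc_a  -> work_a2: %d\n", ssc_allows(&svc_a, &work_a2, grants, 1));
    return 0;
}
```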
Bootstrap: the Domain Builder
[Figure: Hardware; SSC Hypervisor; SDom0; Domain Builder; UDom0; Work VM; Service VM]
Must establish an encrypted communication channel
[Figure for steps 1 to 8: Hardware; SSC Hypervisor; Domain Builder; UDom0]
1. Udom0 image, Enc ( , )
2. DomB builds domain
3. DomB installs key, nonce; Enc ( , )
4. Client gets TPM hashes
5. Udom0 sends to client
6. Client sends Udom0 SSL key; Enc ( )
7. SSL handshake and secure channel establishment
8. Can boot other VMs securely (VM image; Work VM; Service VM)
Client meta-domains
[Figure: Hardware; SSC hypervisor; Udom0; Computation: three Work VMs; Service VMs: malware detection, firewall and IDS, storage services; Mutually-trusted Service VMs: trustworthy metering, regulatory compliance]
Case studies: Service VMs
• Storage services: Encryption, Intrusion detection
• Security services:
– Kernel-level rootkit detection
– System-call-based intrusion detection
• Data anonymization service
• Checkpointing service
• Memory deduplication
• And compositions of these!
Evaluation
• Goals
– Measure overhead of SSC
• Dell PowerEdge R610
– 24 GB RAM
– 8 XEON cores with dual threads (2.3 GHz)
– Each VM has 2 vCPUs and 2 GB RAM
• Results shown only for 2 service VMs
– See our CCS’12 paper for more
Storage encryption service VM
[Figure: Sdom0, storage encryption service VM and client’s work VM, connected by backend and frontend block devices; the service VM performs encryption and decryption]

| Platform | Unencrypted (MB/s) | Encrypted (MB/s) |
|---|---|---|
| Xen-legacy | 81.72 | 71.90 |
| Self-service | 75.88 | 70.64 |
Checkpointing service VM
[Figure: Client’s VM; Checkpoint service; Storage; Checkpoint service (Encryption); Encrypted Storage service; Storage]

| Platform | Unencrypted (sec) | Encrypted (sec) |
|---|---|---|
| Xen-legacy | 1.840 | 11.419 |
| Self-service | 1.936 | 11.329 |
Related projects
• CloudVisor [SOSP’11]: Protect client VM data from Dom0 using a thin, bare-metal hypervisor
• Xen-Blanket [EuroSys’12]: Allow clients to have their own Dom0s on commodity clouds using a thin shim
[Figures, labels only: "Nested Hypervisor", "Client VM", "Dom0", "CloudVisor", "Cloud Hypervisor", "Client VM", "Client Dom0", "XenBlanket", "Cloud Dom0"]
Current and future work
• Novel network services, e.g., trustworthy network traffic metering
• VM migration in an SSC-based cloud:
– Co-location of service VMs and work VMs
– Without exposing details of cloud platform to clients
– Pricing and metering issues
• Cloud market model: Service VMs as cloud apps