The Entropia Virtual Machine for Desktop Grids

Brad Calder, Andrew A. Chien, Ju Wang, Don Yang – VEE-2005

Raju Kumar

CS598C: Virtual Machines

Introduction

Desktop Grids Entropia Desktop Distributed Computing

Grid (DCGrid)

VMs for protection How was protection provided earlier ?

Overview

DCGrid Goals Entropia VM Results Conclusion

DCGrid Overview

DCGrid Details

Physical Node Management Resource and Application management

Resource Scheduling Scheduling subjobs

Job Management Decomposes job into subjobs, deploys

subjobs and accumulates results Entropia VM

Entropia VM Requirements

Desktop security Clean execution environment Unobtrusiveness Application security

Entropia VM Components

Entropia VM Components Contd…

Desktop Controller Provides unobtrusiveness

Sandbox Execution Layer Provides all features including

unobtrusiveness

Wrapping Application

Wrapped inside EVM using binary modification

Wrapped interpreters – cmd.exe, Perl, JVM

vm.dll as first entry in import table vm.dll’s main() dynamically modifies

loaded binaries and required dlls to intercept system calls

Validating Binaries Checksum of each binary file

Whether sandboxed Integrity

Configuration file - Checksums for all binaries Encrypted and transferred to EVM Encryption Key – securely communicated

CreateProcess for code in a new binary file Check if registered in configuration file Verify checksum

Desktop Control EVM monitors subjob usage of key resources If subjob uses excess resources, subjob’s processes

paused or terminated – Acceptable ? Unobtrusiveness –

Sandbox Execution Layer – resource usage restriction per process

Desktop Controller – resource usage restriction per subjob

Processes may belong to EVM or subjob Separate resource control using VM Portal

EVM Portal Thread Invisible Portal thread per Sandboxed application Sandboxed application unaware of Portal thread

Thread listing does not show Portal thread Terminating Portal thread not allowed by virtualizing relevant

system calls Heart-beat maintained between Portal thread and Desktop

Controller Loss of heart-beat – Portal thread kills the sandboxed

application When is heart-beat lost ?

One Portal thread for each process Terminate Pause Resume

On being paused, process memory paged to disk – security issues ?

Enforcing Resource Limits If desktop usage is high, Desktop Controller pauses

subjob (via Portal thread) – all or nothing solution If pausing does not decrease usage, terminate – is this

correct ? Different levels of unobtrusiveness

Highest level – pause on mouse movement, keyboard-memory-disk I/O-CPU usage of non-Entropia processes – Background processes in Windows ? Distinction between user and system processes in Windows ?

Lowest level – ignore keyboard and mouse usage Subjobs can run between keystrokes

Subjob threads are run at lowest priorities

Paging Issues Subjob requirements

Specified by user Specified by administrator (a typical value)

Resource Scheduler schedules subjob on a client with sufficient resources

Excessive Paging implications Active user Incorrect value of subjob requirement provided/estimated

Enforcing Resource Limitation Pause/terminate subjob Mentions excessive memory usage as well – is it correct ?

Examples Tracing code – Excessive disk usage Erroneous process – Excessive threads

Resource Problems Failure reported to

Resource Scheduler DCGrid Administrator Job Manager

Categorization Desktop Resource Contention Client Black Hole Malformed subjob

Sandbox Execution Layer

Goal Control subjob’s interaction with OS Virtualize some OS components

Subjob’s access to all important system APIs is mediated

OS Interception Layer Device Driver –

intercepts hardware access

Binary modification – virtualize some APIs

Sandbox Layer is a VMM

Device Driver Mediation

Device Driver Mediation Provides Desktop Security feature Mediated interfaces cannot be bypassed Global mediation overhead

Hence mediates only interfaces with resource access

Dynamic Binary Modification Trampoline approach

Design Decisions

Self-modifying code not allowed JIT code for JVM allowed

Virtualized components Files Registry GUI Network Threads and Processes

Application Security Desktop user does not have administrator

privileges Subjob runs in a separate user space

Device driver provides complete user-space isolation

File encryption Tampering detection

Results

Results

Related Work Existing desktop grid solutions

Require changes to code or well-behaved assumptions

Classic VMs Obtrusive

JVM and .NET/MSIL based grids Obtrusive, not comprehensive

VMs for desktop grids Obtrusive, heavy

VMs with resource control Assume closed system

Conclusion

EVM provides Desktop security Clean execution environment Unobtrusiveness Application security

Thanks !!