problem statement
DESCRIPTION
Provider. 2. Customized Image. Execution Integrity. Image Integrity. 1. VM Image. 3. Guest1. 3. Guest2. Client. Verifiable Resource Accounting Chen Chen , Petros Maniatis, Adrian Perrig, Vyas Sekar, Amit Vasudevan. VM Customizer. Motivation - PowerPoint PPT PresentationTRANSCRIPT
Verifiable Resource AccountingChen Chen, Petros Maniatis, Adrian Perrig,
Vyas Sekar, Amit Vasudevan
Problem StatementCan a customer verify she received the resources charged by the service provider, while• remaining close to existing deployment models
Ease of Deployment• requiring minimal trust in the operator’s
infrastructureSmall TCB
• imposing low performance overheadEfficiency
Desired Properties• Image Integrity
Is the provider running the correct VM?
• Customization IntegrityIs the customization legitimate?
• Execution IntegrityProtect VM contents at runtime
• Accounting IntegrityResources (e.g., cycles) are actually consumed
VM Customizer
1. VMImage 3. Guest1 3. Guest2
2. CustomizedImage
CustomizationIntegrity
AccountingIntegrity
ExecutionIntegrity
ImageIntegrity
Client
4. Consumption Report
ProviderTask Lifecycle
Guest OS1 Guest OS2
Alibi Layere.g., minimal KVM
Cloud Hypervisore.g., Xen
Verifiable Resource Accounting (VRA) High-level Design
Provider hypervisor runs nested on top of Alibi (our accounting hypervisor)
Easy to deploy ✓Provider hypervisor needs no modification
Small TCB ✓Only Alibi needs to be trustedAmenable to verification
MotivationOutsourced computation is ubiquitous today (e.g., EC2, Azure, Rackspace).
“Did I get to use the resources I was charged for?”
Current Status and Future Directions• Use nested virtualization in KVM as starting point
• Adding Alibi features to KVM-nesting• Initial measurements show 7% overhead• Efficient ✓
• Modeling the lifecycle formally• Verify high-level system model• Verify that nested-virtualization implementation
matches the model
• Current resources: CPU, memory
• Support for I/O forthcoming
Potential threats • Attackers may modify/take over instances
(e.g., Somorovsky et al. [CCSW ’11])• Provider may customize VM incorrectly
(e.g., Liu and Ding [ICDCS ’11])• Scheduler vulnerabilities in hypervisors
(e.g., Zhou et al. [NCA ’11])• Provider may inflate consumption
(e.g., Liu and Ding [ICDCS ’11])
Task Lifecycle under VRA
Alibi Layer
Cloud HypervisorLaunch image
Measure and verify
• VM image attested before launch
Image Integrity
• Only stock VM device drivers (currently)
Customization Integrity
Alibi Layer
Cloud Hypervisor Guest Page 1
Guest Page 2
• VM is placed in distinct memory pages
• Alibi protects VM memory from hypervisor and other VMs
Execution Integrity
Guest2Guest1 Guest1
Alibi Layer
Cloud Hypervisor
time
• Alibi uses hardware counters to measure resource usage
• Tracks all entry/exits Accounting Integrity
1. Client provides a VM to the provider
2. Cloud provider may customize the VM (e.g., add BIOS, hardware specific optimizations)
3. Cloud provider may multiplex multiple customer VMs on hardware
4. Cloud provider charges by “usage” for different resources