Process isolation for cloud computing using commodity operating systems
Transcript of Process isolation for cloud computing using commodity operating systems
1© Copyright 2008 EMC Corporation. All rights reserved.
Process isolation for cloud computing using commodity operating systems
Wenbo Mao
EMC Research China, April 15, 2008
Outline
Isolation for guest applications in multi-tenancy service provisioning:
– Utility, grid, and nowadays very trendy cloud computing
– Two sorts of players: “lessor” (resourceful) and “lessee” (resource scarce)
– Isolation between applications is necessary, and is widely known to be done by virtualization techniques: natural isolation between virtual machines (VMs)
Reasoning why inter-VM isolation is no good
– Inadequate
– Impractical
This work: fine-granularity intra-VM process isolation
Use case: Green Cloud
Isolation: very meaningful for service provisioning (slide from Mendel Rosenblum, co-founder of VMware)
[Figure: virtual infrastructure stack of Application over Operating System over Virtual Infrastructure, with a Protection Engine providing isolation, introspection and interposition]
Service provisioning and reception entities are isolated VMs
The model of inter-VM isolation (Terra, vTPM, OpenTC, etc.)
[Figure: Hardware at the bottom, the Virtual Machine Monitor (Hypervisor) above it, and on top a row of Virtual Machines each running a Commodity OS, alongside a Security Service VM that also runs a Commodity OS]
In a commodity OS, a user process is never really isolated
1) Each process has kernel memory (the higher part of its address space); the kernel address space is shared by all processes
2) In kernel mode (when the CPU works for the kernel), the kernel can see and access any part of the page table, including the user mapping
3) This is how the kernel provides “room service”. So your single occupancy as “one VM per application” can never be truly single
[Figure: x86 paging: CR3 points to the Page Directory, whose entries select the Page Table for the kernel mapping and the Page Table for the user mapping; each page table entry gives the address location of a page in physical memory]
Impracticality of inter-VM isolation
Inter-VM isolation is not only inadequate, it’s impractical too
In multi-tenancy service provisioning, a service provider may need to host thousands of guests at a time; if guest isolation is achieved by one VM per guest application, then:
– Too many VMs waste system resources (e.g., IP addresses)
– Too many VMs mean more hardware demand, against the original motivation of virtualization: improving resource utilization
– Usually an application uses commercial off-the-shelf third-party software libraries that are shared by many applications; with inter-VM isolation each application uses a huge library alone, and hence makes huge-sized VMs
Fine granularity process isolation
Isolation done at the process level
– Hiding the memory content of user processes from the OS and other processes
Preventing attack from the OS and system services
Even the system administrator can’t launch an attack
Secure integration of third-party software
Making OS security an irrelevant issue
Saving system resources: can run many applications inside one VM
Protecting guest processes on untrustworthy OS
Goal: Protect processes from software attacks while using a commodity OS
– The commodity OS is untrustworthy but too complex to repair, so we have to live with it
Approach: A behavior conformity layer in a Measured VMM
Quick Recall: Trusted Computing Group (TCG) Trusted Platform Module (TPM)
TPM—a tamper protected hardware module; it is already in PCs and servers (in wide use today), in mobile gadgets & PDAs (soon) and in peripheral devices such as disks and keyboards (future in TCG’s plan)
[Figure: TPM block diagram with Non-Volatile Storage, Platform Configuration Registers (PCR), Attestation Identity Key (AIK), Program Code, Random Number Generator, SHA-1 Engine, Key Generation, RSA Engine, Opt-In, Exec Engine and I/O]
Quick Recall: TCG Story—Software Measurement & Attestation
TPM can “eavesdrop” software loading through the I/O bus (Southbridge), and report the stored software environment to a remote querier
This is called software measurement and attestation
Process isolation inside memory: memory arbitration using MVMM (MXEN)
1. Save the user mapping info to a secure buffer and erase it when entering kernel mode
2. Restore the user mapping when returning to user mode
Question: what if user-space address information is needed for “advanced room service” (think of auto-save, swap)?
[Figure: CR3 points to the Page Directory; its entries select the Page Table for the kernel mapping and the Page Table for the user mapping into the physical address space. Four states are shown: about to enter kernel mode, in kernel mode (the user-mapping entry is NULL), about to enter user mode, in user mode]
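As an added example (not MXEN code), the two steps and the open question above modelled in C over a constructed eight-entry page directory; the entry layout, the frame numbers and the representation of the secure buffer are assumptions of the example:

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>
/* Toy model of the two-step memory arbitration on this slide: on entry to kernel mode the
 * MVMM copies the user half of the page directory into a buffer the guest kernel cannot
 * address and clears those entries; on return to user mode it restores them. The directory
 * size and frame numbers are constructed for the example, not MXEN's. */
#define PD_ENTRIES   8               /* constructed: entries 0..3 user, 4..7 kernel */
#define USER_ENTRIES 4
#define NOT_PRESENT  0u              /* the NULL entry the slide shows during kernel mode */
typedef struct {
    uint32_t pd[PD_ENTRIES];             /* page directory CR3 points at; guest-visible */
    uint32_t secure_buf[USER_ENTRIES];   /* MVMM-private copy; not mapped for the guest */
    bool in_kernel;
} vcpu_t;
vcpu_t demo_vcpu;
/* Constructed contents: frame number in bits 12 and up, present bit in bit 0. */
void vcpu_init(vcpu_t *v) {
    memset(v, 0, sizeof *v);
    for (int i = 0; i < USER_ENTRIES; i++)          v->pd[i] = ((0x100u + i) << 12) | 1u;
    for (int i = USER_ENTRIES; i < PD_ENTRIES; i++) v->pd[i] = ((0xC00u + i) << 12) | 1u;
}
/* Step 1: about to enter kernel mode: save the user mapping to the secure buffer, then erase it. */
void mvmm_enter_kernel(vcpu_t *v) {
    memcpy(v->secure_buf, v->pd, sizeof v->secure_buf);
    for (int i = 0; i < USER_ENTRIES; i++) v->pd[i] = NOT_PRESENT;
    v->in_kernel = true;
}
/* Step 2: about to return to user mode: restore the user mapping from the secure buffer. */
void mvmm_return_to_user(vcpu_t *v) {
    memcpy(v->pd, v->secure_buf, sizeof v->secure_buf);
    v->in_kernel = false;
}
/* A page walk from CR3, as the guest kernel would do it: NOT_PRESENT means unreachable. */
uint32_t walk_pd(const vcpu_t *v, int idx) { return v->pd[idx]; }
/* The slide's open question in code: a kernel "room service" such as swap or auto-save
 * needs user pages while in kernel mode, but after step 1 the walk finds nothing. */
bool kernel_can_reach_user_page(const vcpu_t *v, int idx) {
    return v->in_kernel && idx < USER_ENTRIES && walk_pd(v, idx) != NOT_PRESENT;
}
int main(void) {
    vcpu_init(&demo_vcpu);
    mvmm_enter_kernel(&demo_vcpu);
    printf("kernel mode: user pde[0]=%#x, kernel reaches user page? %d\n",
           (unsigned)walk_pd(&demo_vcpu, 0), kernel_can_reach_user_page(&demo_vcpu, 0));
    mvmm_return_to_user(&demo_vcpu);
    return 0;
}
```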
Trapping kernel/user interactions (MXEN modules: Interposition, TSC layer with seal/unseal, Isolation)
[Figure: a trusted process raising a TSC (trusted system call) into MXEN, which forwards it to the Linux kernel interrupt handler]
1. The interposition module intercepts a TSC from a trusted process.
2. Forward the TSC to the TSC layer. If there is no data exchange, go to the next step directly. If the TSC is write-related, data sealing is needed.
3. The isolation module conceals the CPU context and the user-level page table mappings.
4. Transfer execution to the Linux kernel. The interrupt handler in Linux then serves the TSC request.
5. Return from the Linux kernel and invoke XEN.
6. If the TSC is read-related, data unsealing is needed before entering user mode.
7. The isolation module restores the concealed CPU context and page table.
8. Resume execution of the trusted process in user mode.
[Figure: virtual address space with the kernel space and the user space of the process; data at addr 1 and addr 2, with the seal step marked]
Performance considerations
For a “tasty biscuit” (a trusted process’s system call):
– MXEN replaces the system call entry in the Interrupt Descriptor Table (IDT)
– The trusted process’s code is binary-rewritten to use a different interrupt line (0x81), so MXEN will trap it
For “staple food” (ordinary system calls):
– As usual, the kernel directly traps syscalls (0x80) from a normal process
– These traps are indiscernible to MXEN
[Figure: a trusted process issues int 0x81, which lands in MXEN (Daoli) as a trusted syscall, is handed to the Linux kernel interrupt handler and returns via hypervisor_iret; an untrusted process issues int 0x80, which goes to the kernel as a normal syscall and returns via iret]
MXEN only wants the “tasty biscuit”
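An added example (not MXEN or Daoli code) modelling the trap path of this slide together with the TSC seal/unseal sequence of the previous one: a constructed IDT dispatch on vectors 0x80 and 0x81, a stand-in Linux handler, and sealing replaced by a per-process XOR keystream that is an assumption of the example, not the real primitive.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
/* Toy model of slides 12 and 13: a trusted process's binary has been rewritten to raise
 * int 0x81, which MXEN owns in the IDT; an ordinary process raises int 0x80 and reaches the
 * Linux handler directly. Sealing is a per-process XOR keystream, a constructed stand-in. */
#define INT_NORMAL_SYSCALL  0x80
#define INT_TRUSTED_SYSCALL 0x81
enum { SYS_READ = 3, SYS_WRITE = 4 };     /* Linux i386 syscall numbers */
typedef struct { uint8_t seal_key; } process_t;
static uint8_t disk[8];                   /* constructed backing store written by the kernel */
uint8_t kernel_saw[8];                    /* bytes the Linux handler observed on the last write */
bool context_concealed;                   /* isolation module: CPU context and user mapping hidden */
/* Untrusted Linux interrupt handler: serves the request with whatever bytes it is given. */
static void linux_handler(int nr, uint8_t *buf, size_t n) {
    if (nr == SYS_WRITE) { memcpy(kernel_saw, buf, n); memcpy(disk, buf, n); }
    else if (nr == SYS_READ) memcpy(buf, disk, n);
}
static void xor_seal(const process_t *p, uint8_t *buf, size_t n) {   /* seals and unseals */
    for (size_t i = 0; i < n; i++) buf[i] ^= (uint8_t)(p->seal_key + i);
}
/* MXEN: interposition -> TSC layer (seal on write) -> isolation -> Linux -> unseal on read. */
static void mxen_trusted_syscall(process_t *p, int nr, uint8_t *buf, size_t n) {
    if (nr == SYS_WRITE) xor_seal(p, buf, n);   /* kernel only ever sees sealed data */
    context_concealed = true;                    /* conceal CPU context and user page table */
    linux_handler(nr, buf, n);                   /* Linux serves the TSC request */
    context_concealed = false;                   /* restore before resuming user mode */
    if (nr == SYS_READ) xor_seal(p, buf, n);     /* unseal before entering user mode */
}
/* IDT dispatch: 1 = MXEN path taken, 0 = plain kernel path, -1 = rejected. */
int raise_interrupt(process_t *p, int vector, int nr, uint8_t *buf, size_t n) {
    if (n > sizeof disk) return -1;
    if (vector == INT_TRUSTED_SYSCALL) { mxen_trusted_syscall(p, nr, buf, n); return 1; }
    if (vector == INT_NORMAL_SYSCALL)  { linux_handler(nr, buf, n); return 0; }
    return -1;
}
/* Write a constructed message through the given vector and read it back. Returns 1 when
 * the kernel saw only sealed bytes yet the process got its plaintext back (0x81 path);
 * a write via 0x80 is fully visible to the kernel, so the function returns 0 there. */
int round_trip_hides_from_kernel(int vector) {
    process_t proc = { .seal_key = 0x5A };
    uint8_t buf[8]; memcpy(buf, "secret!", 8);
    raise_interrupt(&proc, vector, SYS_WRITE, buf, 8);
    bool kernel_blind = memcmp(kernel_saw, "secret!", 8) != 0;
    memset(buf, 0, sizeof buf);
    raise_interrupt(&proc, vector, SYS_READ, buf, 8);
    return kernel_blind && memcmp(buf, "secret!", 8) == 0;
}
```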
Whole system view
[Figure: Alice’s code file consists of BIND(k1) and ENCk1(code); she submits the encrypted code file to Bob (Host). Bob’s platform has a TPM with PCRs, SRK and AIK, persistent storage and memory, and an MVMM that performs measurement & delegation (delegated attestation under AIK’) and deploys the code as a trusted process. For migration to Charlie (Host), whose TPM likewise holds PCRs, SRK and AIK, the application is rolled out as SEAL(k1||PCRs) and ENCk1(code) and rolled in on Charlie’s MVMM]
Key Management Protocols (4 parts):
• Establishing software TCB
• Deployment of guest applications
• Rolling-out and -in of guest applications
• Application migration
Use case: “Green Cloud”
Green is hot in China too (“Green GDP”)
Conventional (historical) thinking: utility computing should only be done with reputable service providers (hence “multi-tenancy” with a large resource lessor), under a long-term contractual relation between lessor and lessee
To increase utilization, a reputable host needs to prepare “overflow buffers” for off-loading peak-time service requests
– An “overflow buffer” can be a not-so-reputable host
– It can be in a location with competitive pricing
– Considering peak and trough times in a day and seasonal highs (e.g., Amazon in the Christmas season), a host may be on the other side of the world
– The relation between a reputable host and an “overflow buffer” is ad hoc
So, behavior conformity from process isolation is necessary for a green cloud
Green Cloud Consortium
Fudan University
– Process isolation & secure VM migration; VMM techniques (XEN)
Huazhong University of Science and Technology (HUST)
– Grid & cloud computing; constructing a VO by dynamically making & deploying VMs
Wuhan University
– Trusted Computing: platform measurement & attestation
– VM migration key management protocols
Tsinghua University
– “Green Cloud” use case
Advertisement
3rd Asia-Pacific Trusted Infrastructure Technologies Conference
On a cruise ship on the Yangtze River near the Three Gorges Dam, China
October 14-17, 2008
Proceedings to be published by IEEE Computer Society Press
Sponsored by EMC and VMware, and co-chaired by EMC Research China
http://grid.hust.edu.cn/aptc08/