Zerovm backgroud
-
Upload
prosunjit-biswas -
Category
Technology
-
view
244 -
download
0
description
Transcript of Zerovm backgroud
11World-Leading Research with Real-World Impact!
ZeroVM Backgroud
Prosunjit BiswasInstitute for Cyber Security
University of Texas at San Antonio
April 23, 2014Institute of Cyber Security, ICS @ UTSA
Institute for Cyber Security
22World-Leading Research with Real-World Impact!
Motivation Behind ZeroVM
Institute for Cyber Security
1. In Amazon map/reduces a considerable amount of overhead was due to fetching the data from s3 to EC2 Instances and put it back to s3.
2. The overhead was hurting when the customers need to remake to cluster and do the map/reduce again.
3. A significant amount of customer’s money was spent due to moving the data back and forth.
33World-Leading Research with Real-World Impact!
Motivation Behind ZeroVM(continued)
Institute for Cyber Security
1. can we bring to Application to the data(very limited I/O overhead)?
2. How can we ensure no harm even if the application is malicious?
Challenge with High I/O
Challenge with Application Isolation
44World-Leading Research with Real-World Impact!
What is ZeroVM
Institute for Cyber Security
ZeroVM is an open–source lightweight virtualization
platform based on the Chromium Native Client
project.
55World-Leading Research with Real-World Impact!
ZeroVM Properties
Institute for Cyber Security
1. ZeroVM virtualizes Application not Operating System.
2. Single threaded (thus deterministic) execution
3. Constraint Resource Channel based I/O Predefine socket port / network
Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined
timeout
66World-Leading Research with Real-World Impact!
ZeroVM Properties
Institute for Cyber Security
1. ZeroVM virtualizes Application not Operating System.
2. Single threaded (thus deterministic) execution
3. Constraint Resource Channel based I/O Predefine socket port / network
Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined
timeout
77World-Leading Research with Real-World Impact!
Popular Virtualizations
Institute for Cyber Security
1. ZeroVM virtualizes Application not Operating System.
2. Does zeroVM uses process level virtualization ?
OS Level Virtualization Process Level Virtualization
No
88World-Leading Research with Real-World Impact!
Popular Virtualizations
Institute for Cyber Security
OS Level Virtualization Process Level Virtualization
Pros:1.Complete Isolation
Dedicated V. Memory Dedicated V. Storage Dedicated V. CPU
2. Flexible ArchitectureAlmost all OS is supported
3. Fault Tolerance
Cons:1.High Resource Overhead2.High Maintenance Cost.
Pros:1.Easy to maintain2. Comparative low overhead.
Cons:1.Single Large Fault domain
a. One malicious app may crush the whole system.
2.No Complete isolation.
99World-Leading Research with Real-World Impact!
ZeroVM Virtualization
Institute for Cyber Security
Process Level Virtualization
Pros:1.Nearly Complete Isolation
- Uses Google Native Client (NaCl) Project
2.Low Resource overhead.
3. Fault Tolerant
Cons:
1.Run Only special executables/ binary.
2.Very limited support for existing Application
1010World-Leading Research with Real-World Impact!
ZeroVM Properties
Institute for Cyber Security
1. ZeroVM virtualizes Application not Operating System.
2. Single threaded (thus deterministic) execution
3. Constraint Resource Channel based I/O Predefine socket port / network
Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined
timeout
1111World-Leading Research with Real-World Impact!
ZeroVM Properties
Institute for Cyber Security
1. ZeroVM virtualizes Application not Operating System.
2. Single threaded (thus deterministic) execution
3. Constraint Resource Channel based I/O Predefine socket port / network
Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined
timeout
Single Threaded Execution:
1.No Fork
2.No Context Switch
3.No Fault due to concurrency
1212World-Leading Research with Real-World Impact!
ZeroVM Properties
Institute for Cyber Security
1. ZeroVM virtualizes Application not Operating System.
2. Single threaded (thus deterministic) execution
3. Constraint Resource Channel based I/O Predefine socket port / network
Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined
timeout
1313World-Leading Research with Real-World Impact!
Channel Based Input / Output
Institute for Cyber Security
1. ZeroVM virtualizes Application not Operating System.
2. Single threaded (thus deterministic) execution
3. Constraint Resource Channel based I/O Predefine socket port / network
Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined
timeout
Before execution ZeroVM is given a manifest/ configuration file which specify predefined Resources through Channel.
Input file, Output file / File System Network (socket, DNS) Memory
Channel = /tmp/input.txt, /dev/stdin, 0, 1, 0x1000, 0x1000, 0, 0
Which means :Zerovm input (/dev/stdin) comes from : /tmp/input.txt of
local filesystem. 0: Only sequential Read / Write is allowed
0x1000: only 1000 bytes is allowed to be read from input file.
0: 0 bytes can be written to /tmp/input.txt
1414World-Leading Research with Real-World Impact!
An example Manifest file
Institute for Cyber Security
1. ZeroVM virtualizes Application not Operating System.
2. Single threaded (thus deterministic) execution
3. Constraint Resource Channel based I/O Predefine socket port / network
Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined
timeout
Channel = /dev/null, /dev/stdin, 0, 1, 999999, 999999, 0, 0Channel = /dev/stdout, /dev/stdout, 0, 1, 0, 0, 999999, 999999Channel = /dev/stderr, /dev/stderr, 0, 1, 0, 0, 999999, 999999
Version = 20130611Program = hello.nexe
Memory = 33554432, 1Timeout = 1
1515World-Leading Research with Real-World Impact!
Binary Support for ZeroVM
Institute for Cyber Security
ZeroVM executables have to be precompiled in .nexe format.
Currently only C (C99) and python executables are supported.
Existing C executables and python interpreter need recompilation to modify / eliminate sensitive system calls.
1616World-Leading Research with Real-World Impact!
ZeroVM from a theoretical standpoint
Institute for Cyber Security
ZeroVM
Google Native Client
Software Fault Isolation
Functional Dependencyand Security
Feature
1717World-Leading Research with Real-World Impact!
ZeroVM from a theoretical standpoint
Institute for Cyber Security
ZeroVM
Google Native Client
Software Fault Isolation
Functional Dependencyand Security
Feature
1818World-Leading Research with Real-World Impact!
Software Fault Isolation
Institute for Cyber Security
Trusted Code( Ex: Distributed by Google )
Untrusted Code
( Ex:Third party extensions)
Ex: Google Chrome Browser
Malicious access
Fault Isolation Techniques:1.Address Space Abstraction by OS
Cons:1. Communication between address space is very costly.
Valid accessRef: Efficient Software-based Fault Isolation
1919World-Leading Research with Real-World Impact!
Software Fault Isolation
Institute for Cyber Security
Fault Domain:-- Contiguous region of memory.-- have different code and data segment-- Code from different trust level have own fault domain.
Cross Domain Communication:-- No direct memory access-- All call are implemented by RPC
Single Domain Restricted Access:-- the module cannot change Code segment. (dangerous, self modifying code)-- Every jump instruction must not pass single domain.-- Most Jumps are statically verified otherwise-- verified at run time with help of checking code.
Fault domain1
Distributed code / extensions must be recompiled/rewritten.
Code Segment, RO
Data ,RW
Code Segment, RO
Data, RW
Code,RO
Data, RW
Fault Domain2
Fault Domain3
2020World-Leading Research with Real-World Impact!
Google Native Client (NaCl)
Institute for Cyber Security
Adopted from : https://developers.google.com/native-client/dev/overview
2121World-Leading Research with Real-World Impact!
Application Development for Native Client
Institute for Cyber Security
Adopted from : https://developers.google.com/native-client/dev/overview
2222World-Leading Research with Real-World Impact!
Google Native Client (NaCl)
Institute for Cyber Security
NaCl consists of Two parts:
1.Inner Sandbox: Constraint execution environment for native code to prevent unintended side effects.
2.Outer Sandbox: A Runtime for hosting these native code extensions through which allowable side effects may occur safely.
Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code
2323World-Leading Research with Real-World Impact!
Protection Rule for Inner Sandbox
Institute for Cyber Security
Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code
2424World-Leading Research with Real-World Impact!
Sucurity Application for ZeroVM
Institute for Cyber Security
S
Data
Swift
Object Request
Object
S
Swift
Request
Reult
AppData
zerovm
2525World-Leading Research with Real-World Impact!
Sucurity Application for ZeroVM
Institute for Cyber Security
Application Perspective
1. User Application
2. 3rd party Application
3. Provider Application
.
Data Perspective:
1. User Data
2. Public Data
3. Protected data(Data + Access Control)
.
2626World-Leading Research with Real-World Impact!
Security Application for ZeroVM
Institute for Cyber Security
Provider Application:
Authaas - Authorization as a service for object storage ( for JSON Data)
Data owner does not create a new application to restrictively publish his data. Instead just specify a AC policy and enforcement is done through Authass .
Usecase:
Texas State Library has decided to move their digital contents (book, article and so on) to the object store. Their digital content is structured in JSON format. The library has readers of various types (Public, Silver, golden, platinum etc.) and digital contents are also classified into various types (public, paid , protected , secret etc.).
.
Thank You
World-Leading Research with Real-World Impact!