Transcript 2008-04-15

Process isolation for cloud computing using
commodity operating systems
Wenbo Mao
EMC Research China
April 15, 2008
© Copyright 2008 EMC Corporation. All rights reserved.
Outline
 Isolation for guest applications in multi-tenancy service provisioning:
– Utility, grid, and nowadays very trendy cloud computing
– Two sorts of players: “lessor” (resourceful) and “lessee” (resource scarce)
– Isolation between applications is necessary, and is widely assumed to come from virtualization techniques: the natural isolation between virtual machines (VMs)
 Why inter-VM isolation is not good enough
– Inadequate
– Impractical
 This work: fine-granularity intra-VM process isolation
 Use case: Green Cloud
Isolation: very meaningful for service provisioning
(slide from Mendel Rosenblum, Co-founder of VMWare)
[Diagram: a Protection Engine sits beside the Application and Operating System layers, all on top of the Virtual Infrastructure. The service provisioning and reception entities are isolated VMs. The virtual infrastructure offers the protection engine three primitives: Isolation, Introspection, Interposition.]
The model of Inter-VM isolation
Terra, vTPM, OpenTC, etc
[Diagram: several Virtual Machines, each running a Commodity OS, plus a separate Security Service VM (also on a Commodity OS), all on the Virtual Machine Monitor (Hypervisor), which runs on the Hardware.]
In a commodity OS, a user process is never really isolated
1) Each process has kernel memory (the higher part of the address space). The kernel address space is shared by all processes.
2) In kernel mode (when the CPU works for the kernel), the kernel can see and access any part of the page table, including the user mapping.
3) This is how the kernel provides “room service”. So your single occupancy as “one VM per application” can never be truly single.
[Diagram: CR3 points to the Page Directory, whose entries split into a kernel mapping and a user mapping; each points to a Page Table (for kernel mapping / for user mapping) whose entries give the address location of each page in physical memory.]
Impracticality of inter-VM isolation
Inter-VM isolation is not only inadequate, it’s impractical too
In multi-tenancy service provisioning, a service provider may need to host thousands of guests at a time; if guest isolation is achieved by one VM per guest application, then
 Too many VMs are a waste of system resources (e.g., IP addresses)
 Too many VMs mean more hardware demand, against the original motivation of virtualization: improving resource utilization
 Usually an application uses commercial off-the-shelf third-party software libraries that are shared by many applications; inter-VM isolation means each application carries a huge library alone, and hence makes huge VMs
Fine-granularity process isolation
 Isolation done at the process level
– Hiding the memory content of user processes from the OS and other processes
 Preventing attack from the OS and system services
 Even the system administrator can’t launch an attack
 Secure integration of third-party software
 Making OS security an irrelevant issue
 Saving system resources: can run many applications inside one VM
Protecting guest processes on an untrustworthy OS
 Goal: protect processes from software attacks while they run on a commodity OS
– A commodity OS is untrustworthy but too complex to repair, so we have to live with it
 Approach: a behavior conformity layer in a Measured VMM
Quick Recall: Trusted Computing Group (TCG) Trusted Platform Module (TPM)
TPM: a tamper-protected hardware module; it is already in PCs and servers (in wide use today), in mobile gadgets and PDAs (soon) and in peripheral devices such as disks and keyboards (future, in TCG’s plan)
[Diagram of TPM components: Non-Volatile Storage, Platform Configuration Registers (PCR), Attestation Identity Key (AIK), Program Code, Exec Engine, Random Number Generator, SHA-1 Engine, Key Generation, RSA Engine, Opt-In, IO.]
Quick Recall: TCG Story—Software Measurement & Attestation
 The TPM can “eavesdrop” on software loading through the I/O bus (Southbridge), and report the stored software environment to a remote querier
 This is called software measurement and attestation
Process isolation inside memory: memory arbitration using MVMM (MXEN)
1. Save the user mapping info to a secure buffer and erase it from the page directory when entering kernel mode
2. Restore the user mapping when returning to user mode
[Diagram: CR3 → Page Directory (User mapping, Kernel mapping) → Page Table entries → Physical Address Space. In user mode the user-mapping entries are present; about to enter kernel mode they are saved and replaced by NULL; about to enter user mode they are restored.]
Question: what if user-space address information is needed for “advanced room service” (think of auto-save, swap)?
Trapping kernel / user interactions
[Diagram: a Trusted Process (User Space, Virtual Addr. addr 1 holding data) issues a TSC (trusted system call). MXEN sits between the process and the Linux Kernel with an Interposition module and an Isolation module; data crossing into Kernel Space (addr 2) is sealed, and unsealed on the way back; the Linux Kernel’s Interrupt Handler serves the call.]
 The Interposition module intercepts a TSC from a trusted process.
 Forward the TSC to the TSC layer. If there is no data exchange, go to the next step directly. If the TSC is write-related, data sealing is needed.
 The Isolation module conceals the CPU context and the user-level page table mappings.
 Transfer execution to the Linux kernel. Then the interrupt handler in Linux serves the TSC request.
 Return from the Linux kernel and invoke XEN.
 The Isolation module restores the concealed CPU context and page table.
 If the TSC is read-related, data unsealing is needed before entering user mode.
 Resume the execution of the trusted process in user mode.
Performance considerations
MXEN only wants the “tasty biscuit”
[Diagram: a Trusted Process issues a Trusted Syscall via Int 0x81, which the Hypervisor (Daoli MXEN) traps before handing it to the Linux Kernel’s Interrupt Handler and returning through iret / _iret; an Untrusted Process issues a Normal Syscall via Int 0x80 straight to the Linux Kernel.]
 For a “tasty biscuit”
– MXEN replaces the system call entry in the Interrupt Descriptor Table (IDT)
– Binary rewriting of the trusted process code makes it use a different interrupt line (0x81), so MXEN will trap it
 For “staple food”
– As usual, the kernel directly traps syscalls (0x80) from a normal process
– These traps are indiscernible to MXEN
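A toy model of the user-mapping concealment on slide 11 and the trusted-syscall round trip on slides 12 and 13, written as an added example in C (not Daoli/MXEN code). It assumes a tiny 8-entry page directory, an XOR stand-in for sealing, and that the kernel handler receives the sealed bytes through a kernel-space copy; all three are simplifications of the real design.

```c
/* Added toy model of MXEN memory arbitration; not Daoli/MXEN source. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PDE_COUNT 8      /* toy page directory: entries 0..3 user half, 4..7 kernel half */
#define USER_PDES 4
#define TRUSTED_VEC 0x81 /* interrupt line rewritten into trusted processes (slide 13) */
#define NORMAL_VEC  0x80 /* ordinary syscall line; MXEN never sees it */

static uintptr_t page_dir[PDE_COUNT];
static uintptr_t secure_buf[USER_PDES];  /* hypervisor-private save area for user PDEs */
static const uint8_t seal_key = 0x5a;    /* placeholder for the real sealing key */

/* Toy sealing: XOR with the key. Applying it twice unseals. Stand-in only. */
void seal(uint8_t *buf, size_t n) { for (size_t i = 0; i < n; i++) buf[i] ^= seal_key; }

/* Fill the toy directory so PDE i maps to 0x1000 * (i + 1). */
void setup_page_dir(void) { for (size_t i = 0; i < PDE_COUNT; i++) page_dir[i] = 0x1000 * (i + 1); }

/* Slide 11, step 1: on entry to kernel mode, save the user PDEs and erase them. */
void conceal_user_mapping(void) {
    memcpy(secure_buf, page_dir, sizeof secure_buf);
    memset(page_dir, 0, sizeof secure_buf);           /* user entries now read as NULL */
}
/* Slide 11, step 2: before returning to user mode, put the saved PDEs back. */
void restore_user_mapping(void) { memcpy(page_dir, secure_buf, sizeof secure_buf); }

/* What a kernel-mode page walk sees for user PDE idx: 0 (NULL) while concealed. */
uintptr_t kernel_sees_user_pde(size_t idx) { return idx < USER_PDES ? page_dir[idx] : 0; }

/* Simulated Linux interrupt handler: it only ever gets the sealed copy at "addr 2". */
static void kernel_handler(const uint8_t *sealed, uint8_t *kernel_view, size_t n) {
    memcpy(kernel_view, sealed, n);
}

/* One write-related TSC round trip (slide 12). Returns 1 if the kernel's view of the
 * data differs from the plaintext the trusted process ends up with, i.e. isolation
 * held; returns 0 for a normal 0x80 syscall, which MXEN does not intercept at all. */
int trusted_syscall(int vector, uint8_t *data, size_t n, uint8_t *kernel_view) {
    if (vector != TRUSTED_VEC) return 0;   /* "staple food": kernel handles it alone */
    seal(data, n);                         /* interposition: seal before the kernel runs */
    conceal_user_mapping();                /* isolation: hide user mapping and context */
    kernel_handler(data, kernel_view, n);  /* Linux serves the request on sealed bytes */
    restore_user_mapping();                /* back in XEN: restore what was concealed */
    seal(data, n);                         /* unseal before entering user mode */
    return memcmp(data, kernel_view, n) != 0;
}
```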
Whole system view
Key Management Protocols (4 parts):
• Establishing the software TCB
• Deployment of guest applications
• Rolling-out and rolling-in of guest applications
• Application migration
[Diagram: Alice’s code file is deployed to Bob (Host) as ENCk1(code); k1 is protected by BIND(k1) to Bob’s MVMM and SEAL(k1||PCRs) on Bob’s TPM (PCRs, SRK, AIK, AIK’) after Measurement & Delegation. In Memory the code runs as a Trusted Process; Rolling out stores ENCk1(code) in Persistent Storage and Rolling in brings it back; Migrating to Charlie (Host) binds k1 to Charlie’s MVMM (BIND(k1)) under Charlie’s TPM (PCRs, SRK, AIK).]
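The sealing step of the key management protocol on this slide, as an added example in C (not the consortium’s protocol code): k1 is released on a host only when its PCRs match the values it was sealed under, so ENCk1(code) can be rolled in on Charlie only if Charlie measures the same MVMM. It assumes a toy TPM with four 64-bit PCRs, FNV-1a as a stand-in for the SHA-1 engine, and XOR as a stand-in for the real cipher.

```c
/* Added toy model of SEAL(k1||PCRs) gating ENCk1(code); not the protocol's own code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NUM_PCRS 4
typedef struct { uint64_t pcr[NUM_PCRS]; } tpm_t;               /* toy TPM: PCRs only */
typedef struct { uint64_t expected[NUM_PCRS]; uint8_t k1; } sealed_key_t;

/* FNV-1a, a stand-in for the TPM's SHA-1 engine; seed folds in the old PCR value. */
static uint64_t fnv1a(uint64_t seed, const void *p, size_t n) {
    const uint8_t *b = p;
    uint64_t h = seed ^ 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* PCR extend (slide 10 measurement): PCR[i] = H(PCR[i] || measurement of component). */
void pcr_extend(tpm_t *t, int i, const char *component) {
    t->pcr[i] = fnv1a(t->pcr[i], component, strlen(component));
}

/* SEAL(k1 || PCRs): tie the key to the platform state it was sealed under. */
sealed_key_t seal_key(const tpm_t *t, uint8_t k1) {
    sealed_key_t s;
    memcpy(s.expected, t->pcr, sizeof s.expected);
    s.k1 = k1;
    return s;
}

/* UNSEAL: release k1 only when the current PCRs equal the sealed ones. */
int unseal_key(const tpm_t *t, const sealed_key_t *s, uint8_t *k1_out) {
    if (memcmp(t->pcr, s->expected, sizeof s->expected) != 0) return 0;
    *k1_out = s->k1;
    return 1;
}

/* ENCk1(code) and its inverse: XOR stand-in for the real cipher. */
void xor_code(uint8_t *code, size_t n, uint8_t k1) { for (size_t i = 0; i < n; i++) code[i] ^= k1; }

/* Rolling in / migrating: decrypt Alice's code on this host only if k1 unseals here.
 * Returns 1 with plaintext in buf on success; 0 with the ciphertext untouched otherwise. */
int roll_in(const tpm_t *host, const sealed_key_t *s, uint8_t *buf, size_t n) {
    uint8_t k1;
    if (!unseal_key(host, s, &k1)) return 0;   /* different MVMM measured: stays sealed */
    xor_code(buf, n, k1);
    return 1;
}
```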
Use case: “Green Cloud”
Green is hot in China too (“Green GDP”)
Conventional (historical) thinking: utility computing should only be done with reputable service providers (that’s why “multi-tenancy” comes with a large resource lessor), in a long-term contractual relation between lessor and lessee
To increase utilization, a reputable host needs to prepare “overflow buffers” for off-loading peak-time service requests
– An “overflow buffer” can be a not-so-reputable host
– It can be in a location with competitive pricing
– Considering peak and trough times in a day and seasonal highs (e.g., Amazon in the Christmas season), such a host may be on the other side of the world
– The relation between a reputable host and an “overflow buffer” is ad hoc
So, behavior conformity from process isolation is necessary for a green cloud
Green Cloud Consortium
 Fudan University
– Process isolation & secure VM migration; VMM techniques (XEN)
 Huazhong University of Science and Technology (HUST)
– Grid & cloud computing; constructing VO by dynamic making & deploying VMs
 Wuhan University
– Trusted Computing: platform measurement & attestation
– VM migration key management protocols
 Tsinghua University
– “Green Cloud” use case
Advertisement
3rd Asia-Pacific Trusted Infrastructure Technologies Conference
On a cruise ship on the Yangtze River near the Three Gorges Dam, China
October 14-17, 2008
Proceedings to be published by IEEE Computer Society Press
Sponsored by EMC and VMWare, and co-chaired by EMC Research China
http://grid.hust.edu.cn/aptc08/