process isolation for cloud computing using commodity operating systems


Page 1: Process isolation for cloud computing using commodity operating systems

© Copyright 2008 EMC Corporation. All rights reserved.

Process isolation for cloud computing using commodity operating systems

Wenbo Mao

EMC Research China, April 15, 2008

Page 2

Outline

Isolation for guest applications in multi-tenancy service provisioning:
– Utility, grid, and nowadays very trendy cloud computing
– Two sorts of players: “lessor” (resourceful) and “lessee” (resource scarce)
– Necessary isolation between applications, widely known to be done by virtualization techniques: natural isolation between virtual machines (VMs)

Reasoning why inter-VM isolation is no good
– Inadequate
– Impractical

This work: fine-granularity intra-VM process isolation

Usecase: Green Cloud

Page 3

Isolation: very meaningful for service provisioning (slide from Mendel Rosenblum, co-founder of VMWare)

[Figure: a stack of Application, Operating System and Virtual Infrastructure, with a Protection Engine alongside it providing isolation, introspection and interposition]

Service provisioning and reception entities are isolated VMs

Page 4

The model of inter-VM isolation (Terra, vTPM, OpenTC, etc.)

[Figure: Hardware at the bottom, the Virtual Machine Monitor (Hypervisor) above it, and on top a row of Virtual Machines each running a Commodity OS, plus a Security Service VM also running a Commodity OS]

Page 5

In a commodity OS, a user process is never really isolated

1) Each process has kernel memory (the higher part of the address space); the kernel address space is shared by all processes

2) In kernel mode (when the CPU works for the kernel), the kernel can see and access any part of the page table, including the user mapping

3) This is how the kernel provides “room service”. So your single occupancy as “one VM per application” can never be truly single

[Figure: CR3 points to the Page Directory, which references a Page Table for the kernel mapping and a Page Table for the user mapping; both page tables map pages to address locations in physical memory]

Page 6

Impracticality for inter-VM isolation

Inter-VM isolation is not only inadequate, it’s impractical too

In multi-tenancy service provisioning, a service provider may need to host thousands of guests at a time; if guest isolation is achieved by one VM per guest application, then

– Too many VMs are a waste of system resources (e.g., IP addresses)

– Too many VMs mean more hardware demand, against the original motivation of virtualization: improving resource utilization

– Usually an application uses commercial off-the-shelf third-party software libraries that are shared by many applications; with inter-VM isolation each application carries a huge library alone, which makes huge VMs

Page 7

Fine granularity process isolation

Isolation done at the process level
– Hiding the memory content of user processes from the OS and other processes

Preventing attack from the OS and system services

Even the system administrator can’t launch an attack

Secure integration of third-party software

Making OS security an irrelevant issue

Saving system resources: can run many applications inside one VM

Page 8

Protecting guest processes on untrustworthy OS

Goal: Protect processes from software attacks while using a commodity OS
– The commodity OS is untrustworthy but too complex to repair, so we have to live with it

Approach: A behavior conformity layer in a Measured VMM

Page 9

Quick Recall: Trusted Computing Group (TCG), Trusted Platform Module (TPM)

TPM: a tamper-protected hardware module; it is already in PCs and servers (in wide use today), in mobile gadgets and PDAs (soon) and in peripheral devices such as disks and keyboards (future, in TCG’s plan)

[Figure: TPM components: Non-Volatile Storage, Platform Configuration Registers (PCR), Attestation Identity Key (AIK), Program Code, Random Number Generator, SHA-1 Engine, Key Generation, RSA Engine, Opt-In, Exec Engine, I/O]

Page 10

Quick Recall: TCG Story—Software Measurement & Attestation

The TPM can “eavesdrop” on software loading through the I/O bus (Southbridge), and report the stored software environment to a remote querier

This is called: Software measurement and Attestation

Page 11

Process isolation inside memory: memory arbitration using MVMM (MXEN)

1. Save and erase user mapping info to a secure buffer when entering kernel mode

2. Restore user mapping when returning to user mode

Question: what if user-space address information is needed for “advanced room service” (thinking of auto save, swap)?

[Figure: the page directory reached from CR3, with entries for the kernel mapping and the user mapping each leading through a page table to the physical address space, shown in four states: about to enter kernel mode, in kernel mode (user-mapping entry NULL), about to enter user mode, in user mode]
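The two points made on slides 5 and 11 (the kernel page table is shared by every process and the kernel can walk the user mapping; MXEN saves the user mapping to a secure buffer on kernel entry and restores it on return) can be modelled without real hardware. The following is an added illustration written for this transcript, not code from the presentation or from MXEN: CR3, the page directory, page tables and physical frames are reduced to Python dictionaries, and every address, frame number and data value is constructed.

```python
"""Toy model of the page-table picture on slides 5 and 11 (added example)."""

KERNEL_PDE = "kernel"   # directory entry covering the upper (kernel) part
USER_PDE = "user"       # directory entry covering the lower (user) part
KERNEL_BASE_VPN = 0xC0000   # constructed split between user and kernel pages

class Machine:
    def __init__(self):
        self.phys = {}                       # physical frame -> bytes (constructed)
        # One kernel page table object shared by every process (slide 5, point 1).
        self.kernel_pt = {KERNEL_BASE_VPN: 0x100}
        self.phys[0x100] = b"kernel data"
        self.page_dirs = {}                  # pid -> page directory
        self.cr3 = None                      # pid whose directory is active
        self.secure_buffer = {}              # MXEN's save area outside the guest (slide 11)
        self.mode = "user"

    def create_process(self, pid, secret):
        frame = 0x200 + pid
        self.phys[frame] = secret
        user_pt = {0x00400: frame}           # one private user page
        self.page_dirs[pid] = {KERNEL_PDE: self.kernel_pt, USER_PDE: user_pt}

    def switch_to(self, pid):
        self.cr3 = pid

    def translate(self, vpn):
        """Walk CR3 -> directory -> page table; a missing entry is a page fault."""
        pde = KERNEL_PDE if vpn >= KERNEL_BASE_VPN else USER_PDE
        pt = self.page_dirs[self.cr3][pde]
        if pt is None or vpn not in pt:
            raise MemoryError(f"page fault at vpn {vpn:#x}")
        return pt[vpn]

    def read(self, vpn):
        return self.phys[self.translate(vpn)]

    def enter_kernel(self, mxen):
        """Step 1 of slide 11: with MXEN, save and erase the user mapping."""
        self.mode = "kernel"
        if mxen:
            pd = self.page_dirs[self.cr3]
            self.secure_buffer[self.cr3] = pd[USER_PDE]
            pd[USER_PDE] = None              # the kernel now has no user mapping

    def return_to_user(self, mxen):
        """Step 2 of slide 11: restore the user mapping before user mode."""
        if mxen:
            self.page_dirs[self.cr3][USER_PDE] = self.secure_buffer.pop(self.cr3)
        self.mode = "user"

def kernel_table_is_shared():
    """Slide 5, point 1: two processes reference the same kernel page table."""
    m = Machine()
    m.create_process(1, b"a")
    m.create_process(2, b"b")
    return m.page_dirs[1][KERNEL_PDE] is m.page_dirs[2][KERNEL_PDE]

def kernel_reads_user_page(mxen):
    """Returns (what the kernel could read from the user page, whether the
    kernel mapping still worked, whether the process saw its page again)."""
    m = Machine()
    m.create_process(1, b"tenant-1 secret")
    m.switch_to(1)
    assert m.read(0x00400) == b"tenant-1 secret"   # the process reads its own page
    m.enter_kernel(mxen)
    try:
        leaked = m.read(0x00400)                     # slide 5, point 2
    except MemoryError:
        leaked = None
    kernel_ok = m.read(KERNEL_BASE_VPN) == b"kernel data"
    m.return_to_user(mxen)
    restored = m.read(0x00400) == b"tenant-1 secret"
    return leaked, kernel_ok, restored
```

Without MXEN the kernel-mode read of the user page succeeds, which is exactly the “room service” access slide 5 describes; with MXEN it faults while the kernel mapping keeps working, and the process finds its mapping intact once it is back in user mode. The model deliberately does not answer the question slide 11 asks about system calls that must move data between the two spaces.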

Page 12

Trapping kernel / user interactions

[Figure: a Trusted Process issues a TSC, which passes through the MXEN interposition, TSC and isolation modules (seal on the way in, unseal on the way out) to the Linux Kernel Interrupt Handler; in the virtual address space, data at addr 1 and addr 2 in the user space of the process is sealed before reaching kernel space]

1. The interposition module intercepts a TSC from a trusted process.

2. Forward the TSC to the TSC layer. If there are no data exchanges, go to the next step directly. If the TSC is write-related, data sealing is needed.

3. The isolation module conceals the CPU context and the user-level page table mappings.

4. Transfer execution to the Linux kernel. The interrupt handler in Linux then serves the TSC request.

5. Return from the Linux kernel and invoke XEN.

6. If the TSC is read-related, data unsealing is needed before entering user mode.

7. The isolation module restores the concealed CPU context and page table.

8. Resume execution of the trusted process in user mode.

Page 13

Performance considerations

For a “tasty biscuit” (a trusted process)
– MXEN replaces the system call entry in the Interrupt Descriptor Table (IDT)
– Binary rewriting of the trusted process code to use a different interrupt line (0x81), so MXEN will trap it

For “staple food” (a normal process)
– As usual, the kernel directly traps sys-calls (0x80) from a normal process
– These traps are indiscernible to MXEN

[Figure: a Trusted Process issues Int 0x81, a trusted syscall that goes to MXEN (Daoli) and on to the Linux Kernel Interrupt Handler, returning through hypervisor_iret; an Untrusted Process issues Int 0x80, a normal syscall served directly by the Linux Kernel Interrupt Handler and returned by iret]

MXEN only wants “tasty biscuit”
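Slides 12 and 13 together describe one data path: a trusted process reaches the kernel through a different interrupt line, MXEN traps that line, seals the buffer of a write-related TSC (the slides’ name for a system call issued by a trusted process) before the kernel handles it, and unseals the result of a read-related TSC before returning to user mode, while an untrusted process’s int 0x80 is served by the kernel as usual. The model below is an added example written for this transcript, not MXEN or Daoli code. The file system is a dictionary, the “binary rewriting” is a raw byte substitution on a constructed stub, and sealing uses a toy keystream derived with HMAC-SHA256 from a constructed per-process key; the CPU-context concealment of step 3 on slide 12 is left as a comment.

```python
"""Toy model of the trap-and-seal path of slides 12 and 13 (added example)."""
import hashlib
import hmac

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream. Applying
    it twice with the same key and nonce gives the plaintext back. Reusing a
    nonce leaks the XOR of two plaintexts, so a real system would use an
    authenticated cipher with fresh nonces."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

class Kernel:
    """Commodity kernel: serves write/read on an in-memory file and records
    every buffer exactly as it saw it."""
    def __init__(self):
        self.files = {}
        self.observed = []

    def handle(self, call, fd, buf=None):
        if call == "write":
            self.files[fd] = buf
            self.observed.append(buf)
            return len(buf)
        if call == "read":
            data = self.files.get(fd, b"")
            self.observed.append(data)
            return data
        raise ValueError(call)

class Mxen:
    """Interposition layer reached through int 0x81."""
    def __init__(self, kernel):
        self.kernel = kernel
        self.keys = {}          # per trusted process key, held outside the guest
        self.traps = 0

    def register(self, pid, key):
        self.keys[pid] = key

    def trap_0x81(self, pid, call, fd, buf=None):
        self.traps += 1
        key = self.keys[pid]
        nonce = f"{pid}:{fd}".encode()                  # constructed, deterministic
        if call == "write":
            buf = keystream_xor(key, nonce, buf)         # step 2: seal before the kernel sees it
        # step 3 would conceal the CPU context and user page table here
        result = self.kernel.handle(call, fd, buf)       # step 4: kernel serves the request
        if call == "read":
            result = keystream_xor(key, nonce, result)   # step 6: unseal before user mode
        return result                                    # step 8: back to the trusted process

def rewrite_syscall_gate(code: bytes) -> bytes:
    """Slide 13's binary rewriting at the byte level: `int 0x80` (cd 80)
    becomes `int 0x81` (cd 81). A real rewriter disassembles first so the
    pattern is replaced only inside instructions; this raw substitution is
    for illustration on a constructed stub."""
    return code.replace(b"\xcd\x80", b"\xcd\x81")

def syscall(pid, code, mxen, call, fd, buf=None):
    """Dispatch by the interrupt line the process's code uses: 0x81 traps to
    MXEN, 0x80 goes straight to the kernel and is invisible to MXEN."""
    if b"\xcd\x81" in code:
        return mxen.trap_0x81(pid, call, fd, buf)
    return mxen.kernel.handle(call, fd, buf)

def demo():
    kernel = Kernel()
    mxen = Mxen(kernel)
    stub = b"\xb8\x04\x00\x00\x00\xcd\x80"       # constructed: mov eax,4 ; int 0x80
    trusted_code = rewrite_syscall_gate(stub)
    untrusted_code = stub
    mxen.register(1, b"k1-constructed")
    secret = b"tenant record"
    syscall(1, trusted_code, mxen, "write", 3, secret)
    back = syscall(1, trusted_code, mxen, "read", 3)
    syscall(2, untrusted_code, mxen, "write", 4, b"plain data")
    return {
        "trusted_roundtrip": back == secret,
        "kernel_saw_plaintext": secret in kernel.observed,
        "untrusted_plain": kernel.files[4] == b"plain data",
        "mxen_traps": mxen.traps,
    }
```

The trusted process gets its own data back unchanged, yet the kernel never handled its plaintext, only the sealed bytes; the untrusted process’s write goes to the kernel in the clear without MXEN being involved, which is the “staple food” path of slide 13.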

Page 14

Whole system view

[Figure: Alice holds her code file as ENCk1(code) with its key bound as BIND(k1). Bob (Host) has a TPM with PCRs, SRK and AIK, persistent storage and memory, and an MVMM running Alice’s trusted process; deploying means submitting the encrypted code file, authorised by delegated attestation (measurement & delegation, AIK’). Migrating to Charlie (Host), who also has a TPM with PCRs, SRK and AIK and an MVMM, carries BIND(k1) and ENCk1(code). Rolling out stores SEAL(k1||PCRs) and ENCk1(code) in persistent storage; rolling in restores them]

Key Management Protocols (4 parts):

• Establishing software TCB

• Deployment of guest applications

• Rolling-out and -in of guest applications

• Application migration

Page 15

Usecase: “Green Cloud”

Green is hot in China too (“Green GDP”)

Conventionally (historically), utility computing should only be done with reputable service providers (that’s why “multi-tenancy” with a large resource lessor): a long-term contractual relation between lessor and lessee

To increase utilization, a reputable host needs to prepare “overflow buffers” for off-loading peak-time service requests
– An “overflow buffer” can be a host that is not so reputable
– It can be in a location with competitive pricing
– Considering peak and trough times in a day and seasonal highs (e.g., Amazon in the Christmas season), such a host may be on the other side of the world
– Ad-hoc relation between a reputable host and an “overflow buffer”

So, behavior conformity from process isolation is necessary for a green cloud

Page 16

Green Cloud Consortium

Fudan University
– Process isolation & secure VM migration; VMM techniques (XEN)

Huazhong University of Science and Technology (HUST)
– Grid & cloud computing; constructing VOs by dynamically making & deploying VMs

Wuhan University
– Trusted Computing: platform measurement & attestation
– VM migration key management protocols

Tsinghua University
– “Green Cloud” use case

Page 17

Advertisement

3rd Asia-Pacific Trusted Infrastructure Technologies Conference

On a cruise ship on the Yangtze River near the Three Gorges Dam, China

October 14-17, 2008

Proceedings to be published by IEEE Computer Society Press

Sponsored by EMC and VMWare, and co-chaired by EMC Research China

http://grid.hust.edu.cn/aptc08/