Programming Question

Use the two files below; they may be helpful for the assignments.


The 1st assignment is a discussion topic of up to 200 words answering this: Choose an Amazon web service and provide a brief description.

The 2nd assignment is a discussion topic of up to 200 words answering this: What are some of the benefits of a cloud-based service for trust management?

The 3rd assignment is: In a 2 to 3 page paper using APA format and adhering to the writing rubric, discuss, from chapter 10, means to cope with the complexity of computer and communication systems other than modularity, layering and hierarchy. Writing Requirements

Chapter 10 – Cloud Resource Virtualization
Contents
◼ Virtualization.
◼ Layering and virtualization.
◼ Virtual machine monitor.
◼ Virtual machine.
◼ Performance and security isolation.
◼ Architectural support for virtualization.
◼ x86 support for virtualization.
◼ Full and paravirtualization.
◼ Xen 1.0 and Xen 2.0.
◼ Performance comparison of virtual machine monitors.
◼ The darker side of virtualization.
◼ Software fault isolation.

Dan Marinescu
Cloud Computing Second Edition – Chapter 10
2
Motivation

There are many physical realizations of the fundamental abstractions necessary to describe the operation of a computing system:
◼ Interpreters.
◼ Memory.
◼ Communication links.
Virtualization is a basic tenet of cloud computing; it simplifies the management of physical resources for the three abstractions.
The state of a virtual machine (VM) running under a virtual machine monitor (VMM) can be saved and migrated to another server to balance the load.
Virtualization allows users to operate in environments they are familiar with, rather than forcing them into idiosyncratic ones.
Motivation (cont’d)

Cloud resource virtualization is important for:
◼ System security, as it allows isolation of services running on the same hardware.
◼ Performance and reliability, as it allows applications to migrate from one platform to another.
◼ The development and management of services offered by a provider.
◼ Performance isolation.
Virtualization

Simulates the interface to a physical object by:
◼ Multiplexing: creates multiple virtual objects from one instance of a physical object. Example – a processor is multiplexed among a number of processes or threads.
◼ Aggregation: creates one virtual object from multiple physical objects. Example – a number of physical disks are aggregated into a RAID disk.
◼ Emulation: constructs a virtual object from a different type of physical object. Example – a physical disk emulates a Random Access Memory (RAM).
◼ Multiplexing and emulation. Examples – virtual memory with paging multiplexes real memory and disk; a virtual address emulates a real address.
Layering

Layering – a common approach to manage system complexity.
◼ Minimizes the interactions among the subsystems of a complex system.
◼ Simplifies the description of the subsystems; each subsystem is abstracted through its interfaces with the other subsystems.
◼ We are able to design, implement, and modify the individual subsystems independently.

Layering in a computer system.
◼ Hardware.
◼ Software.
  ◼ Operating system.
  ◼ Libraries.
  ◼ Applications.
Interfaces

Instruction Set Architecture (ISA) – at the boundary between hardware and software.

Application Binary Interface (ABI) – allows the ensemble consisting of the application and the library modules to access the hardware; the ABI does not include privileged system instructions, instead it invokes system calls.

Application Program Interface (API) – defines the set of instructions the hardware was designed to execute and gives the application access to the ISA; it includes HLL library calls which often invoke system calls.
[Figure: Application Programming Interface, Application Binary Interface, and Instruction Set Architecture. Applications sit above the API and the libraries; the libraries sit above the ABI and the system calls; the operating system sits above the ISA (system ISA and user ISA) and the hardware. An application uses library functions (A1), makes system calls (A2), and executes machine instructions (A3).]
Code portability

Binaries created by a compiler for a specific ISA and a specific operating system are not portable.

It is possible, though, to compile a HLL program for a virtual machine (VM) environment where portable code is produced and distributed and then converted by binary translators to the ISA of the host system.
Dynamic binary translation converts blocks of guest instructions from the portable code to host instructions and leads to a significant performance improvement, as such blocks are cached and reused.
[Figure: code portability. A compiler front-end turns HLL code into intermediate code. A compiler back-end produces either object code, which a loader turns into a memory image for one ISA, or portable code, which a VM loader turns into a VM image; a VM compiler/interpreter then converts the VM image into a memory image for ISA-1 or for ISA-2.]
Virtual machine monitor (VMM / hypervisor)

Partitions the resources of a computer system into one or more virtual machines (VMs). Allows several operating systems to run concurrently on a single hardware platform.

A VMM allows:
◼ Multiple services to share the same platform.
◼ Live migration – the movement of a server from one platform to another.
◼ System modification while maintaining backward compatibility with the original system.
◼ Enforcement of isolation among the systems, and thus security.
VMM virtualizes the CPU and the memory

A VMM:
◼ Traps the privileged instructions executed by a guest OS and enforces the correctness and safety of the operation.
◼ Traps interrupts and dispatches them to the individual guest operating systems.
◼ Controls the virtual memory management.
◼ Maintains a shadow page table for each guest OS and replicates any modification made by the guest OS in its own shadow page table. This shadow page table points to the actual page frame and is used by the Memory Management Unit (MMU) for dynamic address translation.
◼ Monitors the system performance and takes corrective actions to avoid performance degradation. For example, the VMM may swap out a virtual machine to avoid thrashing.
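A worked model of the shadow page table described above, added here as an illustration and not taken from the slides or the book: the guest OS writes its own page table, the VMM sees each update, validates it (the guest may only map frames the VMM assigned to it) and mirrors it into the shadow table that the MMU actually walks. All structures, function names and frame numbers are constructed for the example; page numbers stand in for addresses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of shadow paging. Everything is in page numbers:
 * the guest sees GUEST_FRAMES "physical" frames numbered 0..GUEST_FRAMES-1,
 * the host has HOST_FRAMES machine frames, and the VMM decides which
 * machine frames back the guest's frames. */
#define GUEST_PAGES  8      /* virtual pages in the guest page table */
#define GUEST_FRAMES 4      /* guest-physical frames the guest believes it owns */
#define HOST_FRAMES  16     /* machine frames on the host */
#define INVALID      0xFFu

typedef struct {
    uint8_t pte[GUEST_PAGES];      /* guest page table: virtual page -> guest frame */
} guest_pt_t;

typedef struct {
    uint8_t p2m[GUEST_FRAMES];     /* guest frame -> machine frame, owned by the VMM */
    uint8_t shadow[GUEST_PAGES];   /* shadow page table: virtual page -> machine frame */
    bool    owned[HOST_FRAMES];    /* machine frames assigned to this guest */
} vmm_t;

void guest_pt_init(guest_pt_t *g) { memset(g->pte, INVALID, sizeof g->pte); }

/* The VMM creates the guest: hands it GUEST_FRAMES machine frames (not
 * necessarily contiguous) and starts with an empty shadow table. */
void vmm_init(vmm_t *vmm, const uint8_t frames_for_guest[GUEST_FRAMES]) {
    memset(vmm, 0, sizeof *vmm);
    memset(vmm->shadow, INVALID, sizeof vmm->shadow);
    for (int g = 0; g < GUEST_FRAMES; g++) {
        if (frames_for_guest[g] >= HOST_FRAMES) continue;   /* constructed guard */
        vmm->p2m[g] = frames_for_guest[g];
        vmm->owned[frames_for_guest[g]] = true;
    }
}

/* The guest OS updates one of its own page-table entries. The VMM sees the
 * write (it write-protects the guest page table and traps the store, or the
 * guest issues a hypercall), validates it, and mirrors it into the shadow
 * table. Returns 0 on success, -1 if rejected; a rejected update changes
 * neither table. */
int vmm_on_guest_pte_write(vmm_t *vmm, guest_pt_t *gpt, unsigned vpage, uint8_t gframe) {
    if (vpage >= GUEST_PAGES) return -1;
    if (gframe >= GUEST_FRAMES) return -1;                    /* outside the guest's allocation */
    uint8_t mframe = vmm->p2m[gframe];
    if (mframe >= HOST_FRAMES || !vmm->owned[mframe]) return -1;  /* never map a foreign frame */
    gpt->pte[vpage]    = gframe;                              /* the guest's view */
    vmm->shadow[vpage] = mframe;                              /* what the MMU actually walks */
    return 0;
}

/* Address translation as the MMU performs it: only the shadow table is
 * consulted; the guest's own table is never used by the hardware. */
uint8_t mmu_translate(const vmm_t *vmm, unsigned vpage) {
    return vpage < GUEST_PAGES ? vmm->shadow[vpage] : INVALID;
}

int main(void) {
    const uint8_t frames[GUEST_FRAMES] = { 3, 9, 12, 5 };   /* constructed allocation */
    vmm_t vmm; guest_pt_t gpt;
    vmm_init(&vmm, frames);
    guest_pt_init(&gpt);
    vmm_on_guest_pte_write(&vmm, &gpt, 0, 1);   /* guest maps vpage 0 -> its frame 1 */
    printf("vpage 0: guest frame %u, machine frame %u\n", gpt.pte[0], mmu_translate(&vmm, 0));
    int rc = vmm_on_guest_pte_write(&vmm, &gpt, 1, 7);   /* frame 7 is not the guest's */
    printf("vpage 1 -> frame 7: rc=%d, machine frame %u\n", rc, mmu_translate(&vmm, 1));
    return 0;
}
```

The guest's frame 1 is really machine frame 9, and the guest never learns that; an attempt to map a frame outside its allocation is refused before anything reaches the shadow table, which is the isolation property the VMM is enforcing.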
Virtual machines (VMs)

VM – an isolated environment that appears to be a whole computer, but actually only has access to a portion of the computer resources.
Process VM – a virtual platform created for an individual process and destroyed once the process terminates.
System VM – supports an operating system together with many user processes.
Traditional VM – supports multiple virtual machines and runs directly on the hardware.
Hybrid VM – shares the hardware with a host operating system and supports multiple virtual machines.
Hosted VM – runs under a host operating system.
[Figure: Traditional, hybrid, and hosted VMs. (a) Taxonomy of process VMs (multiprogram, dynamic translators, binary optimizers, HLL VMs) and system VMs (traditional VM, whole-system VM, hybrid VM, codesigned VM, hosted VM), each split by same ISA or different ISA. (b) Traditional VM: applications over guest OS-1 … guest OS-n in VM-1 … VM-n over a virtual machine monitor on the hardware. (c) Hybrid VM: a VMM and a host OS side by side on the hardware. (d) Hosted VM: applications over a guest OS over a virtual machine monitor over the host OS on the hardware.]
Performance and security isolation

The run-time behavior of an application is affected by other applications running concurrently on the same platform and competing for CPU cycles, cache, main memory, disk and network access. Thus, it is difficult to predict the completion time!

Performance isolation – a critical condition for QoS guarantees in shared computing environments.

A VMM is a much simpler and better specified system than a traditional operating system. Example – Xen has approximately 60,000 lines of code; Denali has only about half, 30,000.

The security vulnerability of VMMs is considerably reduced as these systems expose a much smaller number of privileged functions.
Computer architecture and virtualization

Conditions for efficient virtualization:
◼ A program running under the VMM should exhibit a behavior essentially identical to that demonstrated when running on an equivalent machine directly.
◼ The VMM should be in complete control of the virtualized resources.
◼ A statistically significant fraction of machine instructions must be executed without the intervention of the VMM.

Two classes of machine instructions:
◼ Sensitive – require special precautions at execution time:
  ◼ Control sensitive – instructions that attempt to change either the memory allocation or the privileged mode.
  ◼ Mode sensitive – instructions whose behavior is different in the privileged mode.
◼ Innocuous – not sensitive.

Full virtualization and paravirtualization

Full virtualization – a guest OS can run unchanged under the VMM as if it was running directly on the hardware platform.
◼ Requires a virtualizable architecture.
◼ Example: VMware.

Paravirtualization – a guest operating system is modified to use only instructions that can be virtualized. Reasons for paravirtualization:
◼ Some aspects of the hardware cannot be virtualized.
◼ Improved performance.
◼ Present a simpler interface.
Examples: Xen, Denali.
[Figure: Full virtualization and paravirtualization. (a) Full virtualization and (b) paravirtualization; each panel stacks a guest OS, a hardware abstraction layer, the hypervisor and the hardware.]
Virtualization of x86 architecture

Ring de-privileging – a VMM forces the operating system and the applications to run at a privilege level greater than 0.
Ring aliasing – a guest OS is forced to run at a privilege level other than the one it was originally designed for.
Address space compression – a VMM uses parts of the guest address space to store several system data structures.
Non-faulting access to privileged state – several store instructions can only be executed at privilege level 0 because they operate on data structures that control the CPU operation. They fail silently when executed at a privilege level other than 0.
Guest system calls which cause transitions to/from privilege level 0 must be emulated by the VMM.
Interrupt virtualization – in response to a physical interrupt, the VMM generates a “virtual interrupt” and delivers it later to the target guest OS, which can mask interrupts.
Virtualization of x86 architecture (cont’d)

Access to hidden state – elements of the system state, e.g., descriptor caches for segment registers, are hidden; there is no mechanism for saving and restoring the hidden components when there is a context switch from one VM to another.
Ring compression – paging and segmentation protect VMM code from being overwritten by the guest OS and applications. Systems running in 64-bit mode can only use paging, but paging does not distinguish between privilege levels 0, 1, and 2, thus the guest OS must run at privilege level 3, the so-called (0/3/3) mode. Privilege levels 1 and 2 cannot be used, hence the name ring compression.
The task-priority register is frequently used by a guest OS; the VMM must protect the access to this register and trap all attempts to access it. This can cause a significant performance degradation.
VT-x, a major architectural enhancement

Supports two modes of operation:
◼ VMX root – for VMM operations.
◼ VMX non-root – supports a VM.

The Virtual Machine Control Structure (VMCS) includes host-state and guest-state areas.
◼ VM entry – the processor state is loaded from the guest-state area of the VM scheduled to run; then control is transferred from the VMM to the VM.
◼ VM exit – saves the processor state in the guest-state area of the running VM; then it loads the processor state from the host-state area and finally transfers control to the VMM.
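An added example, not from the slides or the book, that ties together the instruction classes (innocuous, mode sensitive), the x86 difficulties (ring de-privileging, non-faulting access to privileged state, the 0/3/3 mode) and the VT-x VMCS: a four-instruction toy CPU is run once under a classic trap-and-emulate VMM with the guest de-privileged to ring 3, and once in VMX non-root mode with a VMCS and a configured VM exit. All types, instruction names and their semantics are a constructed model, not real x86 encodings or the real VMCS layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy CPU: one register, the interrupt-enable flag IF (privileged
 * state) and the current privilege ring. Four instructions stand in for the
 * instruction classes on the slides. */
typedef enum { INSN_ADD, INSN_CLI, INSN_POPF, INSN_HLT } opcode_t;
typedef struct { opcode_t op; uint32_t imm; } insn_t;
typedef struct { uint32_t acc; bool IF; int ring; } cpu_state_t;
typedef enum { EXEC_OK, EXEC_FAULT, EXEC_SILENT_DROP, EXEC_HALT } exec_result_t;

/* Bare-metal semantics of one instruction in this model. */
exec_result_t exec_native(cpu_state_t *c, insn_t i) {
    switch (i.op) {
    case INSN_ADD:                                   /* innocuous: same at every ring */
        c->acc += i.imm;
        return EXEC_OK;
    case INSN_CLI:                                   /* mode sensitive: faults outside ring 0 */
        if (c->ring != 0) return EXEC_FAULT;
        c->IF = false;
        return EXEC_OK;
    case INSN_POPF:                                  /* non-faulting access to privileged state: */
        if (c->ring != 0) return EXEC_SILENT_DROP;   /* the IF bit is ignored, no fault raised */
        c->IF = (i.imm & 1u) != 0;
        return EXEC_OK;
    case INSN_HLT:
        if (c->ring != 0) return EXEC_FAULT;
        return EXEC_HALT;
    }
    return EXEC_FAULT;
}

/* Classic software VMM: the guest OS is de-privileged to ring 3 (0/3/3 mode)
 * and the VMM emulates whatever faults. */
typedef struct { cpu_state_t vcpu; int traps; } sw_vmm_t;

void sw_vmm_run(sw_vmm_t *vmm, const insn_t *prog, int n) {
    vmm->vcpu.ring = 3;                                   /* ring de-privileging */
    for (int k = 0; k < n; k++) {
        exec_result_t r = exec_native(&vmm->vcpu, prog[k]);
        if (r == EXEC_FAULT) {                            /* trap-and-emulate */
            vmm->traps++;
            if (prog[k].op == INSN_CLI) vmm->vcpu.IF = false;
            else if (prog[k].op == INSN_HLT) return;
        }
        /* EXEC_SILENT_DROP: no fault, so the VMM never learns that the guest
         * tried to change IF; the virtual IF now disagrees with the guest. */
    }
}

/* VT-x: a VMCS with guest-state and host-state areas. The guest runs in VMX
 * non-root mode at its native ring 0, so CLI and POPF behave as designed; the
 * VMM regains control through VM exits on configured events (here: HLT). */
typedef struct { cpu_state_t guest_state, host_state; bool hlt_exiting; } vmcs_t;
typedef struct { cpu_state_t cpu; bool vmx_nonroot; int exits; } vtx_cpu_t;

void vm_entry(vtx_cpu_t *h, vmcs_t *v) {          /* load guest state, enter non-root mode */
    h->cpu = v->guest_state;
    h->vmx_nonroot = true;
}
void vm_exit(vtx_cpu_t *h, vmcs_t *v) {           /* save guest state, load host state */
    v->guest_state = h->cpu;
    h->cpu = v->host_state;
    h->vmx_nonroot = false;
    h->exits++;
}

/* Runs the guest until a VM exit or the end of the program; returns the index
 * of the instruction that caused the exit, or n. */
int vtx_run(vtx_cpu_t *h, vmcs_t *v, const insn_t *prog, int n) {
    v->host_state = h->cpu;                           /* VMM records host state before entry */
    vm_entry(h, v);
    for (int k = 0; k < n; k++) {
        if (prog[k].op == INSN_HLT && v->hlt_exiting) { vm_exit(h, v); return k; }
        exec_native(&h->cpu, prog[k]);                /* executes natively in non-root mode */
    }
    vm_exit(h, v);
    return n;
}

int main(void) {
    const insn_t prog[4] = { {INSN_CLI, 0}, {INSN_POPF, 1}, {INSN_ADD, 5}, {INSN_HLT, 0} };
    sw_vmm_t sw = { { 0, true, 0 }, 0 };
    sw_vmm_run(&sw, prog, 4);
    printf("software VMM: traps=%d IF=%d acc=%u (guest asked for IF=1 via POPF)\n",
           sw.traps, sw.vcpu.IF, sw.vcpu.acc);
    vtx_cpu_t h = { { 0, true, 0 }, false, 0 };
    vmcs_t v = { { 0, true, 0 }, { 0, false, 0 }, true };
    int stop = vtx_run(&h, &v, prog, 4);
    printf("VT-x: exit at insn %d, exits=%d guest IF=%d acc=%u\n",
           stop, h.exits, v.guest_state.IF, v.guest_state.acc);
    return 0;
}
```

Under the software VMM the CLI trap is emulated correctly, but the POPF never faults, so the guest's request to re-enable interrupts is lost and the vCPU's IF silently diverges from what the guest believes; under VT-x the same program runs at ring 0 and leaves IF set, and the VMM still gets control at the configured HLT exit with the guest state saved in the VMCS.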
[Figure: VT-x. (a) The VMX root and VMX non-root modes, with the VM entry and VM exit transitions between them. (b) The virtual-machine control structure with its host-state and guest-state areas.]
VT-d, a new virtualization architecture

I/O MMU virtualization gives VMs direct access to peripheral devices.
VT-d supports:
◼ DMA address remapping – address translation for device DMA transfers.
◼ Interrupt remapping – isolation of device interrupts and VM routing.
◼ I/O device assignment – devices can be assigned by an administrator to a VM in any configuration.
◼ Reliability features – it reports and records DMA and interrupt errors that may otherwise corrupt memory and impact VM isolation.
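An added example of VT-d's DMA address remapping, I/O device assignment and error recording, not taken from the slides or the book: each device is assigned to one VM, each VM has its own DMA remapping table, and a device DMA that does not translate is blocked and logged instead of reaching memory. The iommu_t structure, its functions and the device, domain and frame numbers are constructed; interrupt remapping is not modelled, and one byte per machine frame stands in for memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy IOMMU: each device is assigned to one VM (domain); each
 * domain has its own DMA remapping table from device-visible DMA pages to
 * machine frames. Everything is in page numbers, not byte addresses. */
#define MAX_DEVICES  4
#define MAX_DOMAINS  4
#define DOMAIN_PAGES 8       /* DMA pages per domain */
#define HOST_FRAMES  32
#define NO_FRAME     0xFFu
#define MAX_FAULTS   8

typedef struct { int dev; uint32_t dma_page; } dma_fault_t;

typedef struct {
    int         owner[MAX_DEVICES];                  /* device -> domain, -1 if unassigned */
    uint8_t     map[MAX_DOMAINS][DOMAIN_PAGES];      /* DMA remapping tables */
    dma_fault_t faults[MAX_FAULTS];                  /* recorded, not silently dropped */
    int         nfaults;
} iommu_t;

void iommu_init(iommu_t *u) {
    memset(u, 0, sizeof *u);
    for (int d = 0; d < MAX_DEVICES; d++) u->owner[d] = -1;
    memset(u->map, NO_FRAME, sizeof u->map);         /* nothing mapped by default */
}

/* I/O device assignment: the administrator gives a device to one VM. */
int iommu_assign_device(iommu_t *u, int dev, int domain) {
    if (dev < 0 || dev >= MAX_DEVICES || domain < 0 || domain >= MAX_DOMAINS) return -1;
    u->owner[dev] = domain;
    return 0;
}

/* The VMM maps one DMA page of a domain to a machine frame it gave that domain. */
int iommu_map(iommu_t *u, int domain, uint32_t dma_page, uint8_t frame) {
    if (domain < 0 || domain >= MAX_DOMAINS || dma_page >= DOMAIN_PAGES || frame >= HOST_FRAMES)
        return -1;
    u->map[domain][dma_page] = frame;
    return 0;
}

/* DMA address remapping: translate a device's DMA page through its owner's
 * table; on any failure record a fault and return NO_FRAME so the transfer
 * never reaches memory. */
uint8_t iommu_translate(iommu_t *u, int dev, uint32_t dma_page) {
    uint8_t frame = NO_FRAME;
    if (dev >= 0 && dev < MAX_DEVICES && u->owner[dev] >= 0 && dma_page < DOMAIN_PAGES)
        frame = u->map[u->owner[dev]][dma_page];
    if (frame == NO_FRAME && u->nfaults < MAX_FAULTS)
        u->faults[u->nfaults++] = (dma_fault_t){ dev, dma_page };
    return frame;
}

/* A device DMA write through the IOMMU; memory is one byte per frame here. */
int device_dma_write(iommu_t *u, uint8_t memory[HOST_FRAMES], int dev, uint32_t dma_page, uint8_t value) {
    uint8_t frame = iommu_translate(u, dev, dma_page);
    if (frame == NO_FRAME) return -1;                /* blocked: no memory corruption */
    memory[frame] = value;
    return 0;
}

int main(void) {
    iommu_t u; uint8_t mem[HOST_FRAMES];
    memset(mem, 0, sizeof mem);
    iommu_init(&u);
    iommu_assign_device(&u, 0, 1);  iommu_map(&u, 1, 0, 20);   /* NIC 0 belongs to VM 1 */
    iommu_assign_device(&u, 1, 2);  iommu_map(&u, 2, 0, 21);   /* NIC 1 belongs to VM 2 */
    printf("dev0 page0: %d\n", device_dma_write(&u, mem, 0, 0, 0xAA));   /* allowed */
    printf("dev0 page1: %d\n", device_dma_write(&u, mem, 0, 1, 0xBB));   /* unmapped */
    printf("dev2 page0: %d\n", device_dma_write(&u, mem, 2, 0, 0xCC));   /* unassigned */
    for (int i = 0; i < u.nfaults; i++)
        printf("fault: device %d, dma page %u\n", u.faults[i].dev, u.faults[i].dma_page);
    return 0;
}
```

Device 0 can only reach the frame its owner VM was given; a DMA to an unmapped page or from an unassigned device is refused and shows up in the fault log, which is what the "reliability features" bullet refers to.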
Xen – a VMM based on paravirtualization

The goal of the Cambridge group – design a VMM capable of scaling to about 100 VMs running standard applications and services without any modifications to the Application Binary Interface (ABI).
Linux, Minix, NetBSD, FreeBSD, NetWare, and OZONE can operate as paravirtualized Xen guest OSs running on x86, x86-64, Itanium, and ARM architectures.
Xen domain – an ensemble of address spaces hosting a guest OS and applications running under the guest OS. Runs on a virtual CPU.
◼ Dom0 – dedicated to execution of Xen control functions and privileged instructions.
◼ DomU – a user domain.

Applications make system calls using hypercalls processed by Xen; privileged instructions issued by a guest OS are paravirtualized and must be validated by Xen.
[Figure: Xen architecture. A management OS with Xen-aware device drivers and several guest OSs, each with Xen-aware device drivers and its applications, run over Xen; Xen exposes a Domain0 control interface, a virtual x86 CPU, virtual physical memory, a virtual network and virtual block devices, on x86 hardware.]
Xen implementation on x86 architecture

Xen runs at privilege level 0, the guest OS at level 1, and applications at level 3.
The x86 architecture does not support either the tagging of TLB entries or the software management of the TLB. Thus, address space switching, when the VMM activates a different OS, requires a complete TLB flush; this has a negative impact on the performance.
Solution – load Xen in a 64 MB segment at the top of each address space and delegate the management of hardware page tables to the guest OS with minimal intervention from Xen. This region is not accessible or re-mappable by the guest OS.
Xen schedules individual domains using the Borrowed Virtual Time (BVT) scheduling algorithm.
A guest OS must register with Xen a description table with the addresses of exception handlers for validation.
Dom0 components

XenStore – a Dom0 process.
◼ Supports a system-wide registry and naming service.
◼ Implemented as a hierarchical key-value storage.
◼ A watch function informs listeners of changes to the keys in storage they have subscribed to.
◼ Communicates with guest VMs via shared memory using Dom0 privileges.

Toolstack – responsible for creating, destroying, and managing the resources and privileges of VMs.
◼ To create a new VM, a user provides a configuration file describing memory and CPU allocations and device configurations.
◼ Toolstack parses this file and writes this information in XenStore.
◼ Takes advantage of Dom0 privileges to map guest memory, to load a kernel and virtual BIOS, and to set up initial communication channels with XenStore and with the virtual console when a new VM is created.
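An added toy model of the XenStore and toolstack behaviour described above; this is an illustration, not Xen's xenstored or its toolstack code. The hierarchical key-value store is modelled as path-to-value nodes, a watch fires for its path and for everything below it in the hierarchy, and a toolstack routine publishes a parsed VM configuration as a subtree. The xenstore_t type, the function names and the key paths are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy XenStore: a flat array of path -> value nodes standing in
 * for the hierarchical store, plus watches that fire on a path and on every
 * path below it. */
#define MAX_NODES   32
#define MAX_WATCHES 8
#define PATH_LEN    64
#define VAL_LEN     32

typedef struct { char path[PATH_LEN]; char value[VAL_LEN]; int used; } xs_node_t;
typedef struct { char path[PATH_LEN]; int domid; int fired; char last[PATH_LEN]; } xs_watch_t;
typedef struct { xs_node_t nodes[MAX_NODES]; xs_watch_t watches[MAX_WATCHES]; int nwatches; } xenstore_t;

void xs_init(xenstore_t *xs) { memset(xs, 0, sizeof *xs); }

/* True if `path` equals the watched path or lies below it; the '/' check
 * keeps "/local/domain/30" from matching a watch on "/local/domain/3". */
static int xs_path_under(const char *path, const char *watched) {
    size_t n = strlen(watched);
    return strncmp(path, watched, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* A listener (a Dom0 daemon or a guest) subscribes to changes under a path. */
int xs_watch(xenstore_t *xs, int domid, const char *path) {
    if (xs->nwatches >= MAX_WATCHES || strlen(path) >= PATH_LEN) return -1;
    xs_watch_t *w = &xs->watches[xs->nwatches++];
    memset(w, 0, sizeof *w);
    strcpy(w->path, path);
    w->domid = domid;
    return 0;
}

/* Create or update a node, then notify every watch whose path covers it. */
int xs_write(xenstore_t *xs, const char *path, const char *value) {
    if (strlen(path) >= PATH_LEN || strlen(value) >= VAL_LEN) return -1;
    xs_node_t *slot = NULL;
    for (int i = 0; i < MAX_NODES && !slot; i++)          /* existing node? */
        if (xs->nodes[i].used && strcmp(xs->nodes[i].path, path) == 0) slot = &xs->nodes[i];
    for (int i = 0; i < MAX_NODES && !slot; i++)          /* else first free slot */
        if (!xs->nodes[i].used) slot = &xs->nodes[i];
    if (!slot) return -1;
    slot->used = 1;
    strcpy(slot->path, path);
    strcpy(slot->value, value);
    for (int i = 0; i < xs->nwatches; i++)
        if (xs_path_under(path, xs->watches[i].path)) {
            xs->watches[i].fired++;
            strcpy(xs->watches[i].last, path);
        }
    return 0;
}

/* Read a node's value into out; -1 if the node does not exist. */
int xs_read(const xenstore_t *xs, const char *path, char *out, size_t outlen) {
    for (int i = 0; i < MAX_NODES; i++)
        if (xs->nodes[i].used && strcmp(xs->nodes[i].path, path) == 0) {
            snprintf(out, outlen, "%s", xs->nodes[i].value);
            return 0;
        }
    return -1;
}

/* Toolstack: the parsed configuration of a new VM is published as a subtree
 * of the store (paths are illustrative, not the exact keys real Xen uses). */
int toolstack_publish(xenstore_t *xs, int domid, unsigned mem_mb, unsigned vcpus) {
    char path[PATH_LEN], val[VAL_LEN];
    snprintf(path, sizeof path, "/local/domain/%d/memory/target", domid);
    snprintf(val, sizeof val, "%u", mem_mb * 1024u);      /* target in KiB */
    if (xs_write(xs, path, val) != 0) return -1;
    snprintf(path, sizeof path, "/local/domain/%d/vcpus", domid);
    snprintf(val, sizeof val, "%u", vcpus);
    return xs_write(xs, path, val);
}

int main(void) {
    xenstore_t xs; char buf[VAL_LEN];
    xs_init(&xs);
    xs_watch(&xs, 0, "/local/domain/3");       /* a Dom0 listener for domain 3 */
    toolstack_publish(&xs, 3, 512, 2);         /* "config file" parsed to 512 MB, 2 vCPUs */
    xs_read(&xs, "/local/domain/3/memory/target", buf, sizeof buf);
    printf("memory/target = %s, watch fired %d times, last key %s\n",
           buf, xs.watches[0].fired, xs.watches[0].last);
    return 0;
}
```

The prefix-plus-separator test in xs_path_under is the detail worth noticing: a watch on one domain's subtree must not fire for another domain whose id merely starts with the same digits.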
[Table: Strategies for virtual memory management, CPU multiplexing, and I/O devices.]
Xen abstractions for networking and I/O

Each domain has one or more Virtual Network Interfaces (VIFs) which support the functionality of a network interface card. A VIF is attached to a Virtual Firewall-Router (VFR).
Split drivers have a front-end in the DomU and the back-end in Dom0; the two communicate via a ring in shared memory.
Ring – a circular queue of descriptors allocated by a domain and accessible within Xen. Descriptors do not contain data; the data buffers are allocated off-band by the guest OS.
Two rings of buffer descriptors, one for packet sending and one for packet receiving, are supported.
To transmit a packet:
◼ a guest OS enqueues a buffer descriptor to the send ring,
◼ then Xen copies the descriptor and checks safety,
◼ copies only the packet header, not the payload, and
◼ executes the matching rules.
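A constructed model of the transmit path just described and of the ring in the figure that follows: a shared ring of descriptors with the two shared producer pointers and the two private consumer pointers, a guest that enqueues descriptors, and a Xen side that copies each descriptor out of shared memory exactly once before validating it, copies only the header from the granted page, applies a filter rule and posts a response. This is an added illustration, not Xen's ring macros or its netback code; the HDR_LEN source-address rule, the page size and the grant numbering are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a Xen-style I/O ring (not the real Xen ring macros). */
#define RING_SIZE  8            /* power of two, so slot = pointer & RING_MASK */
#define RING_MASK  (RING_SIZE - 1)
#define PAGE_SIZE  256          /* shrunk from 4096 for the example */
#define NUM_GRANTS 4            /* pages the guest has granted to Xen */
#define HDR_LEN    4            /* bytes Xen copies out: a toy "source address" */

typedef struct { uint16_t id; uint16_t gref; uint16_t offset; uint16_t len; } req_t;  /* descriptor, no data */
typedef struct { uint16_t id; int16_t status; } rsp_t;

typedef struct {
    uint32_t req_prod;            /* shared pointer, advanced by the guest OS */
    uint32_t rsp_prod;            /* shared pointer, advanced by Xen */
    req_t    req[RING_SIZE];      /* request descriptors */
    rsp_t    rsp[RING_SIZE];      /* response descriptors */
} shared_ring_t;

typedef struct { shared_ring_t *s; uint32_t req_cons; uint8_t dom_addr[HDR_LEN]; } xen_side_t;  /* private consumer */
typedef struct { shared_ring_t *s; uint32_t rsp_cons; } guest_side_t;                           /* private consumer */

/* The guest's granted pages: the buffers live here, off the ring (constructed). */
static uint8_t grant_page[NUM_GRANTS][PAGE_SIZE];

void ring_init(shared_ring_t *s, xen_side_t *x, guest_side_t *g, const uint8_t dom_addr[HDR_LEN]) {
    memset(s, 0, sizeof *s);
    x->s = s; x->req_cons = 0; memcpy(x->dom_addr, dom_addr, HDR_LEN);
    g->s = s; g->rsp_cons = 0;
}

/* Guest: enqueue a descriptor; fails if the ring would overflow. */
int guest_enqueue(guest_side_t *g, req_t d) {
    shared_ring_t *s = g->s;
    if (s->req_prod - g->rsp_cons >= RING_SIZE) return -1;   /* no free slot */
    s->req[s->req_prod & RING_MASK] = d;
    s->req_prod++;            /* real code: write barrier, then notify via event channel */
    return 0;
}

/* Xen: consume all outstanding descriptors, validate, copy only the header,
 * apply the filter rule, post a response. Returns the number processed. */
int xen_process(xen_side_t *x) {
    shared_ring_t *s = x->s;
    int n = 0;
    while (x->req_cons != s->req_prod) {
        req_t d = s->req[x->req_cons & RING_MASK];   /* one copy out of shared memory; never re-read */
        x->req_cons++;
        int16_t status;
        if (d.gref >= NUM_GRANTS || d.len < HDR_LEN || (uint32_t)d.offset + d.len > PAGE_SIZE)
            status = -1;                              /* malformed descriptor: the page is never touched */
        else {
            uint8_t hdr[HDR_LEN];
            memcpy(hdr, &grant_page[d.gref][d.offset], HDR_LEN);       /* header only; payload stays put */
            status = memcmp(hdr, x->dom_addr, HDR_LEN) == 0 ? 0 : -2;  /* rule: source must be the domain's own address */
        }
        s->rsp[s->rsp_prod & RING_MASK] = (rsp_t){ d.id, status };
        s->rsp_prod++;
        n++;
    }
    return n;
}

/* Guest: drain responses into out[]; returns how many were collected. */
int guest_collect(guest_side_t *g, rsp_t *out, int max) {
    int n = 0;
    while (g->rsp_cons != g->s->rsp_prod && n < max) {
        out[n++] = g->s->rsp[g->rsp_cons & RING_MASK];
        g->rsp_cons++;
    }
    return n;
}

int main(void) {
    shared_ring_t ring; xen_side_t xen; guest_side_t guest; rsp_t r[RING_SIZE];
    const uint8_t addr[HDR_LEN] = { 10, 0, 0, 7 }, spoof[HDR_LEN] = { 10, 0, 0, 9 };  /* constructed */
    ring_init(&ring, &xen, &guest, addr);
    memcpy(grant_page[0], addr, HDR_LEN);            /* honest packet in page 0 */
    memcpy(grant_page[2], spoof, HDR_LEN);           /* forged source in page 2 */
    guest_enqueue(&guest, (req_t){ 1, 0, 0, 20 });   /* ok */
    guest_enqueue(&guest, (req_t){ 2, 1, 250, 20 }); /* runs past the end of the page */
    guest_enqueue(&guest, (req_t){ 3, 2, 0, 20 });   /* fails the filter rule */
    xen_process(&xen);
    int n = guest_collect(&guest, r, RING_SIZE);
    for (int i = 0; i < n; i++) printf("id %u -> status %d\n", r[i].id, r[i].status);
    return 0;
}
```

The guest only ever writes req_prod and its own descriptors, and Xen validates the private copy of each descriptor, so a guest that rewrites a slot after Xen has fetched it cannot change what was checked; the filter step is the VFR's matching rule from the slide, reduced to one address comparison.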
[Figure: Xen zero-copy semantics for data transfer using I/O rings. (a) The communication between a guest domain and the driver domain over an I/O channel and an event channel: the frontend in the guest domain, the backend and bridge in the driver domain, the network interface and the NIC, with XEN underneath; NIC is the Network Interface Controller. (b) The circular ring of buffers: a request queue with a producer request pointer (shared, updated by the guest OS) and a consumer request pointer (private to Xen), the outstanding descriptors, a response queue with a producer response pointer (shared, updated by Xen) and a consumer response pointer (private, maintained by the guest OS), and the unused descriptors.]
Xen 2.0

Optimization of:
◼ Virtual interface – takes advantage of the capabilities of some physical NICs, such as checksum offload.
◼ I/O channel – rather than copying a data buffer holding a packet, each packet is allocated in a new page and then the physical page containing the packet is re-mapped into the target domain.
◼ Virtual memory – takes advantage of the superpage and global page mapping hardware on Pentium and Pentium Pro processors. A superpage entry covers 1,024 pages of physical memory and the address translation mechanism maps a set of contiguous pages to a set of contiguous physical pages. This helps reduce the number of TLB misses.
[Figure: Xen network architecture. (a) The original architecture: the guest domain's virtual interface communicates over an I/O channel with the backend interface in the driver domain, whose bridge and NIC driver reach the physical NIC; the Xen VMM lies underneath. (b) The optimized architecture: the same driver domain path plus a high-level virtual interface in the guest domain and an offload driver in the driver domain.]
[Figure: A comparison of send and receive data rates for a native Linux system, the Xen driver domain, an original Xen guest domain, and an optimized Xen guest domain.]
Performance comparison of virtual machines

Compare the performance of Xen and OpenVZ with a standard operating system, a plain vanilla Linux.
The questions examined are:
◼ How does the performance scale up with the load?
◼ What is the impact of a mix of applications?
◼ What are the implications of the load assignment on individual servers?

The main conclusions:
◼ The virtualization overhead of Xen is considerably higher than that of OpenVZ, and this is due primarily to L2-cache misses.
◼ The performance degradation when the workload increases is also noticeable for Xen.
◼ Hosting multiple tiers of the same application on the same server is not an optimal solution.
[Figure: The setup for the performance comparison of a native Linux system with the OpenVZ and Xen systems. The applications are a web server and a MySQL database server. (a) The first experiment: the web and the DB share a single system; (b) the second experiment: the web and the DB run on two different systems; (c) the third experiment: the web and the DB run on two different systems and each has four instances.]
The darker side of virtualization

In a layered structure, a defense mechanism at some layer can be disabled by malware running at a layer below it.
It is feasible to insert a rogue VMM, a Virtual-Machine Based Rootkit (VMBR), between the physical hardware and an operating system.
Rootkit – malware with privileged access to a system.
The VMBR can enable a separate malicious OS to run surreptitiously and make this malicious OS invisible to the guest OS and to the applications running under it.
Under the protection of the VMBR, the malicious OS could:
◼ observe the data, the events, or the state of the target system.
◼ run services, such as spam relays or distributed denial-of-service attacks.
◼ interfere with the application.
The insertion of a Virtual-Machine Based Rootkit (VMBR) as the lowest
layer of the software stack running on the physical hardware; (a) below an
operating system; (b) below a legitimate virtual machine monitor. The
VMBR enables a malicious OS to run surreptitiously and makes it invisible
to the genuine or the guest OS and to the application.
The features of the SFI for the Native Client on x86-32, x86-64, and ARM.
2. Virtualization
Simulates the interface to a physical object by:
 Multiplexing: creates multiple virtual objects from one instance of a physical object. Example – a processor is multiplexed among a number of processes or threads.
 Aggregation: creates one virtual object from multiple physical objects. Example – a number of physical disks are aggregated into a RAID disk.
 Emulation: constructs a virtual object from a different type of physical object. Example – a physical disk emulates Random Access Memory (RAM).
 Multiplexing and emulation. Examples – virtual memory with paging multiplexes real memory and disk; a virtual address emulates a real address.
Dan C. Marinescu
Cloud Computing, Second Edition
59
Virtualization (Cont’d)
Three fundamental abstractions are necessary to describe the operation of computing systems:
 Interpreters – active hardware and software components which transform data, e.g. processors and programs in execution.
 Memory – repository of data.
 Communications links – allow hardware and software components to interact with one another.
Virtualization is a basic tenet of cloud computing; it simplifies the management of physical resources for the three abstractions.
It provides benefits and creates problems for cloud users and for cloud service providers.
Virtualization → user benefits versus concerns
Users operate in environments they are familiar with, rather than being forced into idiosyncratic ones.
Applications can migrate from one platform to another.
Supports performance isolation, important for application optimization and QoS (Quality of Service) assurance.
Adds overhead and increases the execution time. The hypervisor is invoked by the OS when applications make system calls.
Virtualization → system benefits versus concerns
Simplifies the development and management of services offered by a CSP.
Allows isolation of services running on the same hardware.
Important for load balancing. The state of a virtual machine (VM) running under a hypervisor can be saved and migrated to another server to balance the load.
Increases the size of the software stack.
Complicates software maintenance. Saved VMs are not updated when OS and other system software patches are applied.
Virtual machines (VMs)
VM – isolated environment that appears to be a whole computer, but actually only has access to a portion of the computer resources.
Process VM – a virtual platform created for an individual process and destroyed once the process terminates.
System VM – supports an operating system together with many user processes.
Traditional VM – supports multiple virtual machines and runs directly on the hardware.
Hybrid VM – shares the hardware with a host operating system and supports multiple virtual machines.
Hosted VM – runs under a host operating system.
Traditional, hybrid, and hosted VMs
[Figure: (a) taxonomy of process VMs and system VMs, each split by same ISA and different ISA: multiprogram, dynamic translators, binary optimizers, HLL VMs, traditional VM, whole-system VM, hybrid VM, codesigned VM, hosted VM; (b) traditional VM: applications on guest OS-1 ... guest OS-n inside VM-1 ... VM-n on a virtual machine monitor running on the hardware; (c) hybrid VM: VMM and host OS side by side on the hardware; (d) hosted VM: VMM running on the host OS.]
Hypervisors – CPU and memory virtualization
A hypervisor:
 Traps the privileged instructions executed by a guest OS and enforces the correctness and safety of the operation.
 Traps interrupts and dispatches them to the individual guest operating systems.
 Controls the virtual memory management.
 Maintains a shadow page table for each guest OS and replicates any modification made by the guest OS in its own shadow page table. This shadow page table points to the actual page frame and it is used by the Memory Management Unit (MMU) for dynamic address translation.
 Monitors the system performance and takes corrective actions to avoid performance degradation. For example, the VMM may swap out a Virtual Machine to avoid thrashing.
3. Xen – a VMM based on paravirtualization
The goal of the Cambridge group – design a VMM capable of scaling to about 100 VMs running standard applications and services without any modifications to the Application Binary Interface (ABI).
Linux, Minix, NetBSD, FreeBSD, NetWare, and OZONE can operate as paravirtualized Xen guest OSs running on x86, x86-64, Itanium, and ARM architectures.
Xen domain – ensemble of address spaces hosting a guest OS and the applications running under the guest OS. Runs on a virtual CPU.
 Dom0 – dedicated to the execution of Xen control functions and privileged instructions.
 DomU – a user domain.
Applications make system calls using hypercalls processed by Xen; privileged instructions issued by a guest OS are paravirtualized and must be validated by Xen.
Virtualization under Xen
[Figure: the management OS and the guest OSs with their applications, each with Xen-aware device drivers, run above Xen; Xen provides the Domain0 control interface, a virtual x86 CPU, virtual physical memory, a virtual network, and virtual block devices on top of the x86 hardware.]
Dom0 components
XenStore – a Dom0 process.
 Supports a system-wide registry and naming service.
 Implemented as a hierarchical key-value storage.
 A watch function informs listeners of changes to the keys in storage they have subscribed to.
 Communicates with guest VMs via shared memory using Dom0 privileges.
Toolstack – responsible for creating, destroying, and managing the resources and privileges of VMs.
 To create a new VM a user provides a configuration file describing memory and CPU allocations and device configurations.
 Toolstack parses this file and writes this information in XenStore.
 Takes advantage of Dom0 privileges to map guest memory, to load a kernel and virtual BIOS, and to set up initial communication channels with XenStore and with the virtual console when a new VM is created.
Xen abstractions for networking and I/O
Each domain has one or more Virtual Network Interfaces (VIFs) which support the functionality of a network interface card. A VIF is attached to a Virtual Firewall-Router (VFR).
Split drivers have a front-end in the DomU and the back-end in Dom0; the two communicate via a ring in shared memory.
Ring – a circular queue of descriptors allocated by a domain and accessible within Xen. Descriptors do not contain data; the data buffers are allocated out-of-band by the guest OS.
Two rings of buffer descriptors, one for packet sending and one for packet receiving, are supported.
To transmit a packet:
 a guest OS enqueues a buffer descriptor to the send ring,
 then Xen copies the descriptor and checks safety,
 copies only the packet header, not the payload, and
 executes the matching rules.
[Figure: (a) the guest domain's frontend and the driver domain's backend, bridge and network interface, connected through an I/O channel and an event channel via Xen to the NIC; (b) the I/O ring with a request queue and a response queue, outstanding and unused descriptors, and four pointers: Producer Request (shared pointer updated by the guest OS), Consumer Request (private pointer in Xen), Producer Response (shared pointer updated by Xen), and Consumer Response (private pointer maintained by the guest OS).]
Xen zero-copy semantics for data transfer using I/O rings. (a) The communication between a guest domain and the driver domain over an I/O and an event channel; NIC is the Network Interface Controller. (b) The circular ring of buffers.
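The transmit path and the four ring pointers described above, as an added example that is not Xen's code: a simplified Python model in which descriptors carry page references rather than data, Xen keeps its own copy of each descriptor before checking it, copies only the header, and applies a constructed VFR rule (source MAC must match the VIF). The ring size, page size, the `GuestDomain` fields and the sample frames are assumptions.

```python
"""Simulated Xen-style I/O ring for packet transmission (added example, not Xen's code):
the request/response queues, their four pointers, and the transmit path on the slide
(descriptor copy, safety check, header-only copy, matching rules)."""
from dataclasses import dataclass, field

RING_SIZE = 8      # slots per queue; indices grow monotonically and wrap modulo this
PAGE_SIZE = 4096
HEADER_LEN = 14    # Ethernet header: dst MAC (6), src MAC (6), ethertype (2)


@dataclass(frozen=True)
class Descriptor:
    """A ring entry names a guest page and a length; the payload never enters the ring."""
    req_id: int
    page: int      # page frame number the guest claims to own
    length: int    # bytes of packet data in that page


@dataclass(frozen=True)
class Response:
    req_id: int
    status: str    # "ok", or why the packet was not sent


@dataclass
class GuestDomain:
    mac: bytes                                 # MAC address assigned to this domain's VIF
    owned_pages: set
    pages: dict = field(default_factory=dict)  # page -> bytes (constructed buffers)
    rsp_cons: int = 0                          # consumer-response pointer, private to the guest


class IORing:
    """The two circular queues and the four pointers of the figure: req_prod (shared,
    written by the guest), req_cons (private to Xen), rsp_prod (shared, written by Xen)
    and rsp_cons (private to the guest, so it lives in GuestDomain)."""

    def __init__(self):
        self.req = [None] * RING_SIZE
        self.rsp = [None] * RING_SIZE
        self.req_prod = self.req_cons = self.rsp_prod = 0

    # guest side
    def guest_enqueue(self, dom, desc):
        """Return False when every slot holds an outstanding (unanswered) descriptor."""
        if self.req_prod - dom.rsp_cons >= RING_SIZE:
            return False
        self.req[self.req_prod % RING_SIZE] = desc
        self.req_prod += 1    # publishing the pointer makes the descriptor visible to Xen
        return True

    def guest_dequeue_responses(self, dom):
        out = []
        while dom.rsp_cons < self.rsp_prod:
            out.append(self.rsp[dom.rsp_cons % RING_SIZE])
            dom.rsp_cons += 1
        return out

    # Xen side
    def xen_process(self, dom, nic_out):
        """Consume requests: take a private copy of the descriptor, check it, copy only
        the header, run the matching rules, and post one response per request."""
        while self.req_cons < self.req_prod:
            desc = self.req[self.req_cons % RING_SIZE]  # frozen: the guest cannot alter our copy
            self.req_cons += 1
            status = self._validate(dom, desc)
            if status == "ok":
                header = dom.pages[desc.page][:HEADER_LEN]  # header only, never the payload
                status = self._match_rules(dom, header)
            if status == "ok":
                nic_out.append((desc.page, desc.length))   # the NIC reads the payload in place
            self.rsp[self.rsp_prod % RING_SIZE] = Response(desc.req_id, status)
            self.rsp_prod += 1

    @staticmethod
    def _validate(dom, desc):
        if desc.page not in dom.owned_pages:
            return "error: page not owned by domain"
        if not HEADER_LEN <= desc.length <= PAGE_SIZE:
            return "error: bad length"
        return "ok"

    @staticmethod
    def _match_rules(dom, header):
        """Constructed VFR rule: a domain may only send frames carrying its own source MAC."""
        if header[6:12] != dom.mac:
            return "dropped: source MAC does not match VIF"
        return "ok"


def demo():
    """Constructed scenario: a well-formed frame, a frame whose source MAC is not the
    domain's, and a descriptor pointing at a page the domain does not own."""
    dom = GuestDomain(mac=bytes.fromhex("00163e000001"), owned_pages={10, 11, 12})
    good = b"\xff" * 6 + dom.mac + b"\x08\x00" + b"payload"
    wrong_src = b"\xff" * 6 + bytes(6) + b"\x08\x00" + b"payload"
    dom.pages = {10: good, 11: wrong_src, 12: good}
    ring, nic = IORing(), []
    for i, (page, length) in enumerate([(10, len(good)), (11, len(wrong_src)), (99, 60)]):
        ring.guest_enqueue(dom, Descriptor(i, page, length))
    ring.xen_process(dom, nic)
    return [r.status for r in ring.guest_dequeue_responses(dom)], nic
```

Only the first descriptor reaches the NIC; the guest learns the fate of the other two from the response queue, and a guest that stops consuming responses eventually finds the ring full.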
Xen 2.0 Optimizations
Virtual interface – takes advantage of the capabilities of some physical NICs, such as checksum offload.
I/O channel – rather than copying a data buffer holding a packet, each packet is allocated in a new page and then the physical page containing the packet is re-mapped into the target domain.
Virtual memory – takes advantage of the superpage and global page mapping hardware on Pentium and Pentium Pro processors. A superpage entry covers 1,024 pages of physical memory and the address translation mechanism maps a set of contiguous pages to a set of contiguous physical pages. This helps reduce the number of TLB misses.
[Figure: (a) original architecture: a guest domain with a NIC driver, an I/O channel, and a driver domain with a backend interface, a bridge and the physical NIC, all over the Xen VMM; (b) optimized architecture: a guest domain with a high-level virtual interface and an offload driver, an I/O channel, and a driver domain with a backend interface, a bridge and the physical NIC, over the Xen VMM.]
Xen network architecture. (a) Original architecture; (b) Optimized architecture.
A comparison of send and receive data rates for a native Linux
system, the Xen driver domain, an original Xen guest domain, and
an optimized Xen guest domain.
Porting commodity operating systems to Xen
The number of lines of code that had to be modified to port an OS to Xen:
 3,000 lines of Linux code, or 1.36%.
 4,620 lines of Windows XP code, or about 0.04%.
4. KVM – kernel VM
Kernel-based Virtual Machine (KVM) is a virtualization infrastructure for Linux, released as part of the 2.6.20 Linux kernel in 2007.
KVM runs inside Linux as a driver handling the new virtualization instructions exposed by the hardware.
KVM inherits all the new features of Linux in scheduling, memory management, power management, and so on.
KVM components:
 Generic host kernel module exposing architecture-independent functionality.
 Architecture-specific kernel module for the host system.
 User-space emulation of the VM hardware that the guest OS runs on.
 Guest OS performance optimization additions.
When the guest OS performs a privileged operation the CPU exits and KVM takes over. If KVM itself can service the request, it does so and then gives control back to the guest.
[Figure: KVM architecture. A KVM guest (guest kernel with file systems, block devices and device drivers) runs on vcpu-0 ... vcpu-n provided by the hardware emulator (QEMU) and its I/O thread; below them KVM (kvm.ko) and the Linux kernel's file systems, block devices and physical device drivers run on the physical hardware with CPU-0 ... CPU-n and disks.]
5. Nested virtualization
System organization when a guest hypervisor runs inside a VM which is itself running under a host hypervisor.
Nested virtualization is useful for:
1. Experimenting with server setup or testing configurations.
2. Allowing IaaS users to run their own hypervisor as a VM.
3. Live migration of hypervisors together with their guest VMs for load balancing, for hypervisor-level protection, and for supporting other security mechanisms.
4. Experiments with cloud interoperability alternatives.
Nested virtualization is limited by the hardware support.
Main concern – handling sensitive instructions.
When the hardware supports multi-level nested virtualization, each hypervisor handles all traps caused by sensitive instructions of guest hypervisors running directly above it.
Nested virtualization (Cont’d)
[Figure: Windows and Linux guests running on Xen and ESXi, which together with a Windows VM run on Linux/KVM on the hardware.]
Nested virtualization. KVM allows three VMs to run concurrently. Two VMs run the hypervisors Xen and ESXi and the third runs Windows. A VM runs Linux under Xen and another VM runs Windows under ESXi.
Hardware support for nested virtualization
Nested virtualization with single-level hardware virtualization support. A trap is handled by the L0 trap handler regardless of the hypervisor where the trap occurs. The flow of control of nested traps:
(Left) Two-level, L0, L1, and L2 nested hypervisor(s);
(Right) Three-level, L0, L1, L2, and L3 nested hypervisor(s).
When the hardware supports multi-level nested virtualization, each hypervisor handles all traps caused by sensitive instructions of guest hypervisors running directly above it.
VMX support for virtualization
VMX is an extension of the x86 Intel architecture for virtualization. It adds ten new instructions permitting entering and exiting a virtual execution mode.
In this mode the guest OS views itself as running with full privileges (running in protection ring 0) but the host OS remains fully protected.
[Figure: (a) VMX root and VMX non-root operation, with VMEntry and VMExit transferring control between them; (b) the virtual-machine control structure holding the host-state and the guest-state.]
Virtual Machine Control Structure (VMCS)
VMCS is used by the VMX extension to the x86 architecture to track host state and guest VMs as control is transferred between them.
Three types of data are stored in VMCS:
 Guest state. Holds virtualized CPU registers (e.g., control registers or segment registers) automatically loaded by the CPU when switching from kernel mode to guest mode on VMEntry.
 Host state. Data used by the CPU to restore register values when switching back from guest mode to kernel mode on VMExit.
 Control data. Data used by the hypervisor to inject events such as exceptions or interrupts into VMs and to specify which events should cause a VMExit; it is also used by the CPU to specify the VMExit reason.
[Figure: hardware at the bottom, KVM at level L0, Xen at level L1 and Linux at level L2; VMCS01 sits between L0 and L1, VMCS12 between L1 and L2, and VMCS02 is maintained by L0 for running L2.]
Intel supports nested virtualization. KVM runs at level L0, Xen runs at level L1 and KVM uses VMCS01 for the VM running Xen.
VMCS – Virtual machine control structure.
Multiplexing multiple virtualization levels
Intel VMX instructions can only be successfully executed in kernel mode.
A guest hypervisor at level Li operates in guest mode and whenever it executes a VMX instruction to launch a level Li+1 guest, the instruction is trapped and handled at level L0.
Trapping execution exceptions enables the host hypervisor at level L0, running in kernel mode, to emulate the VMX instructions executed by guest hypervisors at level Li.
This mechanism supports a critical idea for increasing the efficiency of nested virtualization: multiplexing multiple hypervisors.
[Figure: two nested stacks, each with the hardware at the bottom, a host hypervisor at level L0, a guest hypervisor at level L1, and guest VMs at level L2.]
Nested virtualization based on multiplexing
As long as the host hypervisor at level L0 emulates faithfully the VMX instruction set, a guest hypervisor at level L1 cannot distinguish whether it is running directly on the hardware or not. It follows that the guest hypervisor at level L1 can launch VMs using the standard mechanisms.
The guest hypervisor can use the same technique to give another guest hypervisor at level L2 the same illusion that it is running directly on the hardware. The process can be extended, a hypervisor at level Li giving the illusion that the one at level Li+1 is running directly on the hardware.
The processor runs L1 and L2, maintained by L0 using the VMCS0 ➔ 1 and VMCS0 ➔ 2 environment specifications, respectively. L1 creates VMCS1 ➔ 2 within its own virtualized environment and the processor uses it to emulate VMX for L1. Switching from one level to another is emulated.
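The trap routing of the preceding slides (every VMExit lands in L0, L0 emulates the VMX instructions of the L1 guest hypervisor, and VMCS02 is built from VMCS01 and VMCS12) as an added example written for this page, not Intel's or KVM's code. The VMCS field names, the merge rule (L2's guest state, L0's host state, union of both exit conditions) and the event kinds are assumptions.

```python
"""Model of nested VMX on single-level hardware support: every VMExit lands in L0, which
emulates the VMX instructions of the L1 guest hypervisor and builds VMCS02 from VMCS01
and VMCS12. Added example written for this page, not Intel's or KVM's code; the field
names, the merge rule and the event kinds are assumptions."""
from dataclasses import dataclass, field


@dataclass
class VMCS:
    """Guest state, host state and control data (the events that force a VMExit)."""
    name: str
    guest_state: dict
    host_state: dict
    exit_on: set = field(default_factory=set)
    exit_reason: str = None    # written by the CPU on VMExit


@dataclass
class Event:
    kind: str                  # e.g. "vmlaunch", "cpuid", "external_interrupt"
    payload: object = None     # the VMCS12 that accompanies an (emulated) vmlaunch


class Processor:
    """Holds the current VMCS. A VMExit always enters the host state of that VMCS, and
    because VMCS02 carries L0's host state, exits from L2 reach L0 just like exits from L1."""

    def __init__(self):
        self.current = None
        self.root_handler = None    # the L0 hypervisor, the only code in VMX root mode
        self.trace = []

    def vmentry(self, vmcs):
        self.current = vmcs
        self.trace.append(f"VMEntry {vmcs.name}")

    def raise_event(self, ev):
        vmcs = self.current
        if ev.kind not in vmcs.exit_on:
            self.trace.append(f"{vmcs.name} guest handles {ev.kind}")
            return "handled-in-guest"
        vmcs.exit_reason = ev.kind                # control data: the CPU records the reason
        self.trace.append(f"VMExit {vmcs.name} -> {vmcs.host_state['rip']}")
        return self.root_handler.on_exit(vmcs, ev)


class L0Hypervisor:
    def __init__(self, cpu):
        self.cpu = cpu
        cpu.root_handler = self
        self.vmcs01 = VMCS("VMCS01", {"level": 1, "rip": "l1_entry"},
                           {"level": 0, "rip": "l0_exit_handler"},
                           {"vmlaunch", "cpuid", "external_interrupt"})
        self.vmcs12 = self.vmcs02 = None
        self.handled = []           # events L0 serviced itself, invisible to L1

    def run_l1(self):
        self.cpu.vmentry(self.vmcs01)

    @staticmethod
    def merge(vmcs01, vmcs12):
        """VMCS02: L2's guest state, L0's host state (so exits come to L0) and the union
        of the exit conditions L0 and L1 each asked for."""
        return VMCS("VMCS02", dict(vmcs12.guest_state), dict(vmcs01.host_state),
                    vmcs01.exit_on | vmcs12.exit_on)

    def on_exit(self, vmcs, ev):
        if vmcs is self.vmcs01:                   # the L1 guest hypervisor caused the exit
            if ev.kind == "vmlaunch":             # VMX instruction in guest mode: trapped, emulated
                self.vmcs12 = ev.payload
                self.vmcs02 = self.merge(self.vmcs01, self.vmcs12)
                self.cpu.vmentry(self.vmcs02)     # emulated switch L1 -> L2
                return "l2-launched-by-l0"
            self.handled.append(ev.kind)
            self.cpu.vmentry(self.vmcs01)
            return "l1-resumed"
        if ev.kind in self.vmcs12.exit_on:        # L2 exit that L1 asked to see: reflect it
            self.vmcs12.exit_reason = ev.kind
            self.vmcs01.guest_state["rip"] = self.vmcs12.host_state["rip"]
            self.cpu.vmentry(self.vmcs01)         # emulated switch L2 -> L1
            return "reflected-to-l1"
        self.handled.append(ev.kind)              # L0 services it and resumes L2 directly
        self.cpu.vmentry(self.vmcs02)
        return "l2-resumed"


def scenario():
    """Constructed run: L1 launches L2, then L2 takes an interrupt and executes cpuid."""
    cpu = Processor()
    l0 = L0Hypervisor(cpu)
    l0.run_l1()
    vmcs12 = VMCS("VMCS12", {"level": 2, "rip": "l2_entry"},
                  {"level": 1, "rip": "l1_exit_handler"}, {"cpuid"})
    results = [cpu.raise_event(Event("vmlaunch", vmcs12)),
               cpu.raise_event(Event("external_interrupt")),
               cpu.raise_event(Event("cpuid"))]
    return results, l0, cpu.trace
```

The trace shows that both VMExits arrive at `l0_exit_handler`; L0 hides the interrupt from L1 and resumes L2, but reflects the `cpuid` exit into L1's handler because VMCS12 asked for it.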
Performance comparison of virtual machines
Compare the performance of Xen and OpenVZ with a plain vanilla Linux.
Questions examined are:
 How does the performance scale up with the load?
 What is the impact of a mix of applications?
 What are the implications of the load assignment on individual servers?
Main conclusions:
 The virtualization overhead of Xen is considerably higher than that of OpenVZ, due primarily to L2-cache misses.
 Performance degradation when the workload increases is also noticeable for Xen.
 Hosting multiple tiers of the same application on the same server is not an optimal solution.
The setup for the performance comparison of a native Linux system with OpenVZ and Xen. The applications are a web server and a MySQL database server. (a) The first experiment: the web and the DB servers share a single system; (b) The second experiment: the web and the DB servers run on two different systems; (c) The third experiment: the web and the DB servers run on two different systems and each has four instances.
The darker side of virtualization
In a layered structure, a defense mechanism at some layer can be disabled by malware running at a layer below it.
It is feasible to insert a rogue VMM, a Virtual-Machine Based Rootkit (VMBR), between the physical hardware and an operating system.
Rootkit – malware with privileged access to a system.
The VMBR can enable a separate malicious OS to run surreptitiously and make this malicious OS invisible to the guest OS and to the applications running under it.
Under the protection of the VMBR, the malicious OS could:
 observe the data, the events, or the state of the target system.
 run services, such as spam relays or distributed denial-of-service attacks.
 interfere with the applications.
Insertion of a Virtual-Machine Based Rootkit (VMBR) as the lowest layer of the software stack running on the physical hardware below:
(a) An operating system;
(b) A legitimate hypervisor. The VMBR enables a malicious OS to run surreptitiously and makes it invisible to the genuine or guest OS and to the application.
8. Security risks posed by shared images
Image sharing poses security risks for IaaS.
A study conducted during the period November 2010 – May 2011 analyzed the AMIs available through the public catalog at Amazon:
 5,303 Linux AMIs
 1,202 Windows AMIs.
Many images analyzed allowed a user to undelete files and to recover credentials, private keys, or other types of sensitive information with little effort and using standard tools.
Critical software vulnerabilities were revealed by the audit in:
 98% of the Windows AMIs (249 out of 253)
 58% of the Linux AMIs (2,005 out of 3,432).
The average number of vulnerabilities per AMI: 46 for Windows AMIs and 11 for Linux AMIs.
Security risks
Three types of security risks were analyzed: (1) backdoors and leftover credentials, (2) unsolicited connections, and (3) malware.
To rent a Linux AMI a user must provide the public part of her ssh key, and this key is stored in the authorized_keys file in the home directory. This opens a backdoor for a malicious creator of an AMI who does not remove her own public key from the image and can then remotely log in to any instance of this AMI.
Another backdoor is opened when the ssh server allows password-based authentication and the malicious creator of an AMI does not remove her own password.
This backdoor is even wider open, as one can extract the password hashes and then crack the passwords using a tool such as John the Ripper.
More security risks
Omission of the cloud-init script that should be invoked when the image is booted. This script, provided by Amazon, regenerates the host key an ssh server uses to identify itself; the public part of this key is used to authenticate the server. When this key is shared among several systems, these systems become vulnerable to man-in-the-middle attacks.
When this script does not run, an attacker can use the Nmap tool to match the ssh host keys discovered in the AMI images with the keys obtained with Nmap. The study identified more than 2,100 instances following this procedure.
About 22% of the scanned Linux AMIs contained credentials allowing an intruder to remotely log in to the system. Some 100 passwords, 995 ssh keys, and 90 cases when both could be retrieved were identified.
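A hygiene check an image publisher or consumer could run against an unpacked image root before using it, covering the two slides above (leftover authorized_keys entries, usable password hashes with password logins enabled, a missing cloud-init configuration, and host keys shared by several images). This is an added example written for this page, not code from the study; the file layout of the constructed sample images, the `cloud.cfg` check and the finding codes are assumptions.

```python
"""Hygiene audit of an unpacked machine image root for the leftover-credential and
host-key risks on the slides (added example, not the study's code; the constructed
sample images and the finding codes are assumptions)."""
import hashlib
import tempfile
from pathlib import Path

HOST_KEY_GLOB = "etc/ssh/ssh_host_*_key"


def audit_image(root):
    """Return (code, detail) findings for one image root unpacked under `root`."""
    root = Path(root)
    findings = []
    # 1. Backdoor: authorized_keys entries the image creator left behind.
    for ak in [*root.glob("root/.ssh/authorized_keys"), *root.glob("home/*/.ssh/authorized_keys")]:
        keys = [l for l in ak.read_text().splitlines() if l.strip() and not l.startswith("#")]
        if keys:
            findings.append(("leftover-authorized-key", f"{ak.relative_to(root)}: {len(keys)} key(s)"))
    # 2. Backdoor: accounts with a usable password hash, and password logins enabled.
    shadow = root / "etc/shadow"
    if shadow.exists():
        for line in shadow.read_text().splitlines():
            fields = line.split(":")
            if len(fields) >= 2 and fields[1] and not fields[1].startswith(("*", "!")):
                findings.append(("password-hash-present", fields[0]))
    sshd = root / "etc/ssh/sshd_config"
    if sshd.exists():
        for line in sshd.read_text().splitlines():
            parts = line.split()
            if len(parts) == 2 and parts[0].lower() == "passwordauthentication" and parts[1].lower() == "yes":
                findings.append(("password-auth-enabled", "etc/ssh/sshd_config"))
    # 3. Host key: a baked-in key is acceptable only if cloud-init regenerates it at first boot.
    if not (root / "etc/cloud/cloud.cfg").exists():
        findings.append(("cloud-init-missing", "etc/cloud/cloud.cfg"))
        for hk in root.glob(HOST_KEY_GLOB):
            findings.append(("baked-in-host-key", str(hk.relative_to(root))))
    return findings


def shared_host_keys(roots):
    """Map host-key digest -> image roots carrying that key; two or more means shared."""
    seen = {}
    for r in roots:
        for p in Path(r).glob(HOST_KEY_GLOB):
            seen.setdefault(hashlib.sha256(p.read_bytes()).hexdigest(), []).append(str(r))
    return {d: rs for d, rs in seen.items() if len(rs) > 1}


def build_sample_image(base, name, *, creator_key, shadow, host_key, cloud_init, pw_auth):
    """Write a constructed image tree containing only the files the audit inspects."""
    root = Path(base) / name
    for sub in ("root/.ssh", "etc/ssh", "etc/cloud"):
        (root / sub).mkdir(parents=True)
    (root / "root/.ssh/authorized_keys").write_text(creator_key)
    (root / "etc/shadow").write_text(shadow)
    (root / "etc/ssh/ssh_host_rsa_key").write_bytes(host_key)
    (root / "etc/ssh/sshd_config").write_text(f"PasswordAuthentication {pw_auth}\n")
    if cloud_init:
        (root / "etc/cloud/cloud.cfg").write_text("ssh_deletekeys: true\n")
    return root


def demo():
    """Three constructed images: a dirty one, a copy sharing its host key, and a clean one."""
    base = tempfile.mkdtemp()
    dirty_args = dict(
        creator_key="ssh-rsa AAAAB3Nza...CONSTRUCTED cre...@example.invalid\n",
        shadow="root:$6$CONSTRUCTED$HASH:19000:0:99999:7:::\n"
               "admin:$6$CONSTRUCTED$HASH:19000:0:99999:7:::\n",
        host_key=b"-----BEGIN CONSTRUCTED KEY-----\nshared-by-two-images\n-----END CONSTRUCTED KEY-----\n",
        cloud_init=False, pw_auth="yes")
    dirty = build_sample_image(base, "ami-dirty", **dirty_args)
    copy = build_sample_image(base, "ami-copy", **dirty_args)
    clean = build_sample_image(base, "ami-clean", creator_key="", shadow="root:*:19000:0:99999:7:::\n",
                               host_key=b"-----BEGIN CONSTRUCTED KEY-----\nunique\n-----END CONSTRUCTED KEY-----\n",
                               cloud_init=True, pw_auth="no")
    return {"dirty": audit_image(dirty), "clean": audit_image(clean),
            "shared": shared_host_keys([dirty, copy, clean])}
```

Real images need the same checks extended to every home directory, to service accounts, and to each host-key type present under `etc/ssh`.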
Chapter 11 – Cloud Security
Contents
1. Computer security in the new millennium.
2. Security the top concern for cloud users.
3. Cloud security risks.
4. Privacy and privacy impact assessment.
5. Trust.
6. Data encryption.
7. Security of database services.
8. Operating systems security.
9. Virtual machine security.
10. Security of virtualization.
11. Security risks posed by shared images.
12. Security risks posed by a management OS.
13. Breaking the monolithic design of TCB.
14. Terra – a trusted hypervisor.
Dan C. Marinescu
Cloud Computing Second Edition – Chapter 11
2
11.1 Computer security in the new millennium
In an interconnected world, various embodiments of malware can migrate easily from one system to another, cross national borders, and infect systems all over the globe.
Security of computing and communication systems takes on a new urgency as society becomes increasingly dependent on the information infrastructure. Even the critical infrastructure of a nation can be attacked by exploiting flaws in computer security.
Recently, the term cyberwarfare has entered the dictionary, meaning “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption”.
11.2 Security – the top concern for cloud users
Unauthorized access to confidential information and data theft top the list of user concerns.
 Data is more vulnerable in storage, as it is kept in storage for extended periods of time.
 Threats during processing cannot be ignored; such threats can originate from flaws in the VMM, rogue VMs, or a VMBR.
There is the risk of unauthorized access and data theft posed by rogue employees of a Cloud Service Provider (CSP).
Lack of standardization is also a major concern.
Users are concerned about the legal framework for enforcing cloud computing security.
Multi-tenancy is the root cause of many user concerns. Nevertheless, multi-tenancy enables a higher server utilization, thus lower costs.
The threats caused by multi-tenancy differ from one cloud delivery model to another.
Cloud security
Outsourcing computing to a cloud generates new security and privacy concerns.
Many issues related to privacy, security, and trust in cloud computing are far from being settled.
A computer cloud is a target-rich environment for malicious individuals and criminal organizations.
Standards, regulations, and laws governing the activities of organizations supporting cloud computing have yet to be adopted.
There is a need for international regulations adopted by the countries where the data centers of cloud computing providers are located.
Service Level Agreements (SLAs) do not provide adequate legal protection for cloud computing users, who are often left to deal with events beyond their control.
11.3 Cloud security risks
Traditional threats → impact amplified due to the vast amount of cloud resources and the large user population that can be affected. The fuzzy bounds of responsibility between the providers of cloud services and the users add to the difficulty of accurately identifying the cause of an incident.
New threats → cloud servers host multiple VMs; multiple applications may run under each VM. Multi-tenancy and VMM vulnerabilities open new attack channels for malicious users. Identifying the path followed by an attacker is more difficult in a cloud environment.
Authentication and authorization → the procedures in place for one individual do not extend to an enterprise.
Third-party control → generates a spectrum of concerns caused by the lack of transparency and limited user control.
Availability of cloud services → system failures, power outages, and other catastrophic events could shut down services for extended periods of time.
Attacks in a cloud computing environment
Three actors are involved; six types of attacks are possible.
 The user can be attacked by:
◼ The service → SSL certificate spoofing, attacks on browser caches, or phishing attacks.
◼ The cloud infrastructure → attacks that either originate at the cloud or are spoofed to appear to originate from the cloud infrastructure.
 The service can be attacked by:
◼ A user → buffer overflow, SQL injection, and privilege escalation are the common types of attacks.
◼ The cloud infrastructure → the most serious line of attack. Limiting access to resources, privilege-related attacks, data distortion, injecting additional operations.
 The cloud infrastructure can be attacked by:
◼ A user → targets the cloud control system.
◼ A service → requesting an excessive amount of resources and causing the exhaustion of the resources.
[Figure: three actors, the user, the service, and the cloud infrastructure. The user invokes the service and gets results, and controls and monitors the cloud; the service requests resources from the cloud and manages them. The six attack surfaces are User-Service, Service-User, User-Cloud, Cloud-User, Service-Cloud, and Cloud-Service.]
Surfaces of attacks in a cloud computing environment.
Top threats to cloud computing
Identified by a 2010 Cloud Security Alliance (CSA) report:
 The abusive use of the cloud – the ability to conduct nefarious activities from the cloud.
 APIs that are not fully secure – may not protect the users during a range of activities starting with authentication and access control to monitoring and control of the application during runtime.
 Malicious insiders – cloud service providers do not disclose their hiring standards and policies, so this can be a serious threat.
 Shared technology.
 Account hijacking.
 Data loss or leakage – if the only copy of the data is stored on the cloud, then sensitive data is permanently lost when cloud data replication fails followed by a storage media failure.
 Unknown risk profile – exposure to the ignorance or underestimation of the risks of cloud computing.
Auditability of cloud activities
The lack of transparency makes auditability a very difficult proposition for cloud computing.
Auditing guidelines elaborated by the National Institute of Standards and Technology (NIST) are mandatory for US Government agencies:
 the Federal Information Processing Standard (FIPS).
 the Federal Information Security Management Act (FISMA).
Legal protection of cloud users
The contract between the user and the Cloud Service Provider (CSP) should spell out explicitly:
 CSP obligations to handle sensitive information securely and its obligation to comply with privacy laws.
 CSP liabilities for mishandling sensitive information.
 CSP liabilities for data loss.
 The rules governing ownership of the data.
 The geographical regions where information and backups can be stored.
11.4 Privacy and privacy impact assessment
Privacy ➔ the right of an individual, a group of individuals, or an organization to keep information of a personal nature or proprietary information from being disclosed.
Privacy is protected by law; sometimes laws limit privacy.
The main aspects of privacy are: the lack of user control, potential unauthorized secondary use, data proliferation, and dynamic provisioning.
The digital age has confronted legislators with significant challenges related to privacy as new threats have emerged. For example, personal information voluntarily shared, but stolen from sites granted access to it or misused, can lead to identity theft.
Privacy concerns are different for the three cloud delivery models and also depend on the actual context.
Federal Trade Commission Rules
Web sites that collect personal identifying information from or about consumers online are required to comply with four fair information practices:
 Notice – provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it, how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.
 Choice – offer consumers choices as to how their personal identifying information is used. Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).
 Access – offer consumers reasonable access to the information a web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
 Security – take reasonable steps to protect the security of the information they collect from consumers.
Privacy Impact Assessment (PIA)
There is a need for tools capable of identifying privacy issues in information systems.
There are no international standards for such a process, though different countries and organizations require PIA reports.
The centerpiece of a proposed PIA tool is a SaaS service. The users of the SaaS service providing access to the PIA tool must fill in a questionnaire.
 The system uses a knowledge base (KB) created and maintained by domain experts.
 The system uses templates to generate the additional questions necessary and to fill in the PIA report.
 An expert system infers which rules are satisfied by the facts in the database and provided by the users, and executes the rule with the highest priority.
11.5 Trust

◼ Trust → assured reliance on the character, ability, strength, or truth
of someone or something.
◼ A complex phenomenon: it enables cooperative behavior, promotes
adaptive organizational forms, reduces harmful conflict, decreases
transaction costs, and promotes effective responses to crises.
◼ Two conditions must exist for trust to develop.
 Risk → the perceived probability of loss; trust is not necessary if there
is no risk involved, i.e., if it is certain that an action will succeed.
 Interdependence → the interests of one entity cannot be achieved
without reliance on other entities.
◼ A trust relationship goes through three phases:
 1. Building phase, when trust is formed.
 2. Stability phase, when trust exists.
 3. Dissolution phase, when trust declines.
◼ An entity must work very hard to build trust, but may lose it very easily.
Internet trust

◼ Obscures, or lacks entirely, the dimensions of character and personality,
nature of relationship, and institutional character found in traditional
trust.
◼ Offers individuals the ability to obscure or conceal their identity. The
anonymity reduces the cues normally used in judgments of trust.
◼ Identity is critical for developing trust relations; it allows us to base
our trust on the past history of interactions with an entity. Anonymity
causes mistrust because identity is associated with accountability, and
in the absence of identity accountability cannot be enforced.
◼ The opacity extends from identity to personal characteristics. It is
impossible to infer whether the entity or individual we transact with is
who it pretends to be, as the transactions occur between entities separated
in time and distance.
◼ There are no guarantees that the entities we transact with fully
understand the role they have assumed.
How to determine trust

◼ Policies and reputation are two ways of determining trust.
 Policies reveal the conditions to obtain trust, and the actions to take
when some of the conditions are met. Policies require the verification of
credentials; credentials are issued by a trusted authority and describe
the qualities of the entity using the credential.
 Reputation is a quality attributed to an entity based on a relatively long
history of interactions with, or possibly observations of, the entity.
Recommendations are based on trust decisions made by others and
filtered through the perspective of the entity assessing the trust.
◼ In a computer science context: the trust of a party A in a party B for a
service X is the measurable belief of A that B behaves dependably for a
specified period within a specified context (in relation to service X).
11.6 Data encryption

◼ Encryption is the obvious solution to protect data outsourced to a cloud.
◼ Cloud service providers offer encryption services. For example, Amazon
offers AWS Key Management Service (KMS) to create and control the
encryption keys used by clients to encrypt their data. KMS is integrated
with other AWS services including EBS, S3, RDS, Redshift, Elastic
Transcoder, and WorkMail. AWS also offers an Encryption SDK for developers.
◼ Sensitive data is safe while in storage, provided that it is encrypted
with strong encryption and the keys are kept out of the attacker's reach.
◼ Encrypted data must be decrypted for processing, and this opens a
window of vulnerability. So the first question examined in this section
is whether it is feasible to operate on encrypted data.
◼ Homomorphic encryption allows operating on encrypted data, but fully
homomorphic schemes remain far too slow to be a practical general solution.
Homomorphic encryption reflects the concept of homomorphism, a
structure-preserving map between two algebraic structures of the same type.
The homomorphism means that we can carry out arithmetic and/or logic
operations on encrypted data, and decrypting the result of these
operations yields the result of carrying out the same operations on the
plaintext data. The window of vulnerability created when data is decrypted
for processing thus disappears.
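A worked instance of the homomorphism described above, added here as an example and not taken from the slides: a toy Paillier cryptosystem, which is additively homomorphic. A server holding only ciphertexts can add two encrypted values, or multiply one by a known constant, and the client obtains the correct plaintext result on decryption. The fixed primes, the salary figures and the function names are constructed for this example; real deployments use randomly generated ~2048-bit moduli and a vetted library.

```python
"""Toy Paillier cryptosystem demonstrating additive homomorphism.
Added example, not from the Marinescu slides. The fixed Mersenne primes are
constructed toy parameters: real deployments use ~2048-bit moduli generated
at random and a vetted library, never hard-coded primes."""
import math
import secrets

P = 2**31 - 1   # constructed toy prime
Q = 2**61 - 1   # constructed toy prime


def _L(u, n):
    """Paillier's L function: L(u) = (u - 1) / n for u = 1 mod n."""
    return (u - 1) // n


def keygen(p=P, q=Q):
    """Return (public key n, private key (lam, mu)); generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    mu = pow(_L(pow(n + 1, lam, n * n), n), -1, n)        # (L(g^lam))^-1 mod n
    return n, (lam, mu)


def encrypt(n, m):
    """Probabilistic encryption: c = g^m * r^n mod n^2 with fresh random r."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1        # r in [1, n-1]
        if math.gcd(r, n) == 1:
            break
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2


def decrypt(n, priv, c):
    """m = L(c^lam mod n^2) * mu mod n."""
    lam, mu = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(n, c1, c2):
    """Server-side: E(m1) * E(m2) mod n^2 is an encryption of m1 + m2 mod n.
    The server never learns m1, m2 or the sum."""
    return (c1 * c2) % (n * n)


def scale_encrypted(n, c, k):
    """Server-side: E(m)^k mod n^2 is an encryption of k * m mod n."""
    return pow(c, k, n * n)


def payroll_demo():
    """Client encrypts two salaries, an untrusted server sums them and
    triples one of them, the client decrypts. Inputs are constructed."""
    n, priv = keygen()
    c_alice, c_bob = encrypt(n, 52_000), encrypt(n, 61_500)
    total = decrypt(n, priv, add_encrypted(n, c_alice, c_bob))
    tripled = decrypt(n, priv, scale_encrypted(n, c_alice, 3))
    return total, tripled


if __name__ == "__main__":
    print(payroll_demo())   # (113500, 156000)
```

Note what the server cannot do: Paillier supports addition of ciphertexts and multiplication by a plaintext constant, not multiplication of two ciphertexts; that second operation is what separates a partially homomorphic scheme like this from the fully homomorphic schemes the slide calls impractical. Also note that encrypting the same value twice yields different ciphertexts, so the server cannot even tell which records hold equal salaries.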
Order-preserving encryption


◼ Order Preserving Encryption (OPE) can be used to encrypt numeric data. OPE maps a range of numerical values (1 to M) into a much larger and sparse range of values (1 to N, with N ≫ M), so that x < y implies Encrypt(K, x) < Encrypt(K, y).
◼ To encrypt plaintext x the OPE encryption algorithm performs a binary search down to x. Given the secret key K, the algorithm first assigns Encrypt(K, M/2), then Encrypt(K, M/4) if x < M/2 and Encrypt(K, 3M/4) otherwise, and so on, until Encrypt(K, x) is assigned. Each ciphertext assignment is made according to the output of a negative hypergeometric sampling algorithm whose coins are derived from K, so the same key always produces the same assignments.
◼ Caveat: because OPE is deterministic and preserves order, any party holding the ciphertexts learns the equality and ordering of the plaintexts. This is exactly what makes range queries over encrypted columns possible, and it is also the leakage an attacker with access to the ciphertexts obtains.

Searching encrypted databases

◼ Searchable symmetric encryption (SSE) is used when an encrypted database is outsourced to a cloud or to a different organization. SSE hides information about the database and the queries. The client stores only the cryptographic key.
◼ To search the database the client encrypts the query, sends it to the database server, receives the encrypted result of the query and decrypts it using the cryptographic key.
◼ The information leakage from these searches is confined to query patterns (which queries are repeated and which index entries each query touches), while disclosure of explicit data and query plaintext values is prevented.

11.7 Security of database services

◼ Data owners and DBaaS users fear compromised integrity and confidentiality, as well as data unavailability.
◼ Insufficient authorization, authentication and accounting mechanisms, inconsistent use of encryption keys and techniques, alteration or deletion of records without maintaining backups, and operational failures are the major causes of data loss in DBaaS.
◼ Insider attacks are a concern for DBaaS users and data owners. Superusers have unlimited privileges, and misuse of superuser privileges poses a considerable threat to confidential data such as medical records, sensitive business data, proprietary product data, and so on.
◼ Malicious external attackers use spoofing, sniffing, man-in-the-middle attacks, side channels and illegal transactions, and launch DoS attacks.

User concerns

◼ Another concern is illegal recovery of data from storage devices, a side effect of multi-tenancy.
◼ Cloud users are not aware of the physical location of their data. This lack of transparency allows cloud service providers to optimize the use of resources, but in case of a security breach it is next to impossible for users to identify the compromised resources.
◼ DBaaS users do not have fine-grained control of the remote execution environment and cannot inspect execution traces to detect the occurrence of illegal operations.
◼ To increase availability and performance and to enhance reliability, DBaaS replicates data. Ensuring consistency among the replicas is challenging.
◼ Another critical function of DBaaS is to carry out timely backups of all sensitive and confidential data to facilitate quick recovery in case of disasters.
◼ Auditing and monitoring are important functions of a DBaaS, but they generate their own security risks when delegated to third-party auditors (TPAs).

11.8 Operating system security

◼ A critical function of an OS is to protect applications against a wide range of malicious attacks, e.g., unauthorized access to privileged information, tampering with executable code, and spoofing.
◼ The elements of mandatory OS security:
 Access control → mechanisms to control access to system objects.
 Authentication usage → mechanisms to authenticate a principal.
 Cryptographic usage policies → mechanisms used to protect the data.
◼ Commercial OSs do not support multi-layered security; they only distinguish between a completely privileged security domain and a completely unprivileged one.
◼ Trusted path mechanisms → support user interactions with trusted software. They are critical for system security; if such mechanisms do not exist, malicious software can impersonate trusted software. Some systems provide trusted paths for a few functions, such as login authentication and password changing, and allow servers to authenticate their clients.
Closed-box versus open-box platforms

◼ Closed-box platforms, e.g., cellular phones, game consoles and ATMs, can have embedded cryptographic keys that let them reveal their true identity to remote systems and authenticate the software running on them.
◼ Such facilities are not available on open-box platforms, the traditional hardware for commodity operating systems.
◼ Commodity operating systems offer low assurance. An OS is a complex software system consisting of millions of lines of code, and it is vulnerable to a wide range of malicious attacks.
◼ An OS provides weak mechanisms for applications to authenticate to one another and to create a trusted path between users and applications.
◼ An OS poorly isolates one application from another; once an application is compromised, the entire physical platform and all applications running on it can be affected. The platform security level is reduced to the security level of the most vulnerable application running on the platform.

11.9 Virtual machine security

◼ Hybrid and hosted VMs expose the entire system to the vulnerabilities of the host OS.
◼ In a traditional VM the virtual machine monitor (VMM) controls access to the hardware and provides stricter isolation of VMs from one another than the isolation of processes in a traditional OS.
 A VMM controls the execution of privileged operations and can enforce memory isolation as well as disk and network access.
 VMMs are considerably less complex and better structured than traditional operating systems and are thus in a better position to respond to security attacks.
 A major challenge → a VMM sees only raw data regarding the state of a guest operating system, while security services typically operate at a higher logical level, e.g., at the level of a file rather than a disk block.
◼ A secure TCB (Trusted Computing Base) is a necessary condition for security in a virtual machine environment; if the TCB is compromised then the security of the entire system is affected.

[Figure: two architectures for VM security services. (a) Virtual security services provided by the VMM: guest VMs, each running applications on a guest OS with a frontend of the VM security services, on top of a "Virtual Machine Monitor & Security Services" layer. (b) A dedicated security VM: a Security Services VM with a reduced guest OS runs beside the guest VMs on the VMM.]

Hypervisor-based threats

◼ Starvation of resources and denial of service for some VMs. Probable causes:
 (a) badly configured resource limits for some VMs.
 (b) a rogue VM with the capability to bypass resource limits set in the hypervisor.
◼ VM side-channel attacks: a malicious attack on one or more VMs by a rogue VM under the same hypervisor. Probable causes:
 (a) lack of proper isolation of inter-VM traffic due to misconfiguration of the virtual network residing in the hypervisor.
 (b) limitation of packet inspection devices to handle high-speed traffic, e.g., video traffic.
 (c) presence of VM instances built from insecure VM images, e.g., a VM image having a guest OS without the latest patches.
◼ Buffer overflow attacks.

VM-based threats

◼ Deployment of rogue or insecure VMs. Unauthorized users may create insecure instances from images or may perform unauthorized administrative actions on existing VMs. Probable cause:
 improper configuration of access controls on VM administrative tasks such as instance creation, launching, suspension, re-activation and so on.
◼ Presence of insecure and tampered VM images in the VM image repository.
Probable causes:
 (a) lack of access control to the VM image repository.
 (b) lack of mechanisms to verify the integrity of the images, e.g., digitally signed images.

Security of virtualization

◼ The complete state of an operating system running under a virtual machine is captured by the VM; this state can be saved in a file, and the file can then be copied and shared. Implications:
 Ability to support the IaaS delivery model. In this model a user selects an image matching the local environment used by the application and then uploads and runs the application on the cloud using this image.
 Increased reliability. An operating system with all the applications running under it can be replicated and switched to a hot standby.
 Improved intrusion prevention and detection. A clone can look for known patterns in system activity and detect intrusions. The operator can switch to a hot standby when suspicious events are detected.
 More efficient and flexible software testing. Instead of a very large number of dedicated systems running different OSs, different versions of each OS, and different patches for each version, virtualization allows the multitude of OS instances to share a small number of physical systems.

More advantages of virtualization

◼ Straightforward mechanisms to implement resource management policies:
 To balance the load of a system, a VMM can move an OS and the applications running under it to another server when the load on the current server exceeds a high-water mark.
 To reduce power consumption, the load of lightly loaded servers can be moved to other servers, and the lightly loaded servers can then be turned off or put in standby mode.
◼ When secure logging and intrusion protection are implemented at the VMM layer, the services cannot be disabled or modified from inside a guest.
Intrusion detection can be disabled and logging can be modified by an intruder when they are implemented at the OS level. A VMM may be able to log only the events of interest for a post-attack analysis.

Undesirable effects of virtualization

◼ Diminished ability to manage the systems and track their status.
 The number of physical systems in the inventory of an organization is limited by cost, space, energy consumption, and human support. Creating a virtual machine (VM) ultimately reduces to copying a file, hence the explosion of the number of VMs. The only limit on the number of VMs is the amount of storage space available.
 Qualitative aspect of the explosion of the number of VMs → traditionally, organizations install and maintain the same version of system software. In a virtual environment the number of different operating systems, their versions, and the patch status of each version will be very diverse. Heterogeneity will tax the support team.
 The software lifecycle has serious implications for security. The traditional assumption → the software lifecycle is a straight line, hence patch management is based on monotonic forward progress. The virtual execution model maps to a tree structure rather than a line; indeed, at any point in time multiple instances of a VM can be created and then each one of them can be updated, different patches installed, and so on.

Implications of virtualization on security

◼ Infection may last indefinitely → some of the infected VMs may be dormant at the time when the measures to clean up the systems are taken and then, at a later time, wake up and infect other systems; the scenario can repeat itself.
◼ In a traditional computing environment a steady state can be reached. In this steady state all systems are brought up to a desirable state.
This desirable state is reached by installing the latest version of the system software and then applying the latest patches to all systems. Due to the lack of control, a virtual environment may never reach such a steady state.
◼ A side effect of the ability to record the complete state of a VM in a file is the possibility to roll back a VM. This enables a new type of vulnerability: after a rollback the VM repeats events that an attacker has already observed and recorded.
◼ Virtualization undermines the basic principle that time-sensitive data stored on any system should be reduced to a minimum.

11.11 Security risks posed by shared images

◼ Image sharing is critical for the IaaS cloud delivery model. For example, a user of AWS has the option to choose between:
 Amazon Machine Images (AMIs) accessible through the Quick Start menu.
 the Community AMIs menu of the EC2 service.
◼ Many of the images analyzed by a recent report allowed a user to undelete files and recover credentials, private keys, or other types of sensitive information with little effort and using standard tools.
◼ A software vulnerability audit revealed that 98% of the Windows AMIs and 58% of the Linux AMIs audited had critical vulnerabilities.
◼ Security risks:
 Backdoors and leftover credentials.
 Unsolicited connections.
 Malware.

11.12 Security risks posed by a management OS

◼ A virtual machine monitor, or hypervisor, is considerably smaller than an operating system, e.g., the Xen VMM has ~60,000 lines of code.
◼ The Trusted Computing Base (TCB) of a cloud computing environment includes not only the hypervisor but also the management OS.
◼ The management OS supports administrative tools, live migration, device drivers, and device emulators.
◼ In Xen the management operating system runs in Dom0; it manages the building of all user domains, a process consisting of several steps:
 Allocate memory in the Dom0 address space and load the kernel of the guest operating system from secondary storage.
 Allocate memory for the new VM and use foreign mapping to load the kernel into the new VM.
 Set up the initial page tables for the new VM.
 Release the foreign mapping on the new VM memory, set up the virtual CPU registers and launch the new VM.

[Figure: the Xen trusted computing base. The management OS in Domain0 (administrative tools, live migration, device drivers, device emulation) and guest OSs with their applications in DomU domains run on Xen (Domain0 control interface, virtual x86 CPU, virtual physical memory, virtual network, virtual block devices) over the x86 hardware.] The trusted computing base of a Xen-based environment includes the hardware, Xen, and the management operating system running in Dom0. The management OS supports administrative tools, live migration, device drivers, and device emulators. A guest operating system and the applications running under it reside in a DomU.

Possible actions of a malicious Dom0

◼ At the time a DomU is created:
 Refuse to carry out the steps necessary to start the new VM.
 Modify the kernel of the guest OS to allow a third party to monitor and control the execution of applications running under the new VM.
 Undermine the integrity of the new VM by setting up wrong page tables and/or wrong virtual CPU registers.
 Refuse to release the foreign mapping and access the memory while the new VM is running.
◼ At run time:
 Dom0 exposes a set of abstract devices to the guest operating systems using split drivers, with the frontend in a DomU and the backend in Dom0. We have to ensure that run-time communication through Dom0 is encrypted.
Transport Layer Security (TLS) does not guarantee that Dom0 cannot extract cryptographic keys from the memory of the OS and applications running in a DomU.

A major weakness of Xen

◼ The entire state of the system is maintained by XenStore.
◼ A malicious VM can deny other VMs access to XenStore; it can also gain access to the memory of a DomU.

How to deal with the run-time vulnerability of Dom0

◼ To implement a secure run-time system, we have to intercept and control the hypercalls used for communication between a Dom0 that cannot be trusted and a DomU we want to protect.
◼ New hypercalls are necessary to protect:
 The privacy and integrity of the virtual CPU of a VM. When Dom0 wants to save the state of the VM, the hypercall should be intercepted and the contents of the virtual CPU registers should be encrypted. When the DomU is restored, the virtual CPU context should be decrypted and then an integrity check should be carried out.
 The privacy and integrity of the VM virtual memory. The page table update hypercall should be intercepted and the page should be encrypted so that Dom0 handles only encrypted pages of the VM. To guarantee integrity, the hypervisor should calculate a hash of all the memory pages before they are saved by Dom0. An address translation is necessary, as a restored DomU may be allocated a different memory region.
 The freshness of the virtual CPU and the memory of the VM. The solution is to add a version number to the hash, so that an older, rolled-back snapshot fails the integrity check.

11.13 Breaking the monolithic design of the TCB

◼ Xoar → a version of Xen designed based on micro-kernel design principles.
◼ Design goals:
 Maintain Xen functionality.
 Ensure transparency with existing management and VM interfaces.
 Tight control of privileges; each component should only have the privileges required by its function.
 Minimize the interfaces of all components to reduce the possibility that a component can be used by an attacker.
 Eliminate sharing. Make sharing explicit whenever it cannot be eliminated, to allow meaningful logging and auditing.
 Reduce the opportunity of an attack targeting a system component by limiting the time window when the component runs.
◼ The security model of Xoar assumes that threats come from:
 A guest VM attempting to violate the data integrity or confidentiality of another guest VM on the same platform, or to exploit the code of the guest.
 Bugs in the initialization code of the management virtual machine.

Xoar system components

◼ Permanent components → XenStore-State maintains all information regarding the state of the system.
◼ Components used to boot the system; they self-destruct before any user VM is started. They discover the hardware configuration of the server, including the PCI drivers, and then boot the system:
 PCIBack - virtualizes access to PCI bus configuration.
 Bootstrapper - coordinates booting of the system.
◼ Components restarted on each request:
 XenStore-Logic.
 Toolstack - handles VM management requests, e.g., it requests the Builder to create a new guest VM in response to a user request.
 Builder - initiates user VMs.
◼ Components restarted on a timer; the two components export the physical storage device drivers and the physical network driver to a guest VM:
 Blk-Back - exports physical storage device drivers using udev rules.
 NetBack - exports the physical network driver.

[Figure: Xoar components grouped by type. Self-destructing: PCIBack, Bootstrapper. Permanent: XenStore-State. Restarted on timer: BlkBack, NetBack. Restarted on each request: XenStore-Logic, Toolstack, Builder. QEMU serves the Guest VM.] Xoar has nine classes of components of four types: permanent, self-destructing, restarted upon request, and restarted on timer.
A guest VM is started by the Builder at the request of the Toolstack; it is controlled by XenStore-Logic. The devices used by the guest VM are emulated by the QEMU component, which is responsible for device emulation.

[Figure: component sharing between guest VMs in Xoar. Virtual Machine A with BlkBack A, NetBack A and Toolstack A; Virtual Machine B with BlkBack B, NetBack B and Toolstack B; Qemu, Builder, XenStore-Logic and XenStore-State (XenStore) over Xen.] Component sharing between guest VMs in Xoar. Two VMs share only the XenStore components. Each one has a private version of BlkBack, NetBack and Toolstack.

11.14 Terra - a trusted virtual machine monitor

◼ Novel ideas for a trusted virtual machine monitor (TVMM):
 It should support not only traditional operating systems, by exporting the hardware abstraction for open-box platforms, but also the abstractions for closed-box platforms (which do not allow the contents of the system to be either manipulated or inspected by the platform owner).
 An application should be allowed to build its software stack based on its needs. Applications requiring a very high level of security should run under a very thin OS supporting only the functionality required by the application and the ability to boot. At the other end of the spectrum are applications demanding low assurance but a rich set of OS features; such applications need a commodity operating system.
 Provide trusted paths from a user to an application. Such a path allows a human user to determine with certainty the identity of the VM it is interacting with, and allows the VM to verify the identity of the human user.
 Deny the platform administrator root access.
 Support attestation, the ability of an application running in a closed box to gain trust from a remote party by cryptographically identifying itself.
