CloudVisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization

SOSP'11 - Proceedings of the 23rd ACM Symposium on Operating Systems Principles

Volumn , Issue , 2011, Pages 203-216

  Zhang, Fengzhe ^a   Chen, Jin ^a   Chen, Haibo ^a   Zang, Binyu ^a  

^a FUDAN UNIVERSITY   (China)

Author keywords

multi tenant cloud; nested virtualization; virtual machine security

Indexed keywords

COMPLEX TASK; HARDWARE SUPPORTS; MULTI TENANTS; OTHER APPLICATIONS; PERFORMANCE EVALUATION; PROTOTYPE SYSTEM; RESOURCE MANAGEMENT; SECURITY PROTECTION; SOFTWARE STACKS; VIRTUAL MACHINE MONITORS; VIRTUAL MACHINES; VIRTUALIZATION LAYERS; VIRTUALIZATION SOFTWARE; VIRTUALIZATIONS;

COMPUTER OPERATING SYSTEMS; RETROFITTING;

VIRTUAL REALITY;

EID: 82655179240     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2043556.2043576     Document Type: Conference Paper

References (72)

1. Bitlocker drive encryption technical overview. http://technet.microsoft. com/en-us/library/cc766200%28WS.10%29.aspx.
2. Common vulnerabilities and exposures. http://cve.mitre.org/.
3. Filevault in mac osx. http://www.apple.com/macosx/whatsnew/ features.html#filevault2.
4. Intel advanced encryption standard instructions (aes-ni). http://software.intel.com/en-us/ articles/intel-advanced-encryptionstandard- instructions-aes-ni/, 2010.
5. D. Abramson, J. Jackson, S. Muthrasanallur, G. Neiger, G. Regnier, R. Sankaran, I. Schoinas, R. Uhlig, B. Vembu, and J. Wiegert. Intel virtualization technology for directed I/O. Intel technology journal, 10(3):179-192, 2006.
6. Amazon Inc. Amazon Elastic Compute Cloud (Amazon EC2). http://aws.amazon.com/ec2/, 2011.
7. Amazon Inc. Amazon machine image. http://aws.amazon.com/amis, 2011.
8. Amazon Inc. Amazon web service customer agreement. http://aws.amazon.com/ agreement/, 2011.
9. AMD Inc. Secure virtual machine architecture reference manual, 2005.
10. Apache. ab - apache http server benchmarking tool. http://httpd.apache. org/docs/2.0/ programs/ab.html, 2011.
11. A. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. Skalsky. HyperSentry: enabling stealthy in-context measurement of hypervisor integrity. In Proc. CCS, pages 38-49, 2010.
12. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In Proc. SOSP. ACM, 2003.
13. M. Ben-Yehuda, M. D. Day, Z. Dubitzky, M. Factor, N. Har'El, A. Gordon, A. Liguori, O. Wasserman, and B.-A. Yassour. The turtles project: Design and implementation of nested virtualization. In Proc. OSDI, 2010.
14. H. Chen, J. Chen, W. Mao, and F. Yan. Daonity-grid security from two levels of virtualization. Information Security Technical Report, 12(3):123-138, 2007. (Pubitemid 47600054)
15. H. Chen, F. Zhang, C. Chen, Z. Yang, R. Chen, B. Zang, P. Yew, and W. Mao. Tamper-resistant execution in an untrusted operating system using a virtual machine monitor. Parallel Processing Institute Technical Report, Number: FDUPPITR-2007-0801, Fudan University, 2007.
16. P. Chen and B. Noble. When virtual is better than real. In Proc. HotOS, 2001.
17. X. Chen, T. Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin, and D. Ports. Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In Proc. ASPLOS, pages 2-13. ACM, 2008.
18. Y. Dong, Z. Yu, and G. Rose. SR-IOV networking in Xen: Architecture, design and implementation. In Proc. Workshop on I/O virtualization. USENIX, 2008.
19. B. Fitzpatrick. Distributed caching with memcached. Linux journal, 2004.
20. Flexiant Inc. Flexiscale public cloud. http://www. flexiant.com/products/ flexiscale/.
21. T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. ACM SIGOPS Operating Systems Review, 37(5):206, 2003.
22. T. Garfinkel and M. Rosenblum. When virtual is harder than real: Security challenges in virtual machine based computing environments. In Proc. HotOS, 2005.
23. R. Goldberg. Architecture of virtual machines. In Proceedings of the workshop on virtual computer systems, pages 74-112, 1973.
24. R. Goldberg. Survey of virtual machine research. IEEE Computer, 7(6):34-45, 1974.
25. D. Gupta, S. Lee, M. Vrable, S. Savage, A. C. Snoeren, G. Varghese, G. M. Voelker, and A. Vahdat. Difference engine: harnessing memory redundancy in virtual machines. In Proc. OSDI, pages 309-322, 2008.
26. J. Heiser and M. Nicolett. Assessing the security risks of cloud computing. http://www.gartner.com/DisplayDocument?id=685308, 2008.
27. Intel Inc. Intel trusted execution technology. www.intel.com/technology/ security/, 2010.
28. R. Jhala and R. Majumdar. Software model checking. ACM Computing Surveys (CSUR), 41(4):1-54, 2009.
29. X. Jiang and X. Wang. Out-of-the-box monitoring of VM-based high-interaction honeypots. In Proc. RAID, pages 198-218, 2007.
30. X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Proc. CCS, pages 128-138. ACM, 2007.
31. E. Keller, J. Szefer, J. Rexford, and R. Lee. NoHype: virtualized cloud infrastructure without the virtualization. In Proc. ISCA, pages 350-361, 2010.
32. S. King, P. Chen, Y. Wang, C. Verbowski, H. Wang, and J. Lorch. SubVirt: Implementing malware with virtual machines. In Proc. S&P (Oakland), 2006.
33. A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori. kvm: the linux virtual machine monitor. In Linux Symposium, 2007.
34. G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, et al. seL4: Formal verification of an OS kernel. In Proc. SOSP, pages 207-220, 2009.
35. M. Krohn, P. Efstathopoulos, C. Frey, F. Kaashoek, E. Kohler, D. Mazieres, R. Morris, M. Osborne, S. VanDeBogart, and D. Ziegler. Make least privilege a right (not a privilege). In Proc. HotOS, 2005.
36. D. Lie, C. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. Mitchell, and M. Horowitz. Architectural support for copy and tamper resistant software. In Proc. ASPLOS, pages 168-177, 2000.
37. D. Lie, C. A. Thekkath, and M. Horowitz. Implementing an untrusted operating system on trusted hardware. In Proc. SOSP, pages 178-192, 2003.
38. J. McCune, B. Parno, A. Perrig, M. Reiter, and H. Isozaki. Flicker: An execution infrastructure for TCB minimization. In Proc. Eurosys, pages 315-328, 2008.
39. J. McCune, B. Parno, A. Perrig, M. Reiter, and A. Seshadri. Minimal TCB code execution. In Proc. S&P (Oakland), pages 267-272, 2007.
40. J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB Reduction and Attestation. In Proc. S&P (Oakland), 2010.
41. L. McVoy and C. Staelin. lmbench: Portable tools for performance analysis. In Proc. Usenix ATC, 1996.
42. R. Merkle. Protocols for public key cryptosystems. In Proc. S&P (Oakland), 1980.
43. G. Miłós, D. G. Murray, S. Hand, and M. A. Fetterman. Satori: enlightened page sharing. In Proc. Usenix ATC, 2009.
44. D. Murray, G. Milos, and S. Hand. Improving Xen security through disaggregation. In Proc. VEE, pages 151-160, 2008.
45. G. Neiger, A. Santoni, F. Leung, D. Rodgers, and R. Uhlig. Intel virtualization technology: Hardware support for efficient processor virtualization. Intel Technology Journal, 10(3):167-177, 2006.
46. D. Nurmi, R. Wolski, C. Grzegorczyk, G. Obertelli, S. Soman, L. Youseff, and D. Zagorodnov. The eucalyptus open-source cloud-computing system. In Proc. CCGRID, pages 124-131, 2009.
47. M. Peinado, Y. Chen, P. England, and J. Manferdelli. NGSCB: A trusted open system. In Information Security and Privacy, pages 86-97, 2004.
48. R. Riley, X. Jiang, and D. Xu. Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In Proc. RAID, pages 1-20, 2008.
49. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In Proc. CCS, pages 199-212. ACM, 2009.
50. J. Rutkowska. Introducing Blue Pill. The official blog of the invisiblethings. org. June, 22, 2006.
51. J. Rutkowska and A. Tereshkin. Bluepilling the Xen Hypervisor. Black Hat USA, 2008.
52. R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of a tcg-based integrity measurement architecture. In Proc. USENIX Security, 2004.
53. A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In Proc. SOSP, 2007.
54. A. Seshadri, M. Luk, E. Shi, A. Perrig, L. Van Doorn, and P. Khosla. Pioneer: Verifying integrity and guaranteeing execution of code on legacy platforms. In Proc. SOSP, pages 1-16, 2005.
55. A. Seshadri, A. Perrig, L. Van Doorn, and P. Khosla. SWATT: Software-based attestation for embedded devices. In Proc. S&P (Oakland), pages 272-282, 2004.
56. J. Shi, X. Song, H. Chen, and B. Zang. Limiting cache-based side-channel in multi-tenant cloud using dynamic page. In Proc. HotDep, 2011.
57. T. Shinagawa, H. Eiraku, K. Tanimoto, K. Omote, S. Hasegawa, T. Horie, M. Hirano, K. Kourai, Y. Oyama, E. Kawai, et al. BitVisor: a thin hypervisor for enforcing i/o device security. In Proc. VEE, pages 121-130. ACM, 2009.
58. L. Singaravelu, C. Pu, H. H "artig, and C. Helmuth. Reducing TCB complexity for security-sensitive applications: Three case studies. In Proc. Eurosys, 2006.
59. SPEC. Specjbb 2005. http://www.spec.org/jbb2005/, 2005.
60. U. Steinberg and B. Kauer. NOVA: A microhypervisor-based secure virtualization architecture. In Proc. Eurosys, pages 209-222. ACM, 2010.
61. G. Suh, D. Clarke, B. Gassend, M. Van Dijk, and S. Devadas. AEGIS: architecture for tamper-evident and tamper-resistant processing. In Proc. Supercomputing, 2003.
62. T. R. Team. Rackspace cloud. http://www.rackspacecloud.com/.
63. TechSpot News. Google fired employees for breaching user privacy. http://www.techspot.com/news/40280-google-fired-employees-for-breachinguser- privacy.html, 2010.
64. The Nimbus Team. Nimbus project. http://www.nimbusproject.org/.
65. A. Tridgell. Dbench filesystem benchmark. http://samba.org/ftp/tridge/ dbench/.
66. Trusted Computing Group. Trusted platform module. http://www. trustedcomputinggroup.org/, 2010.
67. C. A. Waldspurger. Memory resource management in vmware esx server. In Proc. OSDI, pages 181-194, 2002.
68. Z. Wang and X. Jiang. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Proc. S&P (Oakland), pages 380-395, 2010.
69. Z. Wang, X. Jiang, W. Cui, and P. Ning. Countering kernel rootkits with lightweight hook protection. In Proc. CCS, pages 545-554. ACM, 2009.
70. C. Weinhold and H. Härtig. jVPFS: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components. In Proc. Usenix ATC, 2011.
71. J. Yang and K. G. Shin. Using hypervisor to provide data secrecy for user applications on a per-page basis. In Proc. VEE, pages 71-80, 2008.
72. N. Zeldovich, H. Kannan, M. Dalton, and C. Kozyrakis. Hardware enforcement of application security policies using tagged memory. In Proc. OSDI, pages 225-240, 2008.