1 / 21

Virtual Switching Without a Hypervisor for a More Secure Cloud

Virtual Switching Without a Hypervisor for a More Secure Cloud. Xin Jin Princeton University Joint work with Eric Keller( UPenn ) and Jennifer Rexford(Princeton). Public Cloud Infrastructure. Cloud providers offer computing resources on demand to multiple “tenants” Benefits:

kobe
Download Presentation

Virtual Switching Without a Hypervisor for a More Secure Cloud

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

  2. Public Cloud Infrastructure • Cloud providers offer computing resources on demand to multiple “tenants” • Benefits: • Public (any one can use) • Economies of scale (lower cost) • Flexibility (pay-as-you-go)

  3. Server Virtualization • Multiple VMs run on the same server • Benefits • Efficient use of server resources • Backward compatibility • Examples • Xen • KVM • VMware VM VM VM Hypervisor Hardware

  4. Network Virtualization • Software switches • Run in the hypervisor or the control VM (Dom0) • Benefits: Flexible control at the “edge” • Access control • Resource and name space isolation • Efficient communication between co-located VMs • Examples • Open vSwitch • VMware’s vSwitch • Cisco’s Nexus 1000v Switch VM VM Software Switch Hypervisor Hardware

  5. Security: a major impediment for moving to the cloud! Let’s take a look at where the vulnerabilities are…

  6. Vulnerabilities in Server Virtualization • The hypervisor is quite complex • Large amount of code ―> Bugs (NIST’s National Vulnerability Database) Guest VM 2 Guest VM 3 Guest VM 1 Hypervisor Hardware

  7. Vulnerabilities in Server Virtualization • The hypervisor is an attack surface (bugs, vulnerable) ―> Malicious customers attack the hypervisor Guest VM 2 Guest VM 3 Guest VM 1 Hypervisor Hardware

  8. Guest VM 1 Dom0 Guest VM 2 Software Switch Hypervisor Hardware Physical NIC Vulnerabilities in Network Virtualization • Software switch in control VM (Dom0) • Hypervisor is involved in communication Virtual Interface Virtual Interface

  9. Guest VM 1 Dom0 Guest VM 2 Software Switch Hypervisor Hardware Physical NIC Vulnerabilities in Network Virtualization • Software switch is coupled with the control VM ―> e.g., software switch crash can lead to a complete system crash Virtual Interface Virtual Interface

  10. Dom0 Guest VM 2 Guest VM 1 Hypervisor Hardware Dom0 Disaggregation [e.g., SOSP’11] Service VM Service VM Service VM Service VM • Disaggregate control VM (Dom0) into smaller, single-purpose and independent components • Malicious customer can still attack hypervisor!

  11. Guest VM 1 Guest VM 2 NoHype[ISCA’10, CCS’11] • Pre-allocating memory and cores • Using hardware virtualized I/O devices • Hypervisor is only used to boot up and shut down guest VMs. • Eliminate the hypervisor attack surface • What if I want to use a software switch? Dom0 Emulate, Manage Physical Device Driver Physical Device Driver Hypervisor Hardware Virtualized Physical NIC

  12. Software Switching in NoHype • Bouncing packets through the physical NIC • Consumes excessive bandwidth on PCI bus and the physical NIC! Dom0 Emulate, Manage Guest VM 1 Guest VM 2 Guest VM 3 Physical Device Driver Physical Device Driver Software Switch Hypervisor Hardware Virtualized Physical NIC

  13. Guest VM 2 DomS Guest VM 1 Software Switch Virtual Interface Virtual Interface Hardware Physical NIC Our Solution Overview Dom0 Emulate, Manage • Eliminate the hypervisor attack surface • Enable software switching in an efficient way Hypervisor

  14. Eliminate the Hypervisor-Guest Interaction Guest VM 1 • Shared memory • Two FIFO buffers for communication • Polling only • Do not use event channel; no hypervisor involvement Polling Dom0 Software Switch FIFO Virtual Interface FIFO Hypervisor

  15. Limit Damage From a Compromised Switch Guest VM 1 Guest VM 1 Guest VM 1 • Decouple software switch from Dom0 • Introduce a Switch Domain (DomS) • Decouple software switch from the hypervisor • Eliminate the hypervisor attack surface Dom0 Polling DomS DomS Polling Polling Software Switch Software Switch Software Switch FIFO Virtual Interface Virtual Interface Virtual Interface FIFO FIFO FIFO FIFO FIFO Hypervisor Hypervisor Dom0 Dom0 Hypervisor

  16. Dom0 Guest VM 1 Software Switch Hypervisor Preliminary Prototype Guest VM 1 Dom0 • Prototype based on • Xen 4.1: used to boot up/shut down VMs • Linux 3.1: kernel module to implement polling/FIFO • Open vSwitch 1.3 DomS Polling Software Switch Virtual Interface FIFO Virtual Interface Hypervisor FIFO Hardware Hardware Native Xen Our Solution

  17. Dom0 Guest VM 1 Software Switch Hypervisor Preliminary Evaluation Guest VM 1 Dom0 • Evaluate the throughput between DomS and a guest VM, compared with native Xen • Traffic measurement: Netperf • Configuration: each VM has 1 core and 1GB of RAM DomS Polling Software Switch Virtual Interface FIFO Virtual Interface Hypervisor FIFO Hardware Hardware Native Xen Our Solution

  18. Evaluation on Throughput • FIFO Size • Polling period is fixed to 1ms • Reach high throughput with just 256 FIFO pages (Only 1MB) • Polling Period • Shorter polling period, higher throughput • CPU resource consumption? ―> Future work

  19. Comparison with Native Xen • Outperforms native Xen when message size is smaller than 8 KB. • Future work: incorporate more optimization

  20. Conclusion and Future Work • Trend towards software switching in the cloud • Security in hypervisor and Dom0 is a big concern • Improve security by enabling software switching without hypervisor involvement • Future work • Detection and remediation of DomS compromise

  21. Thanks!Q&A

More Related