220 likes | 347 Views
Verifiable Resource Accounting for Cloud Computing Services. Vyas Sekar, Petros Maniatis ISTC for Secure Computing . State of cloud computing today .
E N D
Verifiable Resource Accountingfor Cloud Computing Services Vyas Sekar, Petros Maniatis ISTC for Secure Computing
State of cloud computing today .. As it turns out, Microsoft's doesn't disclose revenues related to its cloud services. And on that matter, it's not alone. Neither do Amazon, Google, or IBM. It's that dreaded time of the month again, the time of the month that we, the 400,000+ Amazon Web Service consumers await with great anticipation / horror. What I'm talking about is the Amazon Web Services Billing Statement sent at beginning of each month. Need stronger, verifiable resource accounting!
Divided opinions on “better accounting” vs. Non-problem Technically “easy” Market forces will solve this! “Obviously” critical problem But, we don’t know how!! Little systematic research on this topic!
Goal of this work • Stimulate active discussion • Our own position: “obviously critical” • Sketch a technical framework for how
Outline • Motivation • Problem definition • Did-I verifiability • Should-I verifiability • Discussion • Ongoing work
Problem Setup Verifier T,R,W,A Task (T) Provider Report (R) Trusted Layer Customer Witness (W) Attribution Model (A) e.g., SLA-like contract
What does verifiability mean? Task,Report,Witness,Attribution (T,R,W,A) Verifier Customer • Did I use the resources billed? • T did physically consume X cycles, Y GB RAM, Z MB bandwidth • Is P double counting or overcharging? 2. Should I have used these resources? e.g., Was it because of poor scheduling by P? Did T consume more due to “contention” with T’ on same CPU?
Outline • Motivation • Problem definition • Did-I verifiability • Should-I verifiability • Discussion • Ongoing work
Did-I Verifiability Provider P C1 R2 R1 T2 T1 C2 • T1, T2 did physically consume X1, X2 cycles • i.e., P is not “double counting” or overcharging
A Clean-slate Solution Task1 Task2 No spurious reports Visibility into low-level Resource 1 Resource 2 “Trusted” Hardware-root-of-trust “Witness”
Challenges with Clean Slate Performance slowdown Task1 Task2 Bandwidth overhead Resource 1 Resource 2 Doesn’t exist yet!
Practical Approximations • Bandwidth overhead Aggregation • Performance slowdown • Sampling or snapshots • Relaxing hardware dependence • Small instruction stream recorder (not online) • Shim layer for monitoring
Outline • Motivation • Problem definition • Did-I verifiability • Should-I verifiability • Discussion • Ongoing work
Should-I Verifiability Provider P R’ R T Consumer T Ideal Provider P’ • Is R very different from R’ in ideal case? • e.g., is P scheduling/allocating as it promised? • e.g., is R high because of contention?
Clean-slate Should-I Verifier Customer Provider Log of Requests, interrupts Requests Decisions Allocator Allocator Log of Decisions Decisions Interrupts e.g., this is the VMM or cluster scheduler implementing “weighted fair queuing” “Witness”
Challenges with Clean-Slate Leak proprietary logic Verifier Customer Provider Log of Requests, interrupts Requests Decisions Allocator Allocator Log of Decisions Decisions Interrupts Log overhead e.g., locate verifier or agent close to P
Balancing privacy vs accountability Verifier Customer Provider Requests Log of Requests, interrupts Hidden Private Policy Allocator Template Decisions Allocator Template Log of Decisions Decisions Interrupts e.g., Is the provider running a “fair queueing” scheduler? But “weights” are private policy
Alternative “Quantitative” Should-I Leak proprietary logic Verifier Customer Provider Log of Requests, interrupts Requests Decisions Allocator Allocator Allocator Log of Decisions Decisions Task Interrupts Report Very different from SLA verification Not promising lower bound on “resources” Rather computing upper bound on “consumption”
Outline • Motivation • Problem definition • Did-I verifiability • Should-I verifiability • Discussion • Ongoing work
Discussion • Provider incentives • More adoption to avoid underutilization • Less conservative in accounting • Prevent customers from gaming the system • Why markets may not suffice? • Infrastructure few players • Cost of migrating is non-trivial • Relaxing provider assistance • Resource prediction or collaborative inference
Summary • Honeymoon phase for cloud is over Need stronger verifiable accounting • Benefits to consumers & providers • Side benefit: may encourage better practices • Sketch a framework, potential solutions • Did-Iand Should-Iverifiability • Working toward a practical realization