Results 1 - 10 of 56
CloudVisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization
- In Proc. of ACM SOSP, Cascais, Portugal, 2011
Cited by 77 (2 self)
Multi-tenant cloud, which usually leases resources in the form of virtual machines, has been commercially available for years. Unfortunately, with the adoption of commodity virtualized infrastructures, software stacks in typical multi-tenant clouds are non-trivially large and complex, and thus are prone to compromise or abuse from adversaries including the cloud operators, which may lead to leakage of security-sensitive data. In this paper, we propose a transparent, backward-compatible approach that protects the privacy and integrity of customers' virtual machines on commodity virtualized infrastructures, even facing a total compromise of the virtual machine monitor (VMM) and the management VM. The key of our approach is the separation of the resource management from security protection in the virtualization layer. A tiny security monitor is introduced underneath the commodity VMM using nested virtualization and provides protection to the hosted VMs. As a result, our approach allows virtualization software (e.g., VMM, management VM and tools) to handle complex tasks of managing leased VMs for the cloud, without breaking security of users' data inside the VMs. We have implemented a prototype by leveraging commercially-available hardware support for virtualization. The prototype system, called CloudVisor, comprises only 5.5K LOCs and supports the Xen VMM with multiple Linux and Windows as the guest OSes. Performance evaluation shows that CloudVisor incurs moderate slowdown for I/O intensive applications and very small slowdown for other applications.
Dune: Safe User-level Access to Privileged CPU Features
Cited by 40 (4 self)
Dune is a system that provides applications with direct but safe access to hardware features such as ring protection, page tables, and tagged TLBs, while preserving the existing OS interfaces for processes. Dune uses the virtualization hardware in modern processors to provide a process, rather than a machine abstraction. It consists of a small kernel module that initializes virtualization hardware and mediates interactions with the kernel, and a user-level library that helps applications manage privileged hardware features. We present the implementation of Dune for 64-bit x86 Linux. We use Dune to implement three user-level applications that can benefit from access to privileged hardware: a sandbox for untrusted code, a privilege separation facility, and a garbage collector. The use of Dune greatly simplifies the implementation of these applications and provides significant performance advantages.
baremetal performance for I/O virtualization
- In ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2012
Cited by 38 (7 self)
Direct device assignment enhances the performance of guest virtual machines by allowing them to communicate with I/O devices without host involvement. But even with device assignment, guests are still unable to approach bare-metal performance, because the host intercepts all interrupts, including those interrupts generated by assigned devices to signal to guests the completion of their I/O requests. The host involvement induces multiple unwarranted guest/host context switches, which significantly hamper the performance of I/O intensive workloads. To solve this problem, we present ELI (Exit-Less Interrupts), a software-only approach for handling interrupts within guest virtual machines directly and securely. By removing the host from the interrupt handling path, ELI manages to improve the throughput and latency of unmodified, untrusted guests by 1.3x–1.6x, allowing them to reach 97%–100% of bare-metal performance even for the most demanding I/O-intensive workloads.
The XenBlanket: Virtualize Once, Run Everywhere
- In EuroSys, 2012
Cited by 26 (2 self)
Current Infrastructure as a Service (IaaS) clouds operate in isolation from each other. Slight variations in the virtual machine (VM) abstractions or underlying hypervisor services prevent unified access and control across clouds. While standardization efforts aim to address these issues, they will take years to be agreed upon and adopted, if ever. Instead of standardization, which is by definition provider-centric, we advocate a user-centric approach that gives users an unprecedented level of control over the virtualization layer. We introduce the Xen-Blanket, a thin, immediately deployable virtualization layer that can homogenize today's diverse cloud infrastructures. We have deployed the Xen-Blanket across Amazon's EC2, an enterprise cloud, and a private setup at Cornell University. We show that a user-centric approach to homogenize clouds can achieve similar performance to a paravirtualized environment while enabling previously impossible tasks like cross-provider live migration. The Xen-Blanket also allows users to exploit resource management opportunities like oversubscription, and ultimately can reduce costs for users.
De-indirection for flash-based ssds with nameless writes
- In FAST, 2012
Cited by 16 (4 self)
We present Nameless Writes, a new device interface that removes the need for indirection in modern solid-state storage devices (SSDs). Nameless writes allow the device to choose the location of a write; only then is the client informed of the name (i.e., address) where the block now resides. Doing so allows the device to control block allocation decisions, thus enabling it to execute critical tasks such as garbage collection and wear leveling, while removing the need for large and costly indirection tables. We demonstrate the effectiveness of nameless writes by porting the Linux ext3 file system to use an emulated nameless-writing device and show that doing so both reduces space and time overheads, thus making for simpler, less costly, and higher-performance SSD-based storage.
Isolating Commodity Hosted Hypervisors with HyperLock
- In Proceedings of the 7th ACM SIGOPS/EuroSys European Conference on Computer Systems, 2012
Cited by 13 (2 self)
Hosted hypervisors (e.g., KVM) are being widely deployed. One key reason is that they can effectively take advantage of the mature features and broad user bases of commodity operating systems. However, they are not immune to exploitable software bugs. Particularly, due to the close integration with the host and the unique presence underneath guest virtual machines, a hosted hypervisor – if compromised – can also jeopardize the host system and completely take over all guests in the same physical machine. In this paper, we present HyperLock, a systematic approach to strictly isolate privileged, but potentially vulnerable, hosted hypervisors from compromising the host OSs. Specifically, we provide a secure hypervisor isolation runtime with its own separated address space and a restricted instruction set for safe execution. In addition, we propose another technique, i.e., hypervisor shadowing, to efficiently create a separate shadow hypervisor and pair it with each guest so that a compromised hypervisor can affect only the paired guest, not others. We have built a proof-of-concept HyperLock prototype to confine the popular KVM hypervisor on Linux. Our results show that HyperLock has a much smaller (12%) trusted computing base (TCB) than the original KVM. Moreover, our system completely removes QEMU, the companion user program of KVM (with >531K SLOC), from the TCB. The security experiments and performance measurements also demonstrated the practicality and effectiveness of our approach.
Software Techniques for Avoiding Hardware Virtualization Exits
- In Proc. of the 2012 USENIX conference on USENIX Annual Technical Conference
Cited by 12 (0 self)
On modern processors, hardware-assisted virtualization outperforms binary translation for most workloads. But hardware virtualization has a potential problem: virtualization exits are expensive. While hardware virtualization executes guest instructions at native speed, guest/VMM transitions can sap performance. Hardware designers attacked this problem both by reducing guest/VMM transition costs and by adding architectural extensions such as nested paging support to avoid exits. This paper proposes complementary software techniques for reducing the exit frequency. In the simplest form, our VMM inspects guest code dynamically to detect back-to-back pairs of instructions that both exit. By handling a pair of instructions when the first one exits, we save 50% of the transition costs. Then, we generalize from pairs to clusters of instructions that may include loops and other control flow. We use a binary translator to generate, and cache, custom translations for handling exits. The analysis cost is paid once, when the translation is generated, but amortized over all future executions. Our techniques have been fully implemented and validated in recent versions of VMware products. We show that clusters consistently reduce the number of exits for all examined workloads. When execution is dominated by exit costs, this translates into measurable runtime improvements. Most importantly, clusters enable substantial gains for nested virtual machines, delivering speedups as high as 1.52x. Intuitively, this result stems from the fact that transitions between the inner guest and VMM are extremely costly, as they are implemented in software by the outer VMM.
Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework
Cited by 12 (3 self)
We present the design, implementation, and verification of XMHF – an eXtensible and Modular Hypervisor Framework. XMHF is designed to achieve three goals – modular extensibility, automated verification, and high performance. XMHF includes a core that provides functionality common to many hypervisor-based security architectures and supports extensions that augment the core with additional security or functional properties while preserving the fundamental hypervisor security property of memory integrity (i.e., ensuring that the hypervisor's memory is not modified by software running at a lower privilege level). We verify the memory integrity of the XMHF core – 6018 lines of code – using a combination of automated and manual techniques. The model checker CBMC automatically verifies 5208 lines of C code in about 80 seconds using less than 2GB of RAM. We manually audit the remaining 422 lines of C code and 388 lines of assembly language code that are stable and unlikely to change as development proceeds. Our experiments indicate that XMHF's performance is comparable to popular high-performance general-purpose hypervisors for the single guest that it supports.
Detecting failures in distributed systems with the FALCON spy network
Cited by 12 (2 self)
A common way for a distributed system to tolerate crashes is to explicitly detect them and then recover from them. Interestingly, detection can take much longer than recovery, as a result of many advances in recovery techniques, making failure detection the dominant factor in these systems' unavailability when a crash occurs. This paper presents the design, implementation, and evaluation of Falcon, a failure detector with several features. First, Falcon's common-case detection time is sub-second, which keeps unavailability low. Second, Falcon is reliable: it never reports a process as down when it is actually up. Third, Falcon sometimes kills to achieve reliable detection but aims to kill the smallest needed component. Falcon achieves these features by coordinating a network of spies, each monitoring a layer of the system. Falcon's main cost is a small amount of platform-specific logic. Falcon is thus the first failure detector that is fast, reliable, and viable. As such, it could change the way that a class of distributed systems is built.
Towards verifiable resource accounting for outsourced computation
- In Proc. of ACM VEE, 2013
Cited by 11 (3 self)
Outsourced computation services should ideally only charge customers for the resources used by their applications. Unfortunately, no verifiable basis for service providers and customers to reconcile resource accounting exists today. This leads to undesirable outcomes for both providers and consumers—providers cannot prove to customers that they really devoted the resources charged, and customers cannot verify that their invoice maps to their actual usage. As a result, many practical and theoretical attacks exist, aimed at charging customers for resources that their applications did not consume. Moreover, providers cannot charge consumers precisely, which causes them to bear the cost of unaccounted resources or pass these costs inefficiently to their customers. We introduce ALIBI, a first step toward a vision for verifiable resource accounting. ALIBI places a minimal, trusted reference monitor underneath the service provider's software platform. This monitor observes resource allocation to customers' guest virtual machines and reports those observations to customers, for verifiable reconciliation. In this paper, we show that ALIBI efficiently and verifiably tracks guests' memory use and CPU-cycle consumption.