© 2010 Andreas Haeberlen 1 Accountable Virtual Machines OSDI (October 4, 2010) Andreas Haeberlen University of Pennsylvania Paarijaat Aditya Rodrigo Rodrigues.

Slides:



Advertisements
Similar presentations
UNIX System Programming Installing OpenSolaris. 2/86 Contents How to setup a virtual machine guest How to install OpenSolaris as a guest How to update.
Advertisements

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.
Reliable Client Accounting for P2P-Infrastructure Hybrids Paarijaat Aditya †, Ming-Chen Zhao ‡, Yin Lin *, Andreas Haeberlen ‡, Peter Druschel †, Bruce.
LADIS workshop (Oct 11, 2009) A Case for the Accountable Cloud Andreas Haeberlen MPI-SWS.
P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.
Network synchronization of Online Games Li, Zetan.
 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.
Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.
1 Attested Append-Only Memory: Making Adversaries Stick to their Word Byung-Gon Chun (ICSI) October 15, 2007 Joint work with Petros Maniatis (Intel Research,
2.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 2: Installing Windows Server.
Intrusion Detection Systems and Practices
SRG PeerReview: Practical Accountability for Distributed Systems Andreas Heaberlen, Petr Kouznetsov, and Peter Druschel SOSP’07.
Execution Replay for Multiprocessor Virtual Machines George W. Dunlap Dominic Lucchetti Michael A. Fetterman Peter M. Chen.
NSDI (April 24, 2009) © 2009 Andreas Haeberlen, MPI-SWS 1 NetReview: Detecting when interdomain routing goes wrong Andreas Haeberlen MPI-SWS / Rice Ioannis.
Chapter 14 Chapter 14: Server Monitoring and Optimization.
Virtual Machines Measure Up John Staton Karsten Steinhaeuser University of Notre Dame December 15, 2005 Graduate Operating Systems, Fall 2005 Final Project.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
© 2006 Andreas Haeberlen, MPI-SWS 1 The Case for Byzantine Fault Detection Andreas Haeberlen MPI-SWS / Rice University Petr Kouznetsov MPI-SWS Peter Druschel.
Building and Programming the Cloud, Mysore, Jan Accountable distributed systems and the accountable cloud Peter Druschel joint work with Andreas.
11 MONITORING MICROSOFT WINDOWS SERVER 2003 Chapter 3.
Towards Application Security On Untrusted OS
Virtualization for Cloud Computing
Security Information Management Firewall Management, Intrusion Detection, and Intrusion Prevention Intrusion Detection Busters Katherine Jackowski Elizabeth.
Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>>
Hands-On Virtual Computing
Security Evaluation of Pattern Classifiers under Attack.
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.
Accountability Aditya Akella. Outline Accountable Virtual Machines Accountability in and via SDN.
Hosted Virtualization Lab Last Update Copyright Kenneth M. Chipps Ph.D.
Beyond Kernel-level Integrity Measurement: Enabling Remote Attestation for the Android Platform Mohammad Nauman, Sohail Khan, Xinwen Zhang, Jean- Pierre.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.
Our work on virtualization Chen Haogang, Wang Xiaolin {hchen, Institute of Network and Information Systems School of Electrical Engineering.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 MSE Virtual Appliance Presenter Name: Patrick Nicholson.
IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Jeny Carrasco and Jai Nayar English 393 Process Manual Assignment 12/08/04 McAfee 7.1 Process Manual.
A data-centric platform for analyzing distributed systems Provenance Maintenance and Querying on Log-structured Databases.
BFTW 3 workshop (Sep 22, 2009)© 2009 Andreas Haeberlen 1 The Fault Detection Problem Andreas Haeberlen MPI-SWS Petr Kuznetsov TU Berlin / Deutsche Telekom.
A. Haeberlen Fault Tolerance and the Five-Second Rule 1 HotOS XV (May 18, 2015) Ang Chen Hanjun Xiao Andreas Haeberlen Linh Thi Xuan Phan Department of.
SIGCOMM 2012 (August 16, 2012) Private and Verifiable Interdomain Routing Decisions Mingchen Zhao * Wenchao Zhou * Alexander Gurney * Andreas Haeberlen.
1 Copyright © 2015 Pexus LLC Patriot PS Personal Server Importing Virtual Appliance Image.
Project Name Program Name Project Scope Title Project Code and Name Insert Project Branding Image Here.
Security Vulnerabilities in A Virtual Environment
Trusted Passages: Managing Trust Properties of Open Distributed Overlays Faculty: Mustaque Ahamad, Greg Eisenhauer, Wenke Lee and Karsten Schwan PhD Students:
PeerReview: Practical Accountability for Distributed Systems SOSP 07.
CSC190 Introduction to Computing Operating Systems and Utility Programs.
SOSP 2007 © 2007 Andreas Haeberlen, MPI-SWS 1 Practical accountability for distributed systems Andreas Haeberlen MPI-SWS / Rice University Petr Kuznetsov.
© 2015 A. Haeberlen NETS 212: Scalable and Cloud Computing 1 University of Pennsylvania Special topics December 3, 2015.
Configuring Debugging as Search: Finding the Needle in the Haystack Andrew Whitaker, Richard S. Cox and Steven D. Gribble. University of Washington Presented.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Virtual Machines Module 2. Objectives Define virtual machine Define common terminology Identify advantages and disadvantages Determine what software is.
A. Haeberlen CIS 455/555: Internet and Web Systems 1 University of Pennsylvania Special topics April 22, 2016.
Run the on your PC to start the firmware configuration process Run IP Config Tool.
CACI Proprietary Information | Date 1 PD² v4.2 Increment 2 SR13 and FPDS Engine v3.5 Database Upgrade Name: Semarria Rosemond Title: Systems Analyst, Lead.
MCSA Windows Server 2012 Pass Upgrading Your Skills to MCSA Windows Server 2012 Exam By The Help Of Exams4Sure Get Complete File From
Computer System Structures
Monitoring Windows Server 2012
Problem: Internet diagnostics and forensics
Outline What does the OS protect? Authentication for operating systems
MONITORING MICROSOFT WINDOWS SERVER 2003
FPGA: Real needs and limits
Outline What does the OS protect? Authentication for operating systems
Creating a Windows 7 Professional SP1 Virtual machine
Hardware Support for Embedded Operating System Security
StreamInsight in SQL Server 2012
The iPremier Company: Denial of Service Attack
Accountable Virtual Machines
Security in SDR & cognitive radio
Presentation transcript:

© 2010 Andreas Haeberlen 1 Accountable Virtual Machines OSDI (October 4, 2010) Andreas Haeberlen University of Pennsylvania Paarijaat Aditya Rodrigo Rodrigues Peter Druschel Max Planck Institute for Software Systems (MPI-SWS) Max Planck Institute for Software Systems

© 2010 Andreas Haeberlen Scenario: Multiplayer game Alice decides to play a game of Counterstrike with Bob and Charlie 2 OSDI (October 4, 2010) Alice Bob Charlie Network I'd like to play a game

© 2010 Andreas Haeberlen What Alice sees OSDI (October 4, 2010) Movie 3 Alice

© 2010 Andreas Haeberlen Could Bob be cheating? In Counterstrike, ammunition is local state Bob can manipulate counter and prevent it from decrementing Such cheats (and many others) do exist, and are being used 4 OSDI (October 4, 2010) Charlie Network Alice Bob Ammo

© 2010 Andreas Haeberlen This talk Cheating is a serious problem in itself Multi-billion-dollar industry But we address a more general problem: Alice relies on software that runs on a third-party machine Examples: Competitive system (auction), federated system... How does Alice know if the software running as intended? 5 OSDI (October 4, 2010) Network Alice Bob Software is not (just) about cheating!

© 2010 Andreas Haeberlen Goal: Accountability We want Alice to be able to Detect when the remote machine is faulty Obtain evidence of the fault that would convince a third party Challenges: Alice and Bob may not trust each other Possibility of intentional misbehavior (example: cheating) Neither Alice nor Bob may understand how the software works Binary only - no specification of the correct behavior 6 OSDI (October 4, 2010) Network Alice Bob Software

© 2010 Andreas Haeberlen Outline Problem: Detecting faults on remote machines Example: Cheating in multiplayer games Solution: Accountable Virtual Machines Evaluation Using earlier example (cheating in Counterstrike) Summary 7 OSDI (October 4, 2010) NEXT

© 2010 Andreas Haeberlen Overview Bob runs Alice's software image in an AVM AVM maintains a log of network in-/outputs Alice can check this log with a reference image AVM correct: Reference image can produce same network outputs when started in same state and given same inputs AVM faulty: Otherwise 8 OSDI (October 4, 2010) Network Alice Bob Virtual machine image AVMM AVM Accountable Virtual Machine (AVM) Accountable Virtual Machine Monitor (AVMM) Log What if Bob manipulates the log? Alice must trust her own reference image How can Alice find this execution, if it exists?

© 2010 Andreas Haeberlen Firing Tamper-evident logging Message log is tamper-evident [SOSP'07] Log is structured as a hash chain Messages contain signed authenticators Result: Alice can either detect that the log has been tampered with, or... get a complete log with all the observable messages 9 OSDI (October 4, 2010) 473: SEND(Charlie, Got ammo) 472: RECV(Alice, Got medipack) 471: SEND(Charlie, Moving left) : SEND(Alice, Firing) Moving right AVMM AVM

© 2010 Andreas Haeberlen Execution logging How does Alice know whether the log matches a correct execution of her software image? Idea: AVMM can specify an execution AVMM additionally logs all nondeterministic inputs AVM correct: Can replay inputs to get execution AVM faulty: Replay inevitably (!) fails 10 OSDI (October 4, 2010) 474: SEND(Alice, Firing) 473: SEND(Charlie, Got ammo) 472: RECV(Alice, Got medipack) 471: SEND(Charlie, Moving left)... AVMM AVM 474: SEND(Alice, Firing) 473: Mouse button clicked 472: SEND(Charlie, Got ammo) 471: RECV(Alice, Got medipack) 470: Got network interrupt 469: SEND(Charlie, Moving left)

© 2010 Andreas Haeberlen Auditing and replay 11 OSDI (October 4, 2010) Network Alice Bob AVMM AVM AVMM AVM : SEND(Alice, Firing) 370: SEND(Alice, Firing) 369: SEND(Alice, Firing) 368: Mouse button clicked 367: SEND(Alice, Got medipack) 366: Mouse moved left Modification Evidence 371: SEND(Alice, Firing) 370: SEND(Alice, Firing) 369: SEND(Alice, Firing) 368: Mouse button clicked 367: SEND(Alice, Got medipack) 366: Mouse moved left 372: SEND(Alice, Firing) 373: SEND(Alice, Firing)

© 2010 Andreas Haeberlen AVM properties Strong accountability Detects faults Produces evidence No false positives Works for arbitrary, unmodified binaries Nondeterministic events can be captured by AVM Monitor Alice does not have to trust Bob, the AVMM, or any software that runs on Bob's machine If Bob tampers with the log, Alice can detect this If Bob's AVM is faulty, ANY log Bob could produce would inevitably cause a divergence during replay 12 OSDI (October 4, 2010) If it runs in a VM, it will work

© 2010 Andreas Haeberlen Outline Problem: Detecting faults on remote machines Example: Cheating in multiplayer games Solution: Accountable Virtual Machines Evaluation Using earlier example (cheating in Counterstrike) Summary 13 OSDI (October 4, 2010) NEXT

© 2010 Andreas Haeberlen Methodology We built a prototype AVMM Based on logging/replay engine in VMware Workstation Extended with tamper-evident logging and auditing Evaluation: Cheat detection in games Setup models competition / LAN party Three players playing Counterstrike 1.6 Nehalem machines (i7 860) Windows XP SP3 14 OSDI (October 4, 2010)

© 2010 Andreas Haeberlen Evaluation topics Effectiveness against real cheats Overhead Disk space (for the log) Time (auditing, replay) Network bandwidth (for authenticators) Computation (signatures) Latency (signatures) Impact on game performance Online auditing Spot checking tradeoffs Using a different application: MySQL on Linux 15 OSDI (October 4, 2010) Please refer to the paper for additional results!

© 2010 Andreas Haeberlen AVMs can detect real cheats If the cheat needs to be installed in the AVM to be effective, AVM can trivially detect it Reason: Event timing + control flow change Examined real 26 cheats from the Internet; all detectable 16 OSDI (October 4, 2010) 98: RECV(Alice, Missed) 97: SEND(Alice, 96: Mouse button clicked 95: Interrupt received 94: RECV(Alice, Jumping)... BC=53 BC=52 BC=47 BC=44 BC=37... Bob's log EIP=0xb382 EIP=0x3633 EIP=0xc490 EIP=0x6771 EIP=0x570f... Event timing (for replay) AVMM AVM BC=59 BC=54 BC=49 BC=44 BC=37... EIP=0x861e EIP=0x2d16 EIP=0xc43e EIP=0x6771 EIP=0x570f... 97: SEND(Alice, 98: RECV(Alice, Hit)

© 2010 Andreas Haeberlen 96: RECV(Alice, Missed) 95: SEND(Alice, 94: Mouse button clicked 93: Interrupt received 92: RECV(Alice, Jumping)... BC=53 BC=52 BC=47 BC=44 BC=37... EIP=0xb382 EIP=0x3633 EIP=0xc490 EIP=0x6771 EIP=0x570f... 99: RECV(Alice, Hit) 98: SEND(Alice, 97: Mouse button clicked 96: Mouse move right 1 inch 94: Mouse move up 1 inch 92: RECV(Alice, Jumping)... BC= BC= BC= BC= BC= BC=... EIP= EIP= EIP= EIP= EIP= EIP=... AVMs can detect real cheats Couldn't cheaters adapt their cheats? There are three types of cheats: 1. Detection impossible (Example: Collusion) 2. Detection not guaranteed, but evasion technically difficult 3. Detection guaranteed (  15% of the cheats in our sample) 17 OSDI (October 4, 2010) AVMM AVM ? ? ? ? ? ? ? ? ? ? ?

© 2010 Andreas Haeberlen Impact on frame rate Frame rate is ~13% lower than on bare hw 137fps is still a lot! fps generally recommended 11% due to logging; additional cost for accountability is small 18 OSDI (October 4, 2010) Average frame rate Bare hardware VMware (no logging) VMware (logging) AVMM (no crypto) AVMM  158fps -13% Different machines with different players -11% No fps cap Window mode 800x600 Softw. rendering

© 2010 Andreas Haeberlen Cost of auditing When auditing a player after a one-hour game, How big is the log we have to download? How much time is needed for replay? 19 OSDI (October 4, 2010) VMware AVMM Average log growth (MB/minute) ~8 MB per minute 2.47 MB per minute (compressed) 148 MB Added by accountability ~ 1 hour

© 2010 Andreas Haeberlen Online auditing Idea: Stream logs to auditors during the game Result: Detection within seconds after fault occurs Replay can utilize unused cores; frame rate penalty is low 20 OSDI (October 4, 2010) Average frame rate No online auditing One audit per player Two audits per player Alice Bob Charlie Game Logging Replay

© 2010 Andreas Haeberlen Summary Accountable Virtual Machines (AVMs) offer strong accountability for unmodified binaries Useful when relying on software executing on remote machines: Federated system, multiplayer games,... No trusted components required AVMs are practical Prototype implementation based on VMware Workstation Evaluation: Cheat detection in Counterstrike 21 OSDI (October 4, 2010) Questions?

© 2010 Andreas Haeberlen Thank you! 22 OSDI (October 4, 2010) Our enthusiastic Counterstrike volunteers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.