Scheduler-based Defenses against Cross-VM Side- channels Venkat(anathan) Varadarajan, Thomas Ristenpart, and Michael Swift 1 D EPARTMENT OF C OMPUTER S.

Slides:



Advertisements
Similar presentations
Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)
Advertisements

Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011
Cross-VM Side Channels and Their Use to Extract Private Keys
KAIST Computer Architecture Lab. The Effect of Multi-core on HPC Applications in Virtualized Systems Jaeung Han¹, Jeongseob Ahn¹, Changdae Kim¹, Youngjin.
Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)
Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Yan Qiang,
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Managing NymBoxes for Identity and Tracking Protection David Wolinsky, Daniel Jackowitz, and Bryan Ford Yale University.
Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,
Performance Anomalies Within The Cloud 1 This slide includes content from slides by Venkatanathan Varadarajan and Benjamin Farley.
Resource-Freeing Attacks: Improve Your Cloud Performance (at Your Neighbor's Expense) (Venkat)anathan Varadarajan, Thawan Kooburat, Benjamin Farley, Thomas.
VSphere vs. Hyper-V Metron Performance Showdown. Objectives Architecture Available metrics Challenges in virtual environments Test environment and methods.
Public Clouds (EC2, Azure, Rackspace, …) VM Multi-tenancy Different customers’ virtual machines (VMs) share same server Provider: Why multi-tenancy? Improved.
Hardware Support for Spin Management in Overcommitted Virtual Machines Philip Wells Koushik Chakraborty Gurindar Sohi {pwells, kchak,
XENMON: QOS MONITORING AND PERFORMANCE PROFILING TOOL Diwaker Gupta, Rob Gardner, Ludmila Cherkasova 1.
COMMA: Coordinating the Migration of Multi-tier applications 1 Jie Zheng* T.S Eugene Ng* Kunwadee Sripanidkulchai† Zhaolei Liu* *Rice University, USA †NECTEC,
A Secure System-wide Process Scheduling across Virtual Machines Hidekazu Tadokoro (Tokyo Institute of Technology) Kenichi Kourai (Kyushu Institute of Technology)
NoHype: Virtualized Cloud Infrastructure without the Virtualization Eric Keller, Jakub Szefer, Jennifer Rexford, Ruby Lee ISCA 2010 Princeton University.
PREVENTING CRYPTOGRAPHIC KEY LEAKAGE IN CLOUD VIRTUAL MACHINES STUDENT: FATEMAH ALHARBI PROFESSOR: NAEL ABU-GHAZALEH EE260 SEMINAR IN ELECTRICAL ENGINEERING.
Towards High-Availability for IP Telephony using Virtual Machines Devdutt Patnaik, Ashish Bijlani and Vishal K Singh.
Progress Report Design, implementation, experiments, and demo plan 2014/12/03 1.
Authors: Thomas Ristenpart, et at.
Virtualization Performance H. Reza Taheri Senior Staff Eng. VMware.
Virtualization: An Overview Brendan Lynch. Forms of virtualization In all cases virtualization is taking a physical component and simulating the interface.
TitleEfficient Timing Channel Protection for On-Chip Networks Yao Wang and G. Edward Suh Cornell University.
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Written by Thomas Ristenpart Eran Tromer Hovav Shacham Stehan.
Eliminating Fine Grained Timers in Xen Bhanu Vattikonda with Sambit Das and Hovav Shacham.
Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Virtual Machine Scheduling for Parallel Soft Real-Time Applications
Improving Network I/O Virtualization for Cloud Computing.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 4 09/10/2013 Security and Privacy in Cloud Computing.
Timing Channel Protection for a Shared Memory Controller Yao Wang, Andrew Ferraiuolo, G. Edward Suh Feb 17 th 2014.
Politecnico di Torino Dipartimento di Automatica ed Informatica TORSEC Group Performance of Xen’s Secured Virtual Networks Emanuele Cesena Paolo Carlo.
Embedded System Lab. 오명훈 Memory Resource Management in VMware ESX Server Carl A. Waldspurger VMware, Inc. Palo Alto, CA USA
Our work on virtualization Chen Haogang, Wang Xiaolin {hchen, Institute of Network and Information Systems School of Electrical Engineering.
Revisiting Hardware-Assisted Page Walks for Virtualized Systems
MClock: Handling Throughput Variability for Hypervisor IO Scheduling in USENIX conference on Operating Systems Design and Implementation (OSDI ) 2010.
Thomas Ristenpart,Eran Tromer, Horav Shahcham and Stefan Savage
Quantifying and Improving I/O Predictability in Virtualized Systems Cheng Li, Inigo Goiri, Abhishek Bhattacharjee, Ricardo Bianchini, Thu D. Nguyen 1.
Cloud security Tom Ristenpart CS Software-as-a-service Infrastructure-as-a- service Cloud providers Cloud computing NIST: Cloud computing is a model.
A paper by Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage, Proceedings of the ACM Conference on Computer and Communications Security,
Instrumentation of Xen VMs for efficient VM scheduling and capacity planning in hybrid clouds. Kurt Vermeersch Coordinator: Sam Verboven.
Micro-sliced Virtual Processors to Hide the Effect of Discontinuous CPU Availability for Consolidated Systems Jeongseob Ahn, Chang Hyun Park, and Jaehyuk.
The xCloud and Design Alternatives Presented by Lavone Rodolph.
VGreen: A System for Energy Efficient Manager in Virtualized Environments G. Dhiman, G Marchetti, T Rosing ISLPED 2009.
VTurbo: Accelerating Virtual Machine I/O Processing Using Designated Turbo-Sliced Core Embedded Lab. Kim Sewoog Cong Xu, Sahan Gamage, Hui Lu, Ramana Kompella,
Introduction to virtualization
Modeling Virtualized Environments in Simalytic ® Models by Computing Missing Service Demand Parameters CMG2009 Paper 9103, December 11, 2009 Dr. Tim R.
Full and Para Virtualization
Technical Reading Report Virtual Power: Coordinated Power Management in Virtualized Enterprise Environment Paper by: Ripal Nathuji & Karsten Schwan from.
References: “Hey, You, Get Off My Cloud: Exploring Information Leakage in Third-Party Compute Clouds” by Thomas Ristenpart, Eran Tromer – UC San Diego;
Hey, You, Get Off of My Cloud Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage Presented by Daniel De Graaf.
COMP SYSTEM ARCHITECTURE PRACTICAL CACHES Sergio Davies Feb/Mar 2014COMP25212 – Lecture 3.
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Understanding Virtualization Overhead.
Thomas Ristenpart , Eran Tromer, Hovav Shacham ,Stefan Savage CCS’09
Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted IaaS Clouds Kenichi Kourai Kazuki Juda Kyushu Institute of Technology.
vCAT: Dynamic Cache Management using CAT Virtualization
Presented by Yoon-Soo Lee
Hey, You, Get Off of My Cloud
Written by : Thomas Ristenpart, Eran Tromer, Hovav Shacham,
Mengjia Yan, Yasser Shalabi, Josep Torrellas
Comparison of the Three CPU Schedulers in Xen
Professor, No school name
ConfMVM: A Hardware-Assisted Model to Confine Malicious VMs
Manjunath Shevgoor, Rajeev Balasubramonian, University of Utah
Maria Méndez Real, Vincent Migliore, Vianney Lapotre, Guy Gogniat
University of Illinois at Urbana-Champaign
Xing Pu21 Ling Liu1 Yiduo Mei31 Sankaran Sivathanu1 Younggyun Koh1
Presentation transcript:

Scheduler-based Defenses against Cross-VM Side- channels Venkat(anathan) Varadarajan, Thomas Ristenpart, and Michael Swift 1 D EPARTMENT OF C OMPUTER S CIENCES

VMM Public Clouds (EC2, Azure, Rackspace, …) Interface VM Multi-tenancy Different customers’ virtual machines (VMs) share same server VM 2 VMM VM VMM VM VMM VM Benefits: 1.High resource utilization, 2.Low service cost Benefits: 1.High resource utilization, 2.Low service cost VM

Core Private Caches Branch Predictor Shared Resources and Isolation VM (m-VCPUs) VM (m-VCPUs) Hypervisor Core Private Caches Branch Predictor VM (m-VCPUs) VM (m-VCPUs) VM (m-VCPUs) VM (m-VCPUs) VM (m-VCPUs) VM (m-VCPUs) VM (m-VCPUs) VM (m-VCPUs) VM (m-VCPUs) VM (m-VCPUs) System shared resources (LLC, memory, disk, n/w etc.) via per-core sharing [Zhang et al’12, Ristenpart al’09] via system-level sharing [Yarom & Falkner’14, Varadarajan et al’12] Core Private Caches Branch Predictor 3

Problem: Cache-based Side- channels * 4 VM Time Core: A A V V cache sets cache ways Prime A A Probe Attacker Timing Profile Extract secret information C RYPTO _F UNCTION (s): s  secret bit if (s = 0) { O PERATION _A } if (s = 1) { O PERATION _B } Secret *Zhang, Juels, Reiter, Ristenpart, “Cross-VM Side-channels …”, CCS’12 I-cache

Requirements for Successful Side- channel 5 VM Time Core: A A V V cache sets cache ways Prime A A Probe Attacker Timing Profile Extract secret information C RYPTO _F UNCTION (s): s  secret bit if (s = 0) { O PERATION _A } if (s = 1) { O PERATION _B } Secret *Zhang, Juels, Reiter, Ristenpart, “Cross-VM Side-channels …”, CCS’12 I-cache quick preemption shared resource high-precision timer

Defenses against Side-channels 1.Sharing – Resource Partitioning [NoHype’10] – Specialized Hardware [RPcache’07] – Software-based partitioning [StealthMem’12] 2.Access to high-resolution timers – Reduce resolution [TimeWarp’12] – Removing timing channel [StopWatch’13] 3.Quick cross-VM preemptions – No prior work! 6 No countermeasures deployed by providers!

Our Solution: Soft Isolation Allow sharing but limit frequency of dangerous VM interactions Goals: 1.Secure: Controlled information leakage 2.Commodity: Easy to adopt 3.Efficient: Allow sharing, low overhead 7 … with simple changes to Hypervisor’s CPU scheduler Core (per core state) Core (per core state) Private Caches VM Hypervisor

Rest of the talk … 1.Background: Quick Preemptions & Schedulers 1.Soft-Isolation: Scheduler-based defense 1.Evaluation: Security and Performance 8

Requirement for Quick Preemptions 9 VM V V Time Core: A A cache sets Prime A A Probe cache ways Preemption Interval V V V V Rate of preemption > Rate of event to measure C RYPTO _F UNCTION (s): s  secret bit if (s = 0) { O PERATION _A } if (s = 1) { O PERATION _B } Next subsequent code/task execution … (or noise)

Why do schedulers allow quick preemptions? 10 Prime-probe attacker: Abuses BOOST priority, using interrupts. Throughput- oriented: Benefits from longer scheduler timeslices Latency-oriented: Benefits from quick wakeups, BOOST priority State-of-art CPU schedulers V V Time Core: A A V V A A < 10µs Batch VMs Interactive VMs … Malicious VM

V V Time A A A A Min. runtime (scheduler parameter) Interrupt (boosted) V V V V Soft-Isolation: Ratelimit Preemptions 11 VM Core: Available in Xen (and KVM) ratelimit_us (and sched_min_granularity_ns) Reduces VM-switches  Boosts batch-workload’s performance Minimum RunTime (MRT) guarantee  soft-isolation

MRT Guarantee and Open Questions 12 Time Core: A A V V V V 1.Can MRT defend against Cross-VM Side-channels? (security evaluation) delay 2.Trade-off between security and performance? (performance overhead) MRT value

Xen Version4.2.1 SchedulerCredit Scheduler 1 Configuration (Non-work conserving) 40% cap on DomU VCPUs with equal weight # VMs6 # VCPUs per VM2 Experimental Methodology Two VMs: 1.Attacker 2.Victim 13 MachineIntel Xeon E5645, 2.4GHz, 6 cores, single package Memory Hierarchy Private 32KB L1 (I- and D- Cache), 256KB unified L2, 12MB shared L3 & 16GB DDR3 RAM. Machine Configuration Xen Configuration Core VM Hypervisor Setting similar to public clouds (e.g. EC2)

Security Evaluation : Prime-Probe Timing Profile 14 Idle Victim VM Simple Victim VM Under Zero-MRT Alternating usage patterni-cache access timing

Security Evaluation : Prime-Probe Timing Profile 15 Simple Victim VM Under Zero-MRT Simple Victim VM Under 1ms MRT Side-channel not discernible Alternating usage pattern

Security Evaluation: ElGamal Victim 16 Avg: ops S QUARE M ULT (x, e, N): Let e n,..., e 1 be the bits of e y ← 1 for i = n down to 1 do y ← S QUARE (y) y ← M OD R EDUCE (y, N) if e i = 1 then y ← M ULT (y, x) y ← M OD R EDUCE (y, N) end if end for return y ElGamal Side-channel require multiple preemptions within single iteration for noise-reduction [Zhang et al’12]

MRT Guarantee and Open Questions 17 Time Core: A A V V V V 1.Can MRT defend against Cross-VM Side-channels? (security evaluation) delay 2.Trade-off between security and performance? (performance overhead)

Performance Evaluation: Overall System Performance 18 Core VCPU Hypervisor workload-mix Measured workload: 1.Interactive  memcached, cassandra, etc. and 2.Batch  graph500, specJBB, etc. Competing workloads: microbenchmarks  highly cache-thrashing + (interactive or batch)

Performance Evaluation: Overall System Performance 19 Avg. 95 th Percentile Latency (interactive workloads) Avg. Runtime (batch workloads) At 5ms MRT < 7% overhead

More details in the paper … Per-core State-Cleansing – Interactive VMs may still leak information – MRT + State-cleansing incur low overhead Detailed Performance and Security Analysis – 20+ graphs in the paper 20 It is cheap and easy to deploy!

Conclusion 5ms MRT + selective state-cleansing -known attacks no longer work -negligible overhead -easy to adopt Introduce new scheduler principle -soft-isolation = allow sharing + limit dangerous cross-VM interactions contact: 21