skip to main content
research-article

Hardware-Assisted Secure Resource Accounting under a Vulnerable Hypervisor

Published:14 March 2015Publication History
Skip Abstract Section

Abstract

With the proliferation of cloud computing to outsource computation in remote servers, the accountability of computational resources has emerged as an important new challenge for both cloud users and providers. Among the cloud resources, CPU and memory are difficult to verify their actual allocation, since the current virtualization techniques attempt to hide the discrepancy between physical and virtual allocations for the two resources. This paper proposes an online verifiable resource accounting technique for CPU and memory allocation for cloud computing. Unlike prior approaches for cloud resource accounting, the proposed accounting mechanism, called Hardware-assisted Resource Accounting (HRA), uses the hardware support for system management mode (SMM) and virtualization to provide secure resource accounting, even if the hypervisor is compromised. Using a secure isolated execution support of SMM, this study investigates two aspects of verifiable resource accounting for cloud systems. First, this paper presents how the hardware-assisted SMM and virtualization techniques can be used to implement the secure resource accounting mechanism even under a compromised hypervisor. Second, the paper investigates a sample-based resource accounting technique to minimize performance overheads. Using a statistical random sampling method, the technique estimates the overall CPU and memory allocation status with 99%~100% accuracies and performance degradations of 0.1%~0.5%.

References

  1. AdvancedMicro Dvices. AMD64 Architecture Programmer's Mannual: Volume 2: System Programming, 2007.Google ScholarGoogle Scholar
  2. Apache HTTP Server. http://httpd.apache.org, 2011.Google ScholarGoogle Scholar
  3. A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky. HyperSentry: enabling stealthy in-context measurement of hypervisor integrity. In Proceedings of 17th ACMConference on Computer and Communications Security, CCS 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. A. M. Azab, P. Ning, and X. Zhang. Sice: a hardware-level strongly isolated computing environment for x86 multi-core platforms. In Proceedings of the 18th ACM conference on Computer and communications security, CCS 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. S. A. Baset. Cloud SLAs: Present and Future. ACM SIGOPS Operating Systems Review, 46(2):57--66, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. S. Bouchenak, G. Chockler, H. Chockler, G. Gheorghe, N. Santos, and A. Shraer. Verifying Cloud Services: Present and Future. ACM SIGOPS Operating Systems Review, 47(2):6--19, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. C. Chen, P. Maniatis, A. Perrig, A. Vasudevan, and V. Sekar. Towards Verifiable Resource Accounting for Outsourced Computation. In Proceedings of the 9th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. K. L. Chung. A Course In Probability Theory. Academic press, 2001.Google ScholarGoogle Scholar
  9. Damn Small Linux. http://www.damnsmalllinux. org/, 2014.Google ScholarGoogle Scholar
  10. V. C. Emeakaroha, T. C. Ferreto, M. A. S. Netto, I. Brandic, and C. A. De Rose. CASViD: Application Level Monitoring for SLA Violation Detection in Clouds. In Proceedings of the 36th IEEE Computer Software and Applications Conference, COMPSAC 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. H. C. Fengzhe Zhang, Jin Chen and B. Zang. CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles, SOSP 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Intel Corporation. Software Developer's Mannual vol. 3: System Programming Guide, 2009.Google ScholarGoogle Scholar
  13. S. Jin, J. Ahn, S. Cha, and J. Huh. Architectural support for secure virtualization under a vulnerable hypervisor. In Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. J. Lango. Toward Software-defined SLAs. Communications of the ACM, 57(1):54--60, 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. M. Macias and J. Guitart. Client Classification Policies for SLA Enforcement in Shared Cloud Datacenters. In Proceedings of the 12th IEEE/ACMInternational Symposium on Cluster, Cloud and Grid Computing, CCGrid 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. D. Magenheimer. Xen developer's mailing list: http://secunia.com/advisories/26986/, 2010.Google ScholarGoogle Scholar
  17. M. Maurer, I. Brandic, and R. Sakellariou. Self-adaptive and Resource-efficient SLA Enactment for Cloud Computing Infrastructures. In Proceedings of the 5th IEEE International Conference on Cloud Computing, CLOUD 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. R. Y. Rubinstein and D. P. Kroese. Simulation and the Monte Carlo method, volume 707. John Wiley & Sons, 2011.Google ScholarGoogle Scholar
  19. RUBiS Benchmark. http://rubis.ow2.org, 2008.Google ScholarGoogle Scholar
  20. Secunia Vulnerability Report. http://secunia.com/advisories/15863/, 2010.Google ScholarGoogle Scholar
  21. Secunia Vulnerability Report. http://secunia.com/advisories/25985/, 2010.Google ScholarGoogle Scholar
  22. Secunia Vulnerability Report: Xen 3.x. http://secunia.com/advisories/product/15863/, 2010.Google ScholarGoogle Scholar
  23. V. Sekar and P. Maniatis. Verifiable Resource Accounting for Cloud Computing Services. In Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, CCSW 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. S. Setty, V. Vu, N. Panpalia, B. Braun, A. J. Blumberg, and M. Walfish. Taking Proof-based Verified Computation a Few Steps Closer to Practicality. In Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. SPECCPU2006 Benchmark. http://www.spec.org/cpu2006, 2005.Google ScholarGoogle Scholar
  26. SPECjbb2005 Benchmark. http://www.spec.org/jbb2005, 2005.Google ScholarGoogle Scholar
  27. Trusted Platform Module. http://www.trustedcomputinggroup.org/developers/trusted_platform_module.Google ScholarGoogle Scholar
  28. V. Varadarajan, T. Kooburat, B. Farley, T. Ristenpart, and M. M. Swift. Resource-freeing Attacks: Improve Your Cloud Performance. In Proceedings of the 19th ACM Conference on Computer and Communications Security, CCS 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. J. Wang, A. Stavrou, and A. K. Ghosh. HyperCheck: A Hardware-Assisted Integrity Monitor. In Proceedings of 13th International Symposium on Recent Advances in Intrusion Detection, RAID 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. R. Wojtczuk. Subverting the Xen Hypervisor, 2008.Google ScholarGoogle Scholar
  31. R. Wojtczuk and J. Rutkowska. Xen 0wning trilogy, 2008.Google ScholarGoogle Scholar
  32. Xen Hypervisor. http://www.xen.org/, 2010.Google ScholarGoogle Scholar
  33. F. Zhang, K. Leach, K. Sun, and A. Stavrou. SPECTRE: A Dependable Introspection Framework via System Management Mode. In Proceedings of the 43rd IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. F. Zhou, M. Goel, P. Desnoyers, and R. Sundaram. Scheduler Vulnerabilities and Coordinated Attacks in Cloud Computing. In Proceedings of the 10th IEEE International Symposium on Networking Computing and Applications, NCA 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Hardware-Assisted Secure Resource Accounting under a Vulnerable Hypervisor

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in

    Full Access

    • Published in

      cover image ACM SIGPLAN Notices
      ACM SIGPLAN Notices  Volume 50, Issue 7
      VEE '15
      July 2015
      221 pages
      ISSN:0362-1340
      EISSN:1558-1160
      DOI:10.1145/2817817
      • Editor:
      • Andy Gill
      Issue’s Table of Contents
      • cover image ACM Conferences
        VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
        March 2015
        238 pages
        ISBN:9781450334501
        DOI:10.1145/2731186

      Copyright © 2015 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 14 March 2015

      Check for updates

      Qualifiers

      • research-article

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader
    About Cookies On This Site

    We use cookies to ensure that we give you the best experience on our website.

    Learn more

    Got it!