
Enabling Efficient Hypervisor-as-a-Service Clouds with Ephemeral Virtualization

Published: 25 March 2016

Abstract

When considering a hypervisor, cloud providers must balance conflicting requirements for simple, secure code bases with more complex, feature-filled offerings. This paper introduces Dichotomy, a new two-layer cloud architecture in which the roles of the hypervisor are split. The cloud provider runs a lean hyperplexor that has the sole task of multiplexing hardware and running more substantial hypervisors (called featurevisors) that implement features. Cloud users choose featurevisors from a selection of lightly-modified hypervisors potentially offered by third parties in an "as-a-service" model for each VM. Rather than running the featurevisor directly on the hyperplexor using nested virtualization, Dichotomy uses a new virtualization technique called ephemeral virtualization, which efficiently (and repeatedly) transfers control of a VM between the hyperplexor and featurevisor using memory mapping techniques. Nesting overhead is only incurred while the VM is being accessed by the featurevisor. We have implemented Dichotomy in KVM/QEMU and demonstrate average switching times of 80 ms, two to three orders of magnitude faster than live VM migration. We show that, for the featurevisor applications we evaluated, VMs hosted in Dichotomy deliver up to 12% better performance than those hosted on nested hypervisors, and continue to show benefit even when the featurevisor applications run as often as every 2.5 seconds.

