NoHype: Virtualized Cloud Infrastructure without theVir tualizationEric Keller Jakub Szefer Jennifer Rexford Rub y B. LeePrinceton University, Princeton, NJ, USA{ekeller, sz efer}@princeton.edu [email protected] [email protected] computing is a disruptive trend that is changing theway we use computers. The key underlying technology incloud infrastructures is virtualization – so much so thatmany consider virtualization to be one of the key featuresrather than simply an implementation detail. Unfortunately,the use of virtualization is the source of a significant securityconcern. Because multiple virtual machines run on the sameserver and since the virtualization layer plays a considerablerole in the operation of a virtual machine, a malicious partyhas the opportunity to attack the virtualization layer. Asuccessful attack would give the malicious party control overthe all-powerful virtualization layer, potentially compromis-ing the confidentiality and integrity of the software and dataof any virtual machine. In this paper we propose removingthe virtualization layer, while retaining the key features en-abled by virtualization. Our NoHype architecture, namedto indicate the removal of the hypervisor, addresses each ofthe key roles of the virtualization layer: arbitrating accessto CPU, memory, and I/O devices, acting as a network de-vice (e.g., Ethernet switch), and managing the starting andstopping of guest virtual machines. Additionally, we showthat our NoHype architecture may indeed be “no hype” sincenearly all of the needed features to realize the NoHype ar-chitecture are currently available as hardware extensions toprocessors and I/O devices.Categories and Subject DescriptorsC.1.0 [Processor architectures]: General; D.4.6 [Operatingsystems]: Security and protection—invasive softwareGeneral TermsDesign, Management, SecurityKeywordsCloud computing, Multi-core, Many-core, Security, Hyper-visor, Virtualization, System architecturePermission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial adv antage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on serv e rs or to redistribute to lists, requires prior specificpermission and/or a fee.ISCA’10, June 19–23, 2010, Saint-Malo, France.Copyright 2010 ACM 978-1-4503-0053-7/10/06 ...$10.00.1. INTRODUCTIONThere is no doubt that“cloud computing”has tremendouspromise. The end user of a service running “in the cloud”is unaware of how the infrastructure is architected – it justworks. The provider of that service (the cloud customer inFig. 1(a)) is able to dynamically provision infrastructure tomeet the currene demand by leasing resources from a host-ing company (the cloud provider). The cloud provider canleverage economies of scale to provide dynamic, on-demand,infrastructure at a favorable cost.While there is debate over the exact definition, the mainidea behind cloud computing, common to all approaches,is enabling a virtual machine to run on any server. Sincethere are many customers and many servers, the manage-ment of the infrastructure must be highly automated – acustomer can request the creation (or removal) of a virtualmachine and without human intervention a virtual machineis started (or stopped) on one of the servers. To take ad-vantage of the economic benefits, the cloud providers usemulti-tenancy, where virtual machines from multiple cus-tomers share a server.Unfortunately, this multi-tenancy is the source of a majorsecurity concern with cloud computing as it gives maliciousparties direct access to the server where their victim maybe executing in the cloud. The malicious party can activelyattack the virtualization layer. If successful, as many vul-nerabilities have shown to be possible [1, 2, 3, 4, 5, 6], theattacker has an elevated level of execution capabilities ona system running other virtual machines. The maliciousparty can then inspect the memory, exposing confidentialinformation such as encryption keys and customer data,or even modify the software a virtual machine is running.Even without compromising the hypervisor, multi-tenancyexposes side-channels that can be used to learn confiden-tial information [7]. These security risks make companieshesitant to use hosted virtualized infrastructures [8].In fact, if not for this security concern, running applica-tions in the cloud can actually be more secure than whenrun in private facilities. Commonly cited are the economicbenefits that the economies of scale provide to the cloud in-frastructure providers [9]. There is a similar principle withregards to security that is, however, not often discussed. Inmany organizations, physical security is limited to a lockedcloset which stores the servers in the company’s office. Sincecloud providers are served out of large data centers, thereare surveillance cameras, extra security personnel, and bythe very nature of the environment, the access is much morecontrolled. That level of physical security is cost prohibitive350for a single organization, but when spread out across many,it almost comes for free to the customer of the cloud. Sim-ilarly, in a private organization, network security of serversis commonly limited to a firewall. Cloud providers can in-stall and maintain special intrusion detection (or prevention)systems which inspect packets for matches to known attacksthat exploit bugs in commonly used software. As with physi-cal security, these devices may be cost prohibitive for a singleorganization but can be provided by the cloud provider forasmallcost.Rather than attempting to make the virtualization layermore secure by reducing its size or protecting it with addi-tional hardware [10], we instead take the position that thevirtualization layer should be removed altogether.Inthispaper we propose getting rid of the virtualization layer (thehypervisor) running beneath each guest operating system(OS) in order to make running a virtual machine in the cloudas secure as running it in the customer’s private facilities –and possibly even more secure. As a side benefit, removingthe active hypervisor removes the ‘virtualization tax’ whichis incurred when needing to invoke a hypervisor for manyoperations. We argue that today’s virtualization technologyis used as a convenience, but is not
View Full Document
Unlocking...