Accountable Virtual Machines

Accountable Virtual Machines. Andreas Haeberlen, Paarijaat Aditya, Rodrigo Rodrigues, Peter Druschel. OSDI 2010. Presenter: Lili Sun, 2020/1/4. Outline. What is an accountable virtual machine (AVM) and why do we need it? What can an AVM do, and how? How to evaluate its performance?


Presentation Transcript


  1. Accountable Virtual Machines Andreas Haeberlen, Paarijaat Aditya, Rodrigo Rodrigues, Peter Druschel OSDI 2010 Presenter: Lili Sun 2020/1/4

  2. Outline • What is an accountable virtual machine (AVM) and why do we need it? • What can an AVM do, and how? • How to evaluate its performance? • What are the advantages and disadvantages of AVMs?

  3. The Concept of AVM and Goals • Motivation [Figure: service providers and users]

  4. The Concept of AVM and Goals • Concept • AVM provides strong accountability. It provides users with the capacity to audit the execution of a software system by obtaining a log of the execution, and comparing it to a known-good execution. • Goals • Detection • Evidence

  5. Accountable Virtual Machine • AVM approach • Bob installs an AVMM and runs the software S • The AVMM maintains a tamper-evident log and records nondeterministic events • Alice receives a message from M, with an authenticator • Alice periodically audits M • If a fault is detected, the evidence is given: (MR, S, log, am) [Figure: AVM running software S on the AVMM, with the tamper-evident log, nondeterministic events, messages m1 and m2, authenticators a1 and a2, and the replay and verify steps]

  6. Accountable Virtual Machine • Users do not have to check the entire log • The AVMM enables users to do spot checks • A spot check can save time. • An incorrect state transition in an unchecked segment will not be detected. • The AVMM offers two guarantees • Completeness: if the machine is faulty, the audit of M will report a fault and produce the evidence • Accuracy: if a machine is not faulty, no audit of M will report a fault

  7. Accountable Virtual Machine • AVMs can be extended to multiple parties • such as the symmetric multi-party scenario or the asymmetric multi-party scenario • collect authenticators from other users • prevent using the network problem • distribute the evidence to other users

  8. AVMM Design • The tamper-evident log • It is structured as a hash chain, e_i := (s_i, t_i, c_i, h_i) • When a user sends a message to M, the user signs the message with her own private key. • When M sends a message to the user, the AVMM attaches an authenticator which includes a signature with M’s private key. [Figure: AVM with software S and the AVMM; labels: removes signatures, logs the signatures and messages, acknowledgment, a1, s1, m1]

  9. AVMM Design • Accountable Virtual Machine Monitor (AVMM) • Recording nondeterministic inputs • Detecting inconsistencies • Checking snapshots [Figure: AVM with software S and the AVMM; labels: nondeterministic inputs, logs the signatures and messages, acknowledgment, a1, s1, m1]

  10. AVMM Design • Auditing and replay • Verify the log's integrity • Verify a snapshot • Verify the execution • syntactic check • semantic check [Figure: the auditor downloads a snapshot, recomputes the hash tree and verifies it; downloads the log segment Lij = (ei, …, ej) and verifies it against the authenticators ai and aj for messages mi and mj]

  11. AVMM Design • Syntactic check • Determines whether the log itself is well-formed • Includes checking the cryptographic signatures in the messages and acknowledgments, and the sequence of the messages • Fast (6.9 seconds) • Semantic check • Determines whether the information in the log corresponds to a correct execution of MR • Instantiates a VM and initializes it with the snapshot • Reads Lij, replays the inputs, and checks the outputs • Verifies the snapshot hashes in Lij against those of the replayed execution • Takes as long as the application (1,977 seconds)
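An added example (not code from the paper or its prototype) of the hash-chained log from slide 8 and the log-integrity part of the audit from slides 10 and 11. Assumptions: the entry tuple is read as (sequence number, type, content, hash), each hash is computed as H(h_prev, s, t, H(c)), an authenticator is (s, h, signature), HMAC with a constructed key stands in for M's private-key signature, and all entry types and message contents are constructed.

```python
import hashlib, hmac

KEY = b"constructed-demo-key"          # stand-in for M's private signing key
ZERO = bytes(32)                       # assumed value of the hash before entry 1

def chain_hash(prev, s, t, c):
    """Assumed chaining rule: h_i = H(h_{i-1} || s_i || t_i || H(c_i))."""
    body = prev + s.to_bytes(8, "big") + t.encode() + hashlib.sha256(c).digest()
    return hashlib.sha256(body).digest()

def sign(s, h):
    """HMAC stands in for a signature; a real AVMM signs with M's private key."""
    return hmac.new(KEY, s.to_bytes(8, "big") + h, hashlib.sha256).digest()

class Log:
    def __init__(self):
        self.entries = []              # each entry is (s, t, c, h)
    def append(self, t, c):
        s = len(self.entries) + 1
        prev = self.entries[-1][3] if self.entries else ZERO
        h = chain_hash(prev, s, t, c)
        self.entries.append((s, t, c, h))
        return (s, h, sign(s, h))      # authenticator handed to the user

def audit(segment, prev_hash, authenticators):
    """Return None if the segment is consistent, else the first problem found."""
    seen = {}
    for s, t, c, h in segment:
        if h != chain_hash(prev_hash, s, t, c):
            return f"entry {s}: hash chain broken"
        prev_hash = seen[s] = h
    for s, h, sig in authenticators:
        if not hmac.compare_digest(sig, sign(s, h)):
            return f"authenticator {s}: bad signature"
        if s in seen and seen[s] != h:
            return f"entry {s}: log contradicts authenticator"
    return None

def demo():
    log = Log()
    log.append("RECV", b"alice: move north")
    a2 = log.append("SEND", b"state x=1 y=2")      # Alice keeps this authenticator
    honest = audit(log.entries, ZERO, [a2])
    rewritten = Log()                              # M rebuilds a different, valid chain
    rewritten.append("RECV", b"alice: move north")
    rewritten.append("SEND", b"state x=9 y=9")
    s, t, c, h = log.entries[1]                    # M edits content in place
    edited = [log.entries[0], (s, t, b"state x=9 y=9", h)]
    return honest, audit(rewritten.entries, ZERO, [a2]), audit(edited, ZERO, [a2])
```

The rewritten chain is internally valid and is caught only because Alice holds an authenticator issued earlier; the in-place edit is caught by the chain itself.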

  12. Application: Cheat Detection in Games • The three cheats that are used in Counterstrike are as follows: • aimbot, a cheat that works by feeding the game with forged inputs; • wallhack, a cheat that violates secrecy; • unlimited ammunition, a cheat that relies on modifying local in-memory state. • AVMs are effective against two specific classes of cheats • cheats that need to be installed along with the game; • cheats that make the network-visible behavior of the cheater’s machine inconsistent with any correct execution.
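An added example (not from the paper or its prototype) of the semantic check from slide 11 applied to the unlimited-ammunition cheat from slide 12: the auditor replays the logged inputs on the reference software and compares outputs and snapshot hashes. The toy game, the entry types and all function names are constructed for illustration.

```python
import hashlib

def reference_step(state, event):
    """Toy reference software S: state is (ammo, shots); returns (state, output)."""
    ammo, shots = state
    kind, arg = event
    if kind == "reload":
        return (arg, shots), f"ammo={arg}"
    if ammo > 0:                                   # kind == "fire"
        return (ammo - 1, shots + 1), f"shot#{shots + 1}"
    return state, "click"

def modified_step(state, event):
    """Same as S, except the in-memory ammo count is never decremented."""
    new_state, out = reference_step(state, event)
    return ((state[0], new_state[1]) if event[0] == "fire" else new_state), out

def snap_hash(state):
    return hashlib.sha256(repr(state).encode()).hexdigest()

def record(step, state, inputs):
    """What the AVMM would log while `step` runs: inputs, outputs, final snapshot."""
    log = []
    for ev in inputs:
        state, out = step(state, ev)
        log += [("INPUT", ev), ("OUTPUT", out)]
    return log + [("SNAPSHOT", snap_hash(state))]

def semantic_check(state, log):
    """Replay the logged inputs on the reference software; None means no fault."""
    pending = None
    for i, (kind, value) in enumerate(log):
        if kind == "INPUT":
            state, pending = reference_step(state, value)
        elif kind == "OUTPUT" and value != pending:
            return f"entry {i}: logged {value!r}, replay produced {pending!r}"
        elif kind == "SNAPSHOT" and value != snap_hash(state):
            return f"entry {i}: snapshot hash differs from replayed state"
    return None

def demo():
    start, fire = (2, 0), ("fire", None)           # constructed snapshot and inputs
    return (semantic_check(start, record(reference_step, start, [fire] * 3)),
            semantic_check(start, record(modified_step, start, [fire] * 3)),
            semantic_check(start, record(modified_step, start, [fire] * 2)))
```

With three shots the modified machine emits an output the reference execution cannot produce; with two shots its outputs still match, and the divergence shows up only in the snapshot hash.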

  13. Evaluation • Prototype Implementation • VMM: VMware Workstation • Extended the VMM to record extra information • Adapted code from PeerReview, a system that provides accountability • Audit tool implements the syntactic check and the semantic check • If one of them fails, the log and the authenticators will be given to a third party as evidence.

  14. Evaluation • Experiment Setup • Three workstations, one for each player • Each CPU has four cores and two hyperthreads per core • The machines are connected to a switch via 1 Gbps Ethernet links • Five different configurations • bare-hw, the game runs directly on the hardware, without virtualization • vmware-norec, adds the virtual machine monitor without modifications • vmware-rec, adds the logging for deterministic replay • avmm-nosig, uses the AVMM implementation without signatures • avmm-rsa768, is the full system as described.

  15. Evaluation • Log sizes and contents • Figure 3 shows the growth of the AVMM log • Figure 4 shows the average log growth rate by content • 8MB/minute or 2.47MB/minute after compression [Figure labels: 30%, 27%, 14%, 70%, 59%]

  16. Evaluation • Network traffic • AVMM increases network traffic for two reasons • first, it adds a cryptographic signature to each packet • second, it encapsulates all packets in a TCP connection • Comparing the bare-hw and avmm-rsa768 configurations • bare-hw: 22 kbps • avmm-rsa768: 215.5 kbps • The per-packet overhead is much higher

  17. Evaluation • Latency • AVMM adds some latency to packet transmissions because of the logging and processing of authenticators • In AVMM (RSA-768), both the ping and pong are acknowledged • Critical threshold of latency for interactive applications is 100ms [Figure labels: 5 ms, 2 ms, 525 μs, 621 μs, 192 μs]

  18. Evaluation • CPU utilization • AVMM requires additional CPU power for virtualization and for the tamper-evident log. • The utilization of HT0 is below 8%, while the average utilization over 8HTs is 12.5% • The overhead from the tamper-evident log is relatively low

  19. Evaluation • Frame rate • The frame rate on the AVMM is 13% lower than the baseline. • Frame rates are generally about 60-80 fps, and the AVMM reaches 137 fps. • Recording in VMware Workstation causes the average frame rate to drop 11%.

  20. Evaluation • Online auditing • Online auditing can affect game performance • The frame rate drops from 137fps with no audits to 104fps with 2 audits • The audits can leverage the unused cores

  21. Evaluation • Spot checking • Two costs: the amount of data that must be transferred over the network, and the time it takes to replay the chunk of log segments. • The cost grows with k, and there is an additional fixed cost per chunk for transferring the corresponding memory and disk snapshots.

  22. Advantages and Disadvantages of AVMs • Advantages • AVMs are application independent. • AVMs do not have to be trusted by the auditors. • AVMs can produce evidence. • AVMs are generic and effective against an entire class of cheats. • AVMs protect the player’s privacy for anti-cheating. • Disadvantages • AVMs cannot detect bugs or weaknesses in the software S. • AVMs cannot detect the correctness of inputs. • AVMs face additional challenges in the cloud: • auditors cannot easily replay the entire execution for lack of resources; • accountable services must be able to interact with non-accountable clients; • it may not be practical to sign every single packet.

  23. Discussion clues • For some long-running applications, it is impossible to check the entire log, but spot checking loses completeness, so is there a trade-off between completeness, accuracy and effectiveness? • The application in this paper is a non-cloud-based game and not a practical scenario, so is that sufficient to evaluate AVMs? • AVMs rely on the server to record all incoming and outgoing messages and assume that all the users agree on a virtual machine in which the application is executed. However, this is not practical in existing cloud platforms, which do not provide this functionality to their clients. • Because different operating systems are available for virtual machines, how can the logging of AVMs be managed in a cloud that uses a large number of different operating systems?

  24. Thank you!
