Moving from Logical Sharing of Guest OS
to Physical Sharing of Deduplication on Virtual Machine*
Kuniyasu Suzaki† Toshiki Yagi† Kengo Iijima† Nguyen Anh Quynh† Cyrille Artho† Yoshihito Watanebe‡
† National Institute of Advanced Industrial Science and Technology ‡ Alpha Systems Inc.
Main Problem: Logical Sharing (dynamic-link shared (Sub Problems)
library, symbolic link, etc) has security and management • search path replacement attack
problems which come from the dynamic management. • GOT overwrite attack
• Dependency Hell
Idea : Static-link shared library and substantial copy can solve the problem, but they
require more memory and storage (problem1).
(solution1) Current virtual machines have
(problem2) Unfortunately, current applications
deduplication, which is a technique to share
are not easy to re-compile with static-link.
same-content chunks of virtual device
(memory and storage), reducing the total real
Memory Deduplication: VMware’s Content-Based Page (solution2) “pseudo-static” converter integrates
Sharing [SOSP’02], Xen’s Differential Engine [OSDI’08] and
Satori [USENIX’09], KVM’s KSM (Kernel Samepage
dynamic-link shared libraries into an ELF binary
Management) [LinuxSymp’09]. file. However, it requires more memory and
Storage Deduplication: Venti [FAST’02], HydraStar storage than static-link, because each ELF file
[FAST’09], LBCAS [LinuxSymp’09]
has same copy of libraries.
Pseudo-static converter: statifier, ermine, and autopackage on
(Goal) Deduplication (Physical Sharing) mitigates the redundancy caused by
“pseudo-static” converter. The combination increases security of an OS on a VM.
(Implementation and evaluation) Gentoo
Linux is customized by statifier on KVM
virtual machine with deduplication.
The storage image was increased 1.88 times
(7,075MB/3,754MB). It was mitigated by LBCAS
(16KB block storage deduplication) into 1.16 times
The memory usage at boot time was increased 2.64 times
(344.2MB/130.8MB) and it was mitigated by KSM
(4KB bock memory dedulicatoin) into 0.91times
Statifier prevents search path replacement attack and
Dependency Hell, because shared libraries are included. Effect of Memory Deduplication
GOT overwrite attack is mitigated because the table is * Details are presented at HotSec 2010.
prefixed and verified.