Usenix security10-poster-suzaki

USENIX Security 2010 Poster. Title is "Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine".

Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine*

Kuniyasu Suzaki†, Toshiki Yagi†, Kengo Iijima†, Nguyen Anh Quynh†, Cyrille Artho†, Yoshihito Watanebe‡
† National Institute of Advanced Industrial Science and Technology
‡ Alpha Systems Inc.
* Details are presented at HotSec 2010.

Main Problem: Logical sharing (dynamic-link shared library, symbolic link, etc.) has security and management problems which come from the dynamic management.
(Sub Problems)
  • search path replacement attack
  • GOT overwrite attack
  • Dependency Hell

Idea: Static-link shared library and substantial copy can solve the problem, but:
(problem1) they require more memory and storage.
(problem2) Unfortunately, current applications are not easy to re-compile with static-link.

(solution1) Current virtual machines have deduplication, which is a technique to share same-content chunks of a virtual device (memory and storage), reducing the total real usage.
  Memory Deduplication: VMware’s Content-Based Page Sharing [SOSP’02], Xen’s Differential Engine [OSDI’08] and Satori [USENIX’09], KVM’s KSM (Kernel Samepage Management) [LinuxSymp’09].
  Storage Deduplication: Venti [FAST’02], HydraStar [FAST’09], LBCAS [LinuxSymp’09].

(solution2) A “pseudo-static” converter integrates dynamic-link shared libraries into an ELF binary file. However, it requires more memory and storage than static-link, because each ELF file has its own copy of the libraries.
  Pseudo-static converters: statifier, ermine, and autopackage on Linux.

(Goal) Deduplication (Physical Sharing) mitigates the redundancy caused by the “pseudo-static” converter. The combination increases the security of an OS on a VM.

(Implementation and evaluation) Gentoo Linux is customized by statifier on a KVM virtual machine with deduplication.
  • The storage image was increased 1.88 times (7,075MB/3,754MB). It was mitigated by LBCAS (16KB block storage deduplication) into 1.16 times (4,352MB).
  • The memory usage at boot time was increased 2.64 times (344.2MB/130.8MB) and it was mitigated by KSM (4KB block memory deduplication) into 0.91 times (101.2MB).
  [Figure: Effect of Memory Deduplication]
Statifier prevents the search path replacement attack and Dependency Hell, because shared libraries are included. The GOT overwrite attack is mitigated because the table is prefixed and verified.
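The fixed-block deduplication the poster relies on, simulated on constructed data as an added example (not code from the poster or its authors): several pseudo-static binaries each embedding the same library are deduplicated at the poster's 16KB storage and 4KB memory block sizes. It goes one step beyond the poster by also showing that the embedded copies are only shared when they fall on the same block boundary, which is why block size and file placement decide how much of the pseudo-static overhead is recovered. The library and program contents, their sizes, and the alignment model are assumptions.

```python
import hashlib
import random

BLOCK_STORAGE = 16 * 1024   # LBCAS storage block size from the poster
BLOCK_MEMORY = 4 * 1024     # KSM memory page size from the poster


def dedup_size(images, block_size):
    """Bytes kept after fixed-block deduplication: each image is cut into
    block_size chunks and identical chunks are stored once, as LBCAS
    (storage) and KSM (memory) do across the whole VM."""
    unique = {}
    for data in images:
        for off in range(0, len(data), block_size):
            chunk = data[off:off + block_size]
            unique.setdefault(hashlib.sha256(chunk).digest(), len(chunk))
    return sum(unique.values())


def build_images(lib, code_lens, block_size, aligned):
    """Constructed stand-ins (not real ELF) for pseudo-static binaries: unique
    program code followed by the same embedded library blob, as a converter
    such as statifier produces. aligned=True pads the code so the blob starts
    on a block boundary, modelling block-aligned placement on disk (assumed)."""
    images = []
    for i, n in enumerate(code_lens):
        code = random.Random(i).getrandbits(8 * n).to_bytes(n, "big")  # unique
        if aligned:
            code += b"\0" * ((-len(code)) % block_size)
        images.append(code + lib)
    return images


def compare(lib, code_lens, block_size, aligned):
    """Return (raw pseudo-static bytes, bytes after deduplication)."""
    images = build_images(lib, code_lens, block_size, aligned)
    return sum(len(img) for img in images), dedup_size(images, block_size)


def poster_scenario():
    """Constructed inputs: one 64KB library embedded by 20 programs."""
    lib = random.Random(99).getrandbits(8 * 64 * 1024).to_bytes(64 * 1024, "big")
    return lib, [3000 + 700 * i for i in range(20)]


if __name__ == "__main__":
    lib, lens = poster_scenario()
    for block in (BLOCK_STORAGE, BLOCK_MEMORY):
        for aligned in (False, True):
            raw, kept = compare(lib, lens, block, aligned)
            print(f"block={block:5d} aligned={aligned!s:5} raw={raw:8d} "
                  f"dedup={kept:8d} ratio={kept / raw:.2f}")
```

Run stand-alone it prints, for each block size, the raw size of the pseudo-static files and what survives deduplication; with aligned copies the 16KB case keeps 24 blocks out of 100, while unaligned copies are not shared at all.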
