NoHype: Virtualized Cloud Infrastructure

without the Virtualization

Eric Keller, Jakub Szefer, Jennifer Rexford, Ruby Lee

(ISCA 2010 + follow up soon to be “in submission”)

Princeton University

Virtualized Cloud Infrastructure• Run virtual machines on a hosted infrastructure

• Benefits…– Economies of scale– Dynamically scale (pay for what you use)

3

Without the Virtualization• Virtualization used to share servers

– Software layer running under each virtual machine

Physical Hardware

Hypervisor

OS OS

Apps Apps

Guest VM1 Guest VM2

servers

4

Without the Virtualization• Virtualization used to share servers

– Software layer running under each virtual machine

• Malicious software can run on the same server– Attack hypervisor– Access/Obstruct other VMs

Physical Hardware

Hypervisor

OS OS

Apps Apps

Guest VM1 Guest VM2

servers

5

Are these vulnerabilities imagined?• No headlines… doesn’t mean it’s not real

– Not enticing enough to hackers yet?(small market size, lack of confidential data)

6

Are these vulnerabilities imagined?• No headlines… doesn’t mean it’s not real

– Not enticing enough to hackers yet?(small market size, lack of confidential data)

Physical Hardware

Hypervisor

OS OS

Apps Apps

Guest VM1 Guest VM2 Large Attack Surface* 56 different exit reasons* Tremendous interaction Modest load => 20,000 exits/sec During boot => 600,000 exits/sec (Only VM, dedicated device, etc.)

7

Are these vulnerabilities imagined?• No headlines… doesn’t mean it’s not real

– Not enticing enough to hackers yet?(small market size, lack of confidential data)

Complex Underlying Code* 100K lines of code in hypervisor* 600K++ lines of code in dom0* Derived from existing OS

Physical Hardware

Hypervisor

OS OS

Apps Apps

Guest VM1 Guest VM2 Large Attack Surface* 56 different exit reasons* Tremendous interaction Modest load => 20,000 exits/sec During boot => 600,000 exits/sec (Only VM, dedicated device, etc.)

8

NoHype• NoHype removes the hypervisor

– There’s nothing to attack– Complete systems solution– Still retains the needs of a virtualized cloud infrastructure

Physical Hardware

OS OS

Apps Apps

Guest VM1 Guest VM2

No hypervisor

9

Virtualization in the Cloud• Why does a cloud infrastructure use virtualization?

– To support dynamically starting/stopping VMs– To allow servers to be shared (multi-tenancy)

• Do not need full power of modern hypervisors– Emulating diverse (potentially older) hardware– Maximizing server consolidation

10

Roles of the Hypervisor• Isolating/Emulating resources

– CPU: Scheduling virtual machines– Memory: Managing memory– I/O: Emulating I/O devices

• Networking• Managing virtual machines

Push to HW /Pre-allocation

Remove

Push to side

NoHype has a double meaning… “no hype”

11

Scheduling Virtual Machines• Scheduler called each time hypervisor runs

(periodically, I/O events, etc.)– Chooses what to run next on given core– Balances load across cores

hypervisor

timer

switc

h

I/O

switc

h

timer

switc

h

VMs

time

Today

12

Dedicate a core to a single VM• Ride the multi-core trend

– 1 core on 128-core device is ~0.8% of the processor

• Cloud computing is pay-per-use– During high demand, spawn more VMs– During low demand, kill some VMs– Customer maximizing each VMs work,

which minimizes opportunity for over-subscription

NoHype

13

Managing Memory• Goal: system-wide optimal usage

– i.e., maximize server consolidation

• Hypervisor controls allocation of physical memory0

100

200

300

400

500

600

VM/app 3 (max 400)VM/app 2 (max 300)VM/app 1 (max 400)

Today

14

Pre-allocate Memory• In cloud computing: charged per unit

– e.g., VM with 2GB memory

• Pre-allocate a fixed amount of memory– Memory is fixed and guaranteed– Guest VM manages its own physical memory

(deciding what pages to swap to disk)

• Processor support for enforcing:– allocation and bus utilization

NoHype

15

Emulate I/O Devices• Guest sees virtual devices

– Access to a device’s memory range traps to hypervisor– Hypervisor handles interrupts– Privileged VM emulates devices and performs I/O

Physical Hardware

Hypervisor

OS OS

Apps Apps

Guest VM1 Guest VM2

RealDrivers

Priv. VMDevice

Emulation

traptraphypercall

Today

16

• Guest sees virtual devices– Access to a device’s memory range traps to hypervisor– Hypervisor handles interrupts– Privileged VM emulates devices and performs I/O

Emulate I/O Devices

Physical Hardware

Hypervisor

OS OS

Apps Apps

Guest VM1 Guest VM2

RealDrivers

Priv. VMDevice

Emulation

traptraphypercall

Today

17

Dedicate Devices to a VM• In cloud computing, only networking and storage• Static memory partitioning for enforcing access

– Processor (for to device), IOMMU (for from device)

Physical Hardware

OS OS

Apps Apps

Guest VM1 Guest VM2

NoHype

18

Virtualize the Devices• Per-VM physical device doesn’t scale• Multiple queues on device

– Multiple memory ranges mapping to different queues

Processor Chipset

MemoryC

lass

ifyM

UX M

AC

/PH

Y

Network Card

Peripheralbus

NoHype

19

• Ethernet switches connect servers

Networking

server server

Today

20

• Software Ethernet switches connect VMs

Networking (in virtualized server)

Virtual server Virtual server

Software Virtual switch

Today

21

• Software Ethernet switches connect VMs

Networking (in virtualized server)

OS

Apps

Guest VM1

Hypervisor

OS

Apps

Guest VM2

hypervisor

Today

22

• Software Ethernet switches connect VMs

Networking (in virtualized server)

OS

Apps

Guest VM1

Hypervisor

OS

Apps

Guest VM2

SoftwareSwitch

Priv. VM

Today

23

Do Networking in the Network• Co-located VMs communicate through software

– Performance penalty for not co-located VMs– Special case in cloud computing– Artifact of going through hypervisor anyway

• Instead: utilize hardware switches in the network– Modification to support hairpin turnaround

NoHype

24

Removing the Hypervisor Summary• Scheduling virtual machines

– One VM per core

• Managing memory– Pre-allocate memory with processor support

• Emulating I/O devices– Direct access to virtualized devices

• Networking– Utilize hardware Ethernet switches

• Managing virtual machines– Decouple the management from operation

25

NoHype Double MeaningMeans no hypervisor, also means “no hype”

• Multi-core processors• Extended Page Tables• SR-IOV and Directed I/O (VT-d)• Virtual Ethernet Port Aggregator (VEPA)

26

NoHype on Commodity HardwareGoal: semantics of today’s virtualization

– xm create guest_01.cfg– xm shutdown guest_01

• Pre-allocate resources• Use only Virtualized I/O• Short circuit the discovery process• Unwind indirection

27

Pre-allocate ResourcesSo a hypervisor doesn’t need to manage dynamically

• CPU– Pin a VM to a core– Give complete control over that core

(including per core timer and interrupt controller)

• Memory– Utilize processor mechanism to partition memory– In Intel, EPT can be used for this

28

Use Only Virtualized I/OSo a hypervisor doesn’t have to emulate• Network card: supports virtualization today• Disk: use network boot, iSCSI

presence)

hypervisor

Guest VM1Priv. VM

core core

Loader/OS

DHCP/gPXE

servers

iSCSIservers

29

Short Circuit System DiscoverySo a hypervisor doesn’t have to respond to queries

(at run time)

• Allow guest VM to do queries during boot up– Requires a temporary hypervisor– Modify guest OS to read this during initialization

(save results for later)

• Cloud provider supplies the kernel– For security purposes and functionality

OS

hypervisor

What devices are there?

What are the processor’s features?

What is the clock freq.?

30

Unwind IndirectionSo a hypervisor doesn’t have to do mappings

– Send IPI from core 0 to core 1 (actually core 2 to 3)

– Interrupt vector 64 arrives at core 2(actually vector 77 of Guest 2)

OS

Apps

Guest 2

VCPU1

Core 3Core 2

OS

Apps

Guest 0

VCPU0

OS

Apps

Guest 2

VCPU0

VMs can move VMs can share

31

Bring it together: Setup

Xen

Guest VM1Priv. VM

xm

core core

e.g., Pre-set EPT,assign virtual devices

GuestVMspace

VMX Root

loader kernel Customer codecreate

32

Bring it together: Network Boot

Xen

Guest VM1Priv. VM

xm

core core

DHCPgPXE

servers

GuestVMspace

VMX Root

loader kernel Customer codecreate

33

Bring it together: OS Boot-up

Xen

Guest VM1Priv. VM

xm

core core

kernelSystem Discovery

GuestVMspace

VMX Root

loader kernel Customer codecreate

34

Bring it together: Switchover

Xen

Guest VM1Priv. VM

xm

core core

kernel Hypercall from kernel

Before any user code(last command in initrd)

GuestVMspace

VMX Root

loader kernel Customer codecreate

35

Block All Hypervisor Access

Xen

Guest VM1Priv. VM

xm

core core

kernel

Kill VM

iSCSIservers

GuestVMspace

VMX Root

loader kernel Customer codecreate

Any VM Exit kills the VM

36

Evaluation• Raw performance

• Assess main limitations on today’s hardware:– Ability to send IPIs– Resource sharing (side channels)

37

Raw PerformanceAbout 1%performance improvement over Xen(VTd and EPT alleviate main bottlenecks)

38

IPI DoS Attack• Victim: SPEC (libquantum), Apache

– Less than 1% performance degradation

Victim VM

Attacker VM

core

core corecore core …

39

Memory Side Channel Information• Can attacker tell how loaded victim is?

0%, 25%, 50%, 75%, 100%

0 25 50 75 1000

5

10

15

20

25

30

MCF

Load (%)

Run

tim

e

0 25 50 75 10015

16

17

18

19

20

21

22

Apache

Load (%)

40

Next Steps• Assess needs for future processors

– e.g., receiver should know source of IPI (and can mask)

• Assess OS modifications– e.g., push configuration instead of discovery

• Asses vulnerabilities from outside– e.g., management channel from customer to start VM

41

Conclusions• Trend towards hosted and shared infrastructures• Significant security issue threatens adoption• NoHype solves this by removing the hypervisor• Performance improvement is a side benefit

42

Questions?

Contact info:

ekeller@princeton.edu

http://www.princeton.edu/~ekeller

szefer@princeton.edu

http://www.princeton.edu/~szefer