1
Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine* Kuniyasu Suzaki† Toshiki Yagi† Kengo Iijima† Nguyen Anh Quynh† Cyrille Artho† Yoshihito Watanebe‡ † National Institute of Advanced Industrial Science and Technology ‡ Alpha Systems Inc. Main Problem: Logical Sharing (dynamic-link shared library, symbolic link, etc) has security and management problems which come from the dynamic management. Idea : Static-link shared library and substantial copy can solve the problem, but they require more memory and storage (problem1). (solution1) Current virtual machines have deduplication, which is a technique to share same-content chunks of virtual device (memory and storage), reducing the total real usage. Memory Deduplication: VMware’s Content-Based Page Sharing [SOSP’02], Xen’s Differential Engine [OSDI’08] and Satori [USENIX’09], KVM’s KSM (Kernel Samepage Management) [LinuxSymp’09]. Storage Deduplication: Venti [FAST’02], HydraStar (problem2) Unfortunately, current applications are not easy to re-compile with static-link. (solution2) “pseudo-static” converter integrates dynamic-link shared libraries into an ELF binary file. However, it requires more memory and storage than static-link, because each ELF file (Sub Problems) • search path replacement attack • GOT overwrite attack • Dependency Hell Storage Deduplication: Venti [FAST’02], HydraStar [FAST’09], LBCAS [LinuxSymp’09] storage than static-link, because each ELF file has same copy of libraries. Pseudo-static converter: statifier, ermine, and autopackage on Linux (Goal) Deduplication (Physical Sharing) mitigates the redundancy caused by “pseudo-static” converter . The combination increases security of an OS on a VM. (Implementation and evaluation) Gentoo Linux is customized by statifier on KVM virtual machine with deduplication. The storage image was increased 1.88 times (7,075MB/3,754MB). It was mitigated by LBCAS (16KB block storage deduplication) into 1.16 times (4,352MB). The memory usage at boot time was increased 2.64 times (344.2MB/130.8MB) and it was mitigated by KSM (4KB bock memory dedulicatoin) into 0.91times (101.2MB). Statifier prevents search path replacement attack and Dependency Hell, because shared libraries are included. GOT overwrite attack is mitigated because the table is prefixed and verified. Effect of Memory Deduplication * Details are presented at HotSec 2010.
