scotch combining software guard extensions and system
play

Scotch: Combining Software Guard Extensions and System Management - PowerPoint PPT Presentation

Jul 24, 2023 •221 likes •704 views

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage Kevin Leach 1 , Fengwei Zhang 2 , and Westley Weimer 1 1 University of Michigan, 2 Wayne State University Leach, Zhang, & Weimer 1 / 19

  1. Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage Kevin Leach 1 , Fengwei Zhang 2 , and Westley Weimer 1 1 University of Michigan, 2 Wayne State University Leach, Zhang, & Weimer 1 / 19

  2. Summary We use Intel Software Guard Extensions (SGX) and System Management Mode (SMM) to accurately monitor resource consumption of virtual machines (VMs) in the presence of a compromised VM or hypervisor Leach, Zhang, & Weimer 2 / 19

  3. Motivation ◮ Multi-tenant cloud computing increases utilization ◮ Client agrees to pay Cloud provider for a particular service level ◮ e.g., $1 per hour of CPU time Leach, Zhang, & Weimer 3 / 19

  4. Motivation ◮ Multi-tenant cloud computing increases utilization ◮ Client agrees to pay Cloud provider for a particular service level ◮ e.g., $1 per hour of CPU time ◮ Cloud provider depends on hypervisor/virtual machine monitor (VMM) platform to distribute resources ◮ Xen, QEMU, etc. Cloud VMM VM 1 VM 2 VM 3 Leach, Zhang, & Weimer 3 / 19

  5. Motivation ◮ Multi-tenant cloud computing increases utilization ◮ Client agrees to pay Cloud provider for a particular service level ◮ e.g., $1 per hour of CPU time ◮ Cloud provider depends on hypervisor/virtual machine monitor (VMM) platform to distribute resources ◮ Xen, QEMU, etc. Cloud VMM 1 1 1 3 CPU 3 CPU 3 CPU VM 1 VM 2 VM 3 If all 3 VMs peg the CPU, the VMM must decide how to allocate CPU time based on each client’s service level. Leach, Zhang, & Weimer 3 / 19

  6. Motivation ◮ Cloud provider depends on VMM platform to distribute resources Leach, Zhang, & Weimer 4 / 19

  7. Motivation ◮ Cloud provider depends on VMM platform to distribute resources ◮ Two issues Leach, Zhang, & Weimer 4 / 19

  8. Motivation ◮ Cloud provider depends on VMM platform to distribute resources ◮ Two issues 1. What if the VMM/cloud provider is malicious? ◮ Manipulate resource consumption to bill customers more Leach, Zhang, & Weimer 4 / 19

  9. Motivation ◮ Cloud provider depends on VMM platform to distribute resources ◮ Two issues 1. What if the VMM/cloud provider is malicious? ◮ Manipulate resource consumption to bill customers more 2. What if the VMM is vulnerable to malicious VMs? ◮ Malicious VM manipulates resource consumption to steal resources from benign customers Leach, Zhang, & Weimer 4 / 19

  10. Resource Accounting Attacks ◮ Benign Behavior VMM decides to bill a guest: 1 2 1 2 1 2 1 1 2 1 2 1 2 1 . . . 0ms 30ms 60ms 90ms 120ms 150ms 180ms CPU time The Xen hypervisor regularly checks which VM is active to determine how much CPU time each VM uses Leach, Zhang, & Weimer 5 / 19

  11. Resource Accounting Attacks ◮ Malicious Behavior VMM decides to bill a guest: 1 1 1 1 1 2 1 2 1 2 1 . . . 0ms 30ms 60ms 90ms 120ms 150ms 180ms CPU time A malicious VM (2) with knowledge of the VMM can affect the appearance of resource consumption by itself and benign VMs. Leach, Zhang, & Weimer 6 / 19

  12. Resource Interference Attacks Attacker can take advantage of known victim behavior Victim VM Flood HTTP server Malicious VM (webserver) Free CPU cycles Thrash from I/O Malicious VM can cause benign VM to free up resources for itself Leach, Zhang, & Weimer 7 / 19

  13. VM Escape Attack Malicious VM can exploit buggy VMM implementation, allowing code execution with VMM privilege ◮ Could potentially alter resource consumption to hide itself Leach, Zhang, & Weimer 8 / 19

  14. Scotch: Transparent Cloud Resource Accounting Two desired properties 1. Transparent ◮ The underlying VMM and VMs are not aware accounting occurs 2. Tamper-resistant ◮ A malicious VMM or VM guest cannot reliably alter accounting data Leach, Zhang, & Weimer 9 / 19

  15. Insights for Scotch ◮ System Management Mode High priority System Management Interrupt causes CPU to atomically execute SMM handler code Leach, Zhang, & Weimer 10 / 19

  16. Insights for Scotch ◮ System Management Mode High priority System Management Interrupt causes CPU to atomically execute SMM handler code ◮ Use SMM to collect raw resource consumption data Leach, Zhang, & Weimer 10 / 19

  17. Insights for Scotch ◮ System Management Mode High priority System Management Interrupt causes CPU to atomically execute SMM handler code ◮ Use SMM to collect raw resource consumption data ◮ SMM logically collects data, then relays it to SGX enclave Leach, Zhang, & Weimer 10 / 19

  18. Insights for Scotch ◮ Software Guard Extensions Enclave-based trusted execution environment (TEE); userspace code runs in isolation Leach, Zhang, & Weimer 11 / 19

  19. Insights for Scotch ◮ Software Guard Extensions Enclave-based trusted execution environment (TEE); userspace code runs in isolation ◮ Use SGX enclave so that benign user can monitor and verify their resource consumption Leach, Zhang, & Weimer 11 / 19

  20. Insights for Scotch ◮ Software Guard Extensions Enclave-based trusted execution environment (TEE); userspace code runs in isolation ◮ Use SGX enclave so that benign user can monitor and verify their resource consumption ◮ Raw data collected by SMM is relayed to SGX enclave Leach, Zhang, & Weimer 11 / 19

  21. Scotch: Transparent Cloud Resource Accounting Protected System VMM (e.g., Xen) SGX Enclave 1 VM1 data VM1 VM2 VM3 VM2 data VM3 data 2 SGX Enclave 4 True timer 3 5 SMI Handler Data 1. VMM decides to switch between VM guests Leach, Zhang, & Weimer 12 / 19

  22. Scotch: Transparent Cloud Resource Accounting Protected System VMM (e.g., Xen) SGX Enclave 1 VM1 data VM1 VM2 VM3 VM2 data VM3 data 2 SGX Enclave 4 True timer 3 5 SMI Handler Data 2. Scotch measures resource consumption by invoking SMM every context switch Leach, Zhang, & Weimer 12 / 19

  23. Scotch: Transparent Cloud Resource Accounting Protected System VMM (e.g., Xen) SGX Enclave 1 VM1 data VM1 VM2 VM3 VM2 data VM3 data 2 SGX Enclave 4 True timer 3 5 SMI Handler Data 3. SMM handler executes resource accounting in isolation Leach, Zhang, & Weimer 12 / 19

  24. Scotch: Transparent Cloud Resource Accounting Protected System VMM (e.g., Xen) SGX Enclave 1 VM1 data VM1 VM2 VM3 VM2 data VM3 data 2 SGX Enclave 4 True timer 3 5 SMI Handler Data 4. Data is marshalled to SGX enclave within VM Leach, Zhang, & Weimer 12 / 19

  25. Scotch: Transparent Cloud Resource Accounting Protected System VMM (e.g., Xen) SGX Enclave 1 VM1 data VM1 VM2 VM3 VM2 data VM3 data 2 SGX Enclave 4 True timer 3 5 SMI Handler Data 5. Benign VM can monitor resource accounting data with high integrity Leach, Zhang, & Weimer 12 / 19

  26. Evaluation Research Questions ◮ RQ1: Can we maintain accurate accounting during scheduler attacks? ◮ RQ2: What is our overhead on benign workloads? ◮ RQ3: Can we maintain accurate accounting during resource interference attacks? ◮ RQ4: Can we maintain accurate accounting during VM escape attacks? Leach, Zhang, & Weimer 13 / 19

  27. RQ1: Scheduler Attacks ◮ Implement controllable scheduler ◮ Simulate attacker by altering the CPU time allocation by a varying degree Leach, Zhang, & Weimer 14 / 19

  28. RQ1: Scheduler Attacks ◮ Implement controllable scheduler ◮ Simulate attacker by altering the CPU time allocation by a varying degree ◮ Run two VMs, one simulated attacker and one benign ◮ Both are computing indicative workloads: pi , gzip , and the PARSEC benchmarks Leach, Zhang, & Weimer 14 / 19

  29. RQ1: Scheduler Attacks ◮ Implement controllable scheduler ◮ Simulate attacker by altering the CPU time allocation by a varying degree ◮ Run two VMs, one simulated attacker and one benign ◮ Both are computing indicative workloads: pi , gzip , and the PARSEC benchmarks ◮ Compare observed CPU time consumption presented by Xen vs. Scotch Leach, Zhang, & Weimer 14 / 19

  30. RQ1: Scheduler Attacks ◮ Implement controllable scheduler ◮ Simulate attacker by altering the CPU time allocation by a varying degree ◮ Run two VMs, one simulated attacker and one benign ◮ Both are computing indicative workloads: pi , gzip , and the PARSEC benchmarks ◮ Compare observed CPU time consumption presented by Xen vs. Scotch ◮ TL;DR Scotch shows significant difference in allocated CPU time Leach, Zhang, & Weimer 14 / 19

  31. RQ1: Scheduler Attacks Table : Ratio of attacker VM CPU time to guest VM CPU time. Scheduler attack severity level Benign 1 3 5 7 9 10 Scotch 1.00 1.04 1.10 1.17 1.26 1.36 1.41 ground truth 0.99 1.05 1.12 1.17 1.25 1.35 1.39 Leach, Zhang, & Weimer 15 / 19

  32. RQ1: Scheduler Attacks Table : Ratio of attacker VM CPU time to guest VM CPU time. Scheduler attack severity level Benign 1 3 5 7 9 10 Scotch 1.00 1.04 1.10 1.17 1.26 1.36 1.41 ground truth 0.99 1.05 1.12 1.17 1.25 1.35 1.39 The attacker receives disproportionate CPU time. Ground truth obtained with Xentrace. Leach, Zhang, & Weimer 15 / 19

  33. RQ2: Overhead ◮ Invoking SMIs to run accounting code can be costly Leach, Zhang, & Weimer 16 / 19

  34. RQ2: Overhead ◮ Invoking SMIs to run accounting code can be costly ◮ Accounting code takes 2248 ± 69 cycles to execute ◮ Roughly 1 µ s incurred every context switch Leach, Zhang, & Weimer 16 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scotch Whisky From humble beginnings to global success The Scotch Whisky Association is the trade

Scotch Whisky From humble beginnings to global success The Scotch Whisky Association is the trade

Scotch Whisky From humble beginnings to global success The Scotch Whisky Association is the trade body for the Scotch Whisky industry. Established in 1912 70 member companies, including Diageo, Chivas, Edrington & William Grants

349 views • 12 slides
BRAND PRESENTATION THE BLENDED SCOTCH WHISKY MARKET SCOTCH WHISKY, THE 1 ST WHISKY CATEGORY

BRAND PRESENTATION THE BLENDED SCOTCH WHISKY MARKET SCOTCH WHISKY, THE 1 ST WHISKY CATEGORY

BRAND PRESENTATION THE BLENDED SCOTCH WHISKY MARKET SCOTCH WHISKY, THE 1 ST WHISKY CATEGORY RANKING WHISKY CATEGORIES WORLDWIDE WHISKY CAT. SCOTCH #1 #2 US LENDED WHI IES BLEN HISKIE Blended Scotch Whisky #1 of the category CANADIAN

401 views • 36 slides
The Perfect Mix Building a brand for Millennials The Brand No.1 Scotch Whisky in Europe No. 2

The Perfect Mix Building a brand for Millennials The Brand No.1 Scotch Whisky in Europe No. 2

The Perfect Mix Building a brand for Millennials The Brand No.1 Scotch Whisky in Europe No. 2 Scotch Whisky Globally No.1 Scotch Whisky in Europe No. 2 Scotch Whisky Globally But needing to attract new consumers The Challenge Connecting

666 views • 35 slides
Practical implications of Intel SGX with Graphene July 4th, 2019 Derk Barten Robin Klusman

Practical implications of Intel SGX with Graphene July 4th, 2019 Derk Barten Robin Klusman

Practical implications of Intel SGX with Graphene July 4th, 2019 Derk Barten Robin Klusman Software Guard Untrusted system Trusted enclave Extensions Attestation (SGX) Encrypted & isolated memory Integrity,

266 views • 22 slides
How to mature a 20 y.o. Scotch Franois Pellegrini EQUIPE PROJET BACCHUS Bordeaux 02/02/2012

How to mature a 20 y.o. Scotch Franois Pellegrini EQUIPE PROJET BACCHUS Bordeaux 02/02/2012

How to mature a 20 y.o. Scotch Franois Pellegrini EQUIPE PROJET BACCHUS Bordeaux 02/02/2012 Sud-Ouest Outline of the talk Graph partitioning The Scotch project and history Licensing issues Some lessons (to be) learnt

583 views • 30 slides
CSci 5271 Software-based Fault Isolation Navid Emamdoost navid@cs.umn.edu Oct-16-2014 Need for

CSci 5271 Software-based Fault Isolation Navid Emamdoost navid@cs.umn.edu Oct-16-2014 Need for

CSci 5271 Software-based Fault Isolation Navid Emamdoost navid@cs.umn.edu Oct-16-2014 Need for extensibility Problem with extensions UNIX vnode interface Security! Extensions may be o Add new file system Postgres database o

583 views • 6 slides
Combining a Formal Method and PSP for Improving Software Process: An Initial Report -

Combining a Formal Method and PSP for Improving Software Process: An Initial Report -

Combining a Formal Method and PSP for Improving Software Process: An Initial Report - (Work-In-Progress Report) - Shigeru KUSAKABE , Yoichi OMORI, Keijiro ARAKI Kyushu University, Japan Outline Background Personal Software Process

343 views • 31 slides
Ants, Mutants and Beyond Combining formal and stochastic techniques to improve software

Ants, Mutants and Beyond Combining formal and stochastic techniques to improve software

Nature-inspired Computing Search Based Software Engineering Genetic Improvement Automatic Improvement References References Ants, Mutants and Beyond Combining formal and stochastic techniques to improve software jerry.swan@york.ac.uk

487 views • 26 slides
Tomasz ciso Software Engineer Samsung R&D Center Poland The Earth Guard development

Tomasz ciso Software Engineer Samsung R&D Center Poland The Earth Guard development

Highly portable HTML5 games on Tizen Developer Conference May 2013 San Francisco USA Tomasz ciso Software Engineer Samsung R&D Center Poland The Earth Guard development story Code once - for Tizen and deploy your application on

350 views • 15 slides
U.S. Coast Guard Deepwater Horizon Incident Response Summary 1 More than 48,000 people

U.S. Coast Guard Deepwater Horizon Incident Response Summary 1 More than 48,000 people

U.S. Coast Guard Deepwater Horizon Incident Response Summary 1 More than 48,000 people 7,000 Coast Guard 1,625 National Guard 41,470 Contractors 723 BP 4,000 Volunteers United States Coast Guard 2 U.S. Department of

337 views • 19 slides
Extensions to the ripe-dbase Whois software Manage your IP Address Space with a customized

Extensions to the ripe-dbase Whois software Manage your IP Address Space with a customized

Extensions to the ripe-dbase Whois software Manage your IP Address Space with a customized version of the ripe database whois software Tobias Cremer, Arnd Vehling av@nethead.de Cable & Wireless, Munich, Germany nethead.de, Cologne,

1.09k views • 82 slides
SEA-PT 2017 Dave Mc Myler Pollution and Ship Casualty Irish Coast Guard Irish Coast Guard -

SEA-PT 2017 Dave Mc Myler Pollution and Ship Casualty Irish Coast Guard Irish Coast Guard -

SEA-PT 2017 Dave Mc Myler Pollution and Ship Casualty Irish Coast Guard Irish Coast Guard - Garda Csta na hireann Economic health of the State depends on Shipping as a Safe form of transport Introduction Brief on Irish Coast Guard

102 views • 9 slides
Enabling System Transactions via Lightweight Kernel Extensions R.P. Spillane, S. Gaikwad. M.

Enabling System Transactions via Lightweight Kernel Extensions R.P. Spillane, S. Gaikwad. M.

Enabling System Transactions via Lightweight Kernel Extensions R.P. Spillane, S. Gaikwad. M. Chinni, C.P. Wright, E. Zadok Stony Brook University http://www.fsl.cs.sunysb.edu/ Summary What is the design complexity of system transactions

288 views • 26 slides
Learning about the Earth from a scotch egg: How children learn with analogies and how to teach

Learning about the Earth from a scotch egg: How children learn with analogies and how to teach

Learning about the Earth from a scotch egg: How children learn with analogies and how to teach with them effectively Matthew Slocombe Centre for Educational Neuroscience University of London Primary Science Education Conference Edinburgh 8

749 views • 60 slides
CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck Nadia Heninger Frank Piessens Berk Sunar Trusted Execution Environment (TEE) Intel SGX Intel Software Guard eXtensions (SGX) App

894 views • 42 slides
Restrictions and Extensions of Data Automata Zhilin Wu Institute of Software, Chinese Academy of

Restrictions and Extensions of Data Automata Zhilin Wu Institute of Software, Chinese Academy of

Restrictions and Extensions of Data Automata Zhilin Wu Institute of Software, Chinese Academy of Sciences LOCALI 2013, Fragrant Hill Hotel, Nov. 04-07, 2011 Zhilin Wu (ISCAS) Restrictions and Extensions of Data Automata LOCALI 2013, Nov.

1.01k views • 66 slides
PathArmor : Practical Context-Sensitive CFI Dennis Andriesse , Victor van der Veen ,

PathArmor : Practical Context-Sensitive CFI Dennis Andriesse , Victor van der Veen ,

PathArmor : Practical Context-Sensitive CFI Dennis Andriesse , Victor van der Veen , s , Ben Gras , Lionel Sambuc , Asia Slowinska , Enes G okta Herbert Bos , Cristiano Giuffrida Joint first authorship

588 views • 42 slides
Overview of Indeterminate Cytology Scott Boerner MD FRCPC Head Cytopathology, University Health

Overview of Indeterminate Cytology Scott Boerner MD FRCPC Head Cytopathology, University Health

83 rd Annual Meeting American Thyroid Association Overview of Indeterminate Cytology Scott Boerner MD FRCPC Head Cytopathology, University Health Network University of Toronto PRESENTATION FROM THE 83rd ANNUAL MEETING OF THE AMERICAN THYROID

662 views • 26 slides
Chris Hopkins, PhD, MBA and CSO patient variant drug p.R292H pathogenicity Is this variant in

Chris Hopkins, PhD, MBA and CSO patient variant drug p.R292H pathogenicity Is this variant in

Chris Hopkins, PhD, MBA and CSO patient variant drug p.R292H pathogenicity Is this variant in my patient pathogenic or benign? "The Doctor" by Sir Luke Fildes (1891) Drop in genome price drives increase in patient variant

500 views • 22 slides
Possible & Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an

Possible & Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an

Possible & Impossible Infinities Michael Huemer owl232@earthlink.net Problem When is an infinite series impossible? 6 Infinite 3 False A Better Series Theories Theory Six Infinities The Truth Regress Series: P. Its true that P.

464 views • 30 slides
SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun,

SigPID: Significant Permission Identification for Android Malware Detection Authors: Lichao Sun, Zhiqiang Li, Qiben Yan, Witawas Srisa-an and Yu Pan Department of Computer Science and Engineering University of Nebraska Lincoln Presenters: Yu

999 views • 24 slides
Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah,

Traffic Pattern-based C Adaptive Routing in Dragonfly Networks Peyman Faizian , ShafayatRahman Scott Pakin AtiqulMollah, Xin Yuan Mike Lang Florida State University Los Alamos National Laboratory Motivation Dragonfly has been known as a

491 views • 33 slides
Ranking and classifying the VUS for family counseling: Using a model from cancer researchers

Ranking and classifying the VUS for family counseling: Using a model from cancer researchers

Ranking and classifying the VUS for family counseling: Using a model from cancer researchers Martin Tristani-Firouzi, MD Division of Pediatric Cardiology Nora Eccles Harrison CVRTI University of Utah School of Medicine Disclosure The speaker

883 views • 33 slides
seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

704 views • 45 slides

More recommend