Eliminating Fine Grained Timers in Xen
Bhanu Vattikonda with Sambit Das and Hovav Shacham
• Motivation
• Project goals
• Goals of the paper
• Discussion
• Future work
Motivation
Recent research efforts have shown that covert channel attacks are possible in the cloud using fine grained timers [Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al.]
Presence of covert channels indicates the likelihood of side channels
Side channels could be exploited to obtain confidential information from the victim VM
Some attacks do not require fine grained timers:
Determining whether two VMs are co-resident
This is done by using network addresses and verifying that the dom0 IP address is the same for both the VMs
[Figure: a server hosting VM1, VM2 and dom0; a prober; traceroute probes]
Whereas some attacks require access to fine grained timers:
Sandboxed VMs can communicate using cache as a covert channel
This attack assumes that the VMs are co-located
Send “1”:
1. Load cache and de-schedule
2. Disturb cache
3. High read time for loaded data
Send “0”:
1. Load cache and de-schedule
2. Do nothing
3. Low read time for loaded data
[Figure: the steps above drawn as an exchange between Sender and Receiver]
Project goals
Prevent covert channel and side channel attacks
Eliminating access to fine grained timers could prevent such attacks [Reducing timing channels with fuzzy time, Wei-Ming Hu]
Goals of the paper
Can fine grained timers be eliminated from the system?
What impact does it have on the utility of the system?
How coarse can the timers be?
Not addressed in the paper
Thorough evaluation of security benefits
Preventing alternative attack strategies to obtain fine grained timers
Can fine grained timers be eliminated from the system?
Various sources of fine grained timers:
• RDTSC instruction (cycle counter on x86 processors)
• gettimeofday
• clock_gettime
System time read by gettimeofday and clock_gettime gets updated using the value of the RDTSC register
Modifying the value returned by the RDTSC instruction should affect all timers
Yes!
Xen has a mode in which it traps and emulates the RDTSC instruction
In our experiments, we returned the actual RDTSC value rounded off to a certain number of cycles
To measure the impact, we measure the difference between return values of consecutive RDTSC instructions
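The step-function rounding and the consecutive-read measurement described above, as an added example (not code from the paper or from Xen). The names `fuzz_tsc`, `observed_delta` and `distinguishing_offsets` are hypothetical, rounding down is an assumed reading of "rounded off", and the 40- and 300-cycle costs are constructed stand-ins for a fast and a slow read.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Step function: round the raw cycle count down to a multiple of
 * `granularity` cycles. Hypothetical helper, not Xen's emulation code. */
uint64_t fuzz_tsc(uint64_t raw, uint64_t granularity)
{
    if (granularity <= 1)
        return raw;                 /* no fuzzing */
    return raw - (raw % granularity);
}

/* What a guest sees when it reads the fuzzed counter at raw cycle `start`
 * and again `cost` cycles later: the difference of two consecutive reads. */
uint64_t observed_delta(uint64_t start, uint64_t cost, uint64_t granularity)
{
    return fuzz_tsc(start + cost, granularity) - fuzz_tsc(start, granularity);
}

/* Over every start phase within one step, count the phases at which a fast
 * and a slow operation still give different observed deltas. */
uint64_t distinguishing_offsets(uint64_t fast, uint64_t slow, uint64_t granularity)
{
    uint64_t n = 0;
    uint64_t phases = granularity ? granularity : 1;
    for (uint64_t s = 0; s < phases; s++)
        if (observed_delta(s, fast, granularity) != observed_delta(s, slow, granularity))
            n++;
    return n;
}

int main(void)
{
    /* Constructed costs: 40 cycles (fast read), 300 cycles (slow read). */
    const uint64_t steps[] = { 1, 1000, 10000 };
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++)
        printf("granularity %" PRIu64 ": %" PRIu64 " of %" PRIu64 " phases differ\n",
               steps[i], distinguishing_offsets(40, 300, steps[i]), steps[i]);
    return 0;
}
```

With a step of 10000 cycles every observed difference is either 0 or one full step, and the two costs give different readings at 260 of the 10000 possible start phases. That residue is what an evaluation of the security benefit would have to quantify.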
What impact does it have on the utility of the system?
We evaluate the impact of clock fuzziness on a small testbed of two machines running Xen 4.0.1 on CentOS 5.5
[Figure: testbed with Server1 (VM1) and Server2 (VM2)]
Compute intensive jobs are not affected
We run a fast Fourier transform and measure the completion time
Network performance is not affected either; the impact on throughput and RTT is insignificant
RTT is measured using a UDP based ping between the VMs
Throughput is measured using a long lasting TCP flow between the VMs
Negligible impact on the finish times of all-to-all transfer
The two VMs send 1GB of data to each other and we measure the completion time
Performance of Apache web server is also unaffected
Requests per second measured by requesting a ~200KB file
Throughput measured by requesting a ~15MB file from a web server running on the VM
How coarse can the timers be?
Para-virtualized system becomes unusable at a fuzziness of 10000 cycles (10s of microseconds)
In the case of fully virtualized systems the system becomes unusable at a fuzziness of 100 million cycles (100s of milliseconds)
Performance of TCP applications begins to degrade at high fuzziness (1ms)
Performance of other applications is not affected
It should be possible to modify the granularity of the clock to 100s of microseconds
Fine grained timing using userspace counter
On a multi-processor system, a thread can be dedicated to maintain a counter and used in place of the RDTSC counter
The amount of time taken for a constant number of nops has variance
Future work
Push the limit on coarseness of the timer in the case of para-virtualized system
We only explored a step function for eliminating fine grained timers; other functions need to be explored
Evaluate the feasibility of existing attack strategies on the modified system
Summary
Fine grained timers in Xen can be eliminated
Performance of typical cloud based applications is not affected by the elimination of fine grained timers
Security benefits achieved due to the elimination of timers must be evaluated
The impact on security of using other methods to obtain fine grained timers must be evaluated
Thank you!