Power Attack Defense: Securing Battery-Backed Data Centers

Transcription

1 Power Attack Defense: Securing Battery-Backed Data Centers Presented by Chao Li, PhD Shanghai Jiao Tong University , Seoul, Korea

2 Risk of Power Oversubscription 2

3 3

4 01. Access Control 02. Central Antivirus 03. Network Intrusion Detection 04. Central Malware Protection 05. Application Firewall 06. Centralized Log Aggregation 07. Security Info. & Event Mgnt. 08. Host-Based Firewalls 09. Network Packet Monitoring 10. Host Intrusion Detection 11. Disk Encryption 12. Application Control 13. Data Loss Prevention 14. Antivirus for VM 15. Data at Rest Encryption 16. Host-Based Firewalls 17. Host App. Monitoring 18. Database Firewalls 19. Data Masking/Redaction 20. Per-Server Antivirus 21. Other Techniques 0% 50% 100% Adoption Rate Power-Related Security Issue Security Technologies 4

5 Outlines 1. Background and Motivation 2. Threat Model and Attack Analysis 3. Power Attack Defense 4. Evaluation and Discussion 5

6 Outlines 1. Background and Motivation 2. Threat Model and Attack Analysis 3. Power Attack Defense 4. Evaluation and Discussion 6

7 Power Delivery in Data Center 7

8 Power Infrastructure Oversubscription 8

9 Aggressive Power Oversubscription 9

10 Facebook s Battery Cabinets Facebook Battery Cabinet 10

11 Microsoft s Local Energy Storage 15% PUE improvement and 5X TCO reduction 11

12 Two Sides of the Same Coin Green Low-Cost Low-Power Security Availability Dependability 12

13 Primary Root Causes of Outages Generator Failure IT Equipment Failure Other UPS System Failure (Battery) 29% Battery Failure Weather Related 12% Weather Issue Water, Heat, CRAC Failure Accidental / Human Error 5% IT Equip. Issue 13

14 Unplanned Power Failure Do Happen [1] In the News What if an attacker tries to bring down a data center [1] Source: Ponemon Institute 14

15 Related Work Utility grid power anomaly Data center CB tripping Peak power surge System voltage noises Power Anomaly Security and Reliability Virtualizing power infrastructure (ISCA 13) Software-defined battery system (SOSP 15) Power emergency handling (ASPLOS 12) Heterogeneous battery system (ISCA 15) 15

16 Outlines 1. Background and Motivation 2. Threat Model and Attack Analysis 3. Power Attack Defense 4. Evaluation and Discussion 16

17 Understanding the Vulnerability Software Not Sensitive to Individual Power Peak Each server is allowed to reach its peak power as long as the total rack utilization is within the budget. Infrastructure Coarse-Grained Monitoring Calculate power demand based on the monitored the total energy consumption at coarse-grained intervals Hardware Slow Power Capping Normal power capping mechanisms cannot respond quickly enough to limit the sudden spikes 17

18 Threat Model A sophisticated adversary can manipulate its subscribed nodes to overload a larger cluster Opportunistically look for such a host by monitoring the VM IP Keep rebooting a few VMs until they reach the same desired location Generate simultaneously occurred power surge to overload the system 18

19 A Two-Phase Attack Phase-I: Wide Peak Power Aims at drain the UPS battery system Visible to data centers Phase-II: Narrow Power Spikes Aims at overload the server rack Invisible to data center 19

20 A Two-Phase Attack (Cont d) 20

21 Effective Power Attack Power(W) Budget Normal Load with Malicious Load Failed Attempt Effective Attack Time(s) A single spike may not result in effective attack Depend on the overcurrent and the peak current duration Repeatedly creating hidden power spikes Have good chance to overload the system Power Trace of a Rack with/without Malicious attacker 21

22 What Determines Effective Attack? Peak Height (Node Number) Peak Frequency (Intervals) Peak Width (Runtime) Power Monitor (Granularity) Power Budget (Tight or Not) Other Workloads (Type/Timing) 22

23 Outlines 1. Background and Motivation 2. Threat Model and Attack Analysis 3. PAD: Power Attack Defense 4. Evaluation and Discussion 23

24 PAD: An Overview Slow down Phase-I Attack 24

25 vdeb: Virtual Distributed Energy Backup Rack SeverA Sever Battery BatteryA SeverB BatteryB SeverC BatteryC 25

26 μdeb: Micro Distributed Energy Backup Virtual DEB alone cannot defeat a well-planned power attack Require HW mechanisms to handle the transient power spikes Micro DEB can react to any voltage surge/sags automatically Without any energy and lifetime issue 26

27 Hierarchical Security Levels 27

28 Outlines 1. Background and Motivation 2. Threat Model and Attack Analysis 3. PAD: Power Attack Defense 4. Evaluation and Discussion 28

29 PDU PAD - Evaluation Methodology Network Switch Precision Power Analyzer Charge Controller Mgmt. Node Attacker s Node VM Xen VM Server Node Server Node Server Node Server Node Battery Battery Battery SNMP Card Ethernet Sensor Circuitry 29

30 PAD - Evaluation Methodology 30

31 Attack Effectiveness Results Survival Time: 36,606 Seconds Survival Time: 60,793 Seconds Balancing battery usage could increase survival time Gives operators more time to identify malicious loads and figure out any possible solutions. 31

32 Time (Seconds) Data Center Survival Time The sustained operation duration of the evaluated Google cluster under various power attacks Conv PS PSPC udeb vdeb PAD Dense Attack Sparse Attack Dense Attack Sparse Attack Dense Attack Sparse Attack CPU Intensive Memory Intensive IO Intensive Avg. The impact of vdeb are bigger Visible power peaks dominate in overall attacking period Combing μdeb and vdeb = Better survival time 1.6X compared to the state-of-the-art baseline 32

33 Attack Effectiveness Results A B Load Shedding Ratio (%) Timestamp (x 5min) C PAD never use aggressive server shedding to save battery energy. Shutting down a small amount of servers may eliminate overload 33

34 udeb/ vdeb (%) Normalized Time Cost Impact Cost Ratio Survival Time udeb Capacity (microfarad) 15X more μdeb 40X survival time 34

35 Conclusions Modern data centers that oversubscribe their power infrastructure are prone to power attack Energy storage systems are the last line of protection against power anomaly in data centers SW and HW support are both necessary for successful power attack defense Security-aware power management allows us to safely exploit the benefits of power-constrained data centers 35

36 Thanks! 36