Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services)

Transcription

1 1 Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vnfo joint with Seyed Fayazbakhsh, Mike Reiter VRA joint with Chen Chen, Petros Mania9s, Adrian Perrig, Amit Vasudevan

2 Middleboxes are valuable, Type of appliance Number Firewalls 166 NIDS 127 Media gateways 110 Load balancers 67 Proxies 66 VPN gateways 45 WAN Op9mizers 44 Voice gateways 11 but have many pain points! Based on survey responses + discussions High Capital Expenses Device Sprawl High Opera9ng Expenses e.g., separate management teams need manual tuning? Inflexible, difficult to extend à need for new boxes! [COMB, NSDI 12] 2

3 Case for Network Func9on Outsourcing (NFO) Today: High CapEx, OpEx, Delay in innova9on Cloud Provider + Economies of scale, pay- per use Internet + Simplifies configura9on & deployment [APLOMB, SIGCOMM 12] 3

4 Concerns with ceding control Cloud Provider Internet Correctness proper9es: Behavior, Performance, Accoun9ng Outside scope: Isola9on, privacy,.. [vnfo, HotMiddlebox 13] 4

5 5 What makes this challenging? Lack of visibility into the workload Dynamic, traffic- dependent, and proprietary ac9ons of the network func9ons Stochas9c effects introduced by the network

6 6 Outline Mo9va9on for verifiable NFO Formalizing proper9es A roadmap for vnfo Discussion

7 Formal Framework CPU, Mem Management Interface Net CPU, Mem B CPU, B Mem, B Net f 1 σ 1. in in,,... f n σ n Packet Space State Space f :( )! ( ) Reference implementa9on Customer sto bf i 7

8 8 Blackbox Behavioral Correctness in ˆf 1 σ 1. ˆfn σ n visible to customer in?? σ 1 σ n ˆf 1 ˆfn viable state? Is there some.

9 9 Snapshot Behavioral Correctness in ˆf 1 σ 1. ˆfn σ n visible to customer in ˆf 1 ˆfn same put? Would I get the σ 1. σ n?

10 Performance Correctness ˆf 1 σ 1. in in,,... ˆfn σ n t 1, t 2,... in in, ˆf 1 ˆfn take this long? Would it really σ 1. σ n t 1, t 2,... π 1, π 2,... Observed provider performance Reference performance 10

11 11 Did- I Accoun9ng Correctness ˆf 1 σ 1. in in,,... ˆfn σ n Did It actually consume? Charged value of resource r Consump9on of resource r by provider

12 12 Should- I Accoun9ng Correctness ˆf 1 σ 1. in in,,... ˆfn σ n Should It really cost this much? Consump9on of resource r by provider Consump9on of resource r by reference implementa9on

13 13 Outline Mo9va9on for NFO + vnfo Formalizing vnfo proper9es A roadmap for vnfo Discussion

14 14 Verifiable NFO (vnfo) Overview CPU, Mem Management Interface Net CPU, Mem B CPU, B Mem, B Net. in in,,... Each func9on is implemented as a virtual appliance. NFO provider deploys a trusted shim for logging. Customer

15 15 Behavioral + Performance Correctness CPU, Mem Management Interface Net CPU, Mem B CPU, B Mem, B Net. in in,,... Customer Shim logs: every packet, VM state, 9mestamps per packet

16 16 Challenges! CPU, Mem Management Interface Net CPU, Mem B CPU, B Mem, B Net. in in,, Middlebox ac9ons make it difficult to correlate logs 2. Scalability and performance impact due to logging Customer

17 Poten9al solu9ons to challenges 1. Lack of visibility into middlebox ac9ons: Packets may be modified by middleboxes. FlowTags: NSDI Scalability Infeasible to log all packets and processing stats. Trajectory Sampling 17

18 18 Outline Mo9va9on for NFO + vnfo Formalizing vnfo proper9es A roadmap for vnfo Verifiable accoun9ng for Did- I correctness Discussion

19 19 Did- I Accoun9ng Correctness ˆf 1 σ 1. in in,,... ˆfn σ n Did It actually consume? Charged value of resource r Consump9on of resource r by provider

20 Desired Proper9es Image Integrity What is running Execu9on Integrity How it is running Accoun9ng Integrity Only chargeable events are accounted 20

21 ALIBI Design Overview Co-tenant Instance Customer s Instance (VM) Integrity protected Trusted Untrusted Provider Software Observer chargeable event Report Verifier HW Image Integrity via Aqested Instance Launch Execu9on Integrity Accoun9ng Integrity via Guest- Plarorm Isola9on via Bracke9ng 21

22 22 ALIBI architecture Enhance KVM nested virtualiza9on with resource accoun9ng and protec9on L2 Guest KVM-L1 KVM-L0 HW L2 Guest Alibi Advantage Intercept cri9cal events No modifica9on to L1 hypervisor Current Implementa9on CPU accoun9ng Memory accoun9ng

23 Guest- Plarorm Isola9on (Execu9on Integrity) Memory Integrity Isolate memory pages M by instances M i is writeable only when instance i is running Control Flow Integrity Protect program stack by memory protec9on Monitor and validate guest- CPU state changes Storage Integrity Integrity protected file system 23

24 Bracke9ng (Accoun9ng integrity) map page unmap page A Instance 0 B Instance 1 Event Detec9on Control transfer Memory mapping and unmapping Event Aqribu9on Associate resource usage with CPU ownership Instance 0 C CPU Execution Event Repor9ng Collect event measurements Store and protect event measurements 24

25 25 CPU Accoun9ng Case Study Account CPU cycles directly used by L2 guest Protect Time Stamp Counter (TSC) register L2 Guest KVM-L1 KVM-L0 HW L2 Guest Alibi Get CPU cycles, e.g., RDTSC Entry into L2 guest Exit from L2 guest Virtualize TSC register Read Timestamp Counter

26 Overhead of ALIBI HW: Intel Xeon E (3.10Ghz) with 8GB RAM L2/L1: Ubuntu 9.04 (kernel version ) L0: Ubuntu (kernel version 3.5.0) and ALIBI single-level nested nested with accounting % Native (higher the better) Single- level virt. vs. na9ve (no virt.) : ~9.5% slowdown Nested virt. vs. Single- level virt. : ~6.3% slowdown ALIBI addi9onal: ~0.5% slowdown 26

27 27 Outline Mo9va9on for verifiable NFO Formalizing proper9es A roadmap for vnfo Discussion

28 Discussion Is the NFO provider willing to deploy a shim? What are the market implica9ons for customers? What is the role of SLAs? Should- I accoun9ng? I/O accoun9ng? Interes9ng anecdotes of correctness or accoun9ng problems? Minimal TCB? with nested? Crowdsourcing correctness? 28