
Publication


Featured research published by Tzi-cker Chiueh.


virtual execution environments | 2014

Real-time deep virtual machine introspection and its applications

Jennia Hizver; Tzi-cker Chiueh

Virtual Machine Introspection (VMI) provides the ability to monitor virtual machines (VMs) in an agentless fashion by gathering VM execution states from the hypervisor and analyzing those states to extract information about a running operating system (OS) without installing an agent inside the VM. VMI's main challenge lies in the difficulty of converting low-level byte string values into high-level semantic states of the monitored VM's OS. In this work, we tackle this challenge by developing a real-time kernel data structure monitoring (RTKDSM) system that leverages the rich OS analysis capabilities of Volatility, an open source computer forensics framework, to significantly simplify and automate analysis of VM execution states. The RTKDSM system is designed as an extensible software framework that is meant to be extended to perform application-specific VM state analysis. In addition, the RTKDSM system is able to perform real-time monitoring of any changes made to the extracted OS states of guest VMs. This real-time monitoring capability is especially important for VMI-based security applications. To minimize the performance overhead associated with real-time kernel data structure monitoring, the RTKDSM system incorporates several optimizations whose effectiveness is reported in this paper.
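
The byte-to-semantic step the abstract describes, shown as an added example that is not code from the paper or from Volatility: a toy introspection pass that decodes a guest kernel's process list out of a raw memory image, cross-checks the list walk against a signature scan (which is how a process unlinked by a rootkit shows up), and diffs two extractions the way a real-time monitor would. The guest memory is a bytearray constructed here, and the 32-byte task layout in `PROFILE` is invented for the example; a real VMI tool takes field offsets from the symbols of the exact kernel build.

```python
"""Added example, not code from the paper: a toy introspection pass that
walks a guest kernel's process list straight out of a raw memory image,
cross-checks it against a signature scan, and diffs two snapshots the way
a real-time monitor would. The guest memory is a bytearray built here, and
the 32-byte task layout below is invented for the example; a real VMI tool
(Volatility included) takes the layout from the exact kernel build's symbols."""
import struct

# Hypothetical kernel profile: field offsets inside a 32-byte task struct.
PROFILE = {"size": 32, "pid": 0, "next": 4, "prev": 8, "comm": 16, "comm_len": 16}
LIST_HEAD = 0x1000  # where the constructed guest keeps its task list head


def build_guest(procs, mem_size=0x2000):
    """Lay out a circular doubly-linked task list in fresh 'guest memory'.
    procs: list of (pid, name); the head entry at LIST_HEAD represents pid 0."""
    mem = bytearray(mem_size)
    addrs = [LIST_HEAD] + [0x1100 + i * PROFILE["size"] for i in range(len(procs))]
    entries = [(0, b"swapper")] + [(pid, name.encode()) for pid, name in procs]
    n = len(addrs)
    for i, (addr, (pid, comm)) in enumerate(zip(addrs, entries)):
        struct.pack_into("<I", mem, addr + PROFILE["pid"], pid)
        struct.pack_into("<I", mem, addr + PROFILE["next"], addrs[(i + 1) % n])
        struct.pack_into("<I", mem, addr + PROFILE["prev"], addrs[(i - 1) % n])
        start = addr + PROFILE["comm"]
        mem[start:start + PROFILE["comm_len"]] = comm[:PROFILE["comm_len"]].ljust(PROFILE["comm_len"], b"\0")
    return mem


def read_task(mem, addr):
    """Decode one task struct at a guest-physical address using the profile;
    this is the low-level-bytes-to-semantic-state step that VMI hinges on."""
    pid = struct.unpack_from("<I", mem, addr + PROFILE["pid"])[0]
    nxt = struct.unpack_from("<I", mem, addr + PROFILE["next"])[0]
    prv = struct.unpack_from("<I", mem, addr + PROFILE["prev"])[0]
    raw = bytes(mem[addr + PROFILE["comm"]:addr + PROFILE["comm"] + PROFILE["comm_len"]])
    comm = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"addr": addr, "pid": pid, "next": nxt, "prev": prv, "comm": comm}


def _in_image(mem, addr):
    """A pointer is only followed if it lands on an aligned slot inside the image."""
    return addr % PROFILE["size"] == 0 and 0 < addr <= len(mem) - PROFILE["size"]


def walk_pslist(mem, max_entries=1024):
    """Follow next pointers from the list head (what `ps` inside the guest would
    report). Guest memory is untrusted and may hold cycles or wild pointers, so
    the walk is bounded and validates every address before dereferencing it."""
    tasks, seen = [], set()
    addr = read_task(mem, LIST_HEAD)["next"]
    while addr != LIST_HEAD and addr not in seen and len(tasks) < max_entries:
        if not _in_image(mem, addr):
            break
        seen.add(addr)
        task = read_task(mem, addr)
        tasks.append(task)
        addr = task["next"]
    return tasks


def scan_tasks(mem):
    """Carve task structs by signature instead of trusting list pointers: a slot
    counts if both links point at plausible in-image slots, the name is printable
    and the pid is in range."""
    found = []
    for addr in range(0, len(mem) - PROFILE["size"] + 1, PROFILE["size"]):
        t = read_task(mem, addr)
        if (_in_image(mem, t["next"]) and _in_image(mem, t["prev"])
                and t["comm"] and t["comm"].isprintable() and t["pid"] < 65536):
            found.append(t)
    return found


def unlink_task(mem, addr):
    """Mimic a DKOM rootkit: splice a task out of the list without freeing it."""
    t = read_task(mem, addr)
    struct.pack_into("<I", mem, t["prev"] + PROFILE["next"], t["next"])
    struct.pack_into("<I", mem, t["next"] + PROFILE["prev"], t["prev"])


def find_hidden(mem):
    """Cross-view check: anything the scan finds that the list walk does not."""
    listed = {t["addr"] for t in walk_pslist(mem)} | {LIST_HEAD}
    return [t for t in scan_tasks(mem) if t["addr"] not in listed]


def diff_snapshots(old, new):
    """Real-time monitoring step: what changed between two extractions."""
    before = {t["pid"] for t in walk_pslist(old)}
    after = {t["pid"] for t in walk_pslist(new)}
    return {"started": sorted(after - before), "exited": sorted(before - after)}


if __name__ == "__main__":
    guest = build_guest([(1, "init"), (42, "sshd"), (77, "rootkitd")])
    print("pslist:", [(t["pid"], t["comm"]) for t in walk_pslist(guest)])
    unlink_task(guest, walk_pslist(guest)[-1]["addr"])
    print("pslist after DKOM:", [t["pid"] for t in walk_pslist(guest)])
    print("hidden:", [(t["pid"], t["comm"]) for t in find_hidden(guest)])
```

The two design points worth carrying over to real tooling are the bounded, validated list walk (a guest can corrupt its own kernel structures at will, and the monitor must not hang or crash on them) and the cross-view comparison, which is what turns a semantic extraction into a security signal.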


virtual execution environments | 2013

Introspection-based memory de-duplication and migration

Jui-Hao Chiang; Han-Lin Li; Tzi-cker Chiueh

Memory virtualization abstracts a physical machine's memory resource and presents to the virtual machines running on it a piece of physical memory that can be shared, compressed and moved. To optimize memory resource utilization by fully leveraging the flexibility afforded by memory virtualization, it is essential that the hypervisor have some sense of how the guest VMs use their allocated physical memory. One way to do this is virtual machine introspection (VMI), which interprets byte values in a guest memory space as semantically meaningful data structures. However, identifying a guest VM's memory usage information, such as its free memory pool, is non-trivial. This paper describes a bootstrapping VM introspection technique that can accurately extract free memory pool information from multiple versions of Windows and Linux without kernel version-specific hard-coding, how to apply this technique to improve the efficiency of memory de-duplication and memory state migration, and the resulting improvement in memory de-duplication speed, gain in additional memory pages de-duplicated, and reduction in traffic loads associated with memory state migration.


international symposium on computer architecture | 2013

Secure I/O device sharing among virtual machines on multiple hosts

Cheng-Chun Tu; Chao-Tang Lee; Tzi-cker Chiueh

Virtualization allows flexible mappings between physical resources and virtual entities, and improves allocation efficiency and agility. Unfortunately, most existing virtualization technologies are limited to resources in a single host. This paper presents the design, implementation and evaluation of a multi-host I/O device virtualization system called Ladon, which enables I/O devices to be shared among virtual machines running on multiple hosts in a secure and efficient way. Specifically, Ladon uses a PCIe network to connect multiple servers with PCIe devices and allows VMs running on these servers to directly interact with these PCIe devices without interfering with one another. Through an evaluation of a fully operational Ladon prototype, we show that there is no throughput or latency penalty for the multi-host I/O virtualization enabled by Ladon compared to existing single-host I/O virtualization technology.


virtual execution environments | 2015

A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery

Cheng-Chun Tu; Michael Ferdman; Chao-tung Lee; Tzi-cker Chiueh

As the performance overhead associated with CPU and memory virtualization becomes largely negligible, research efforts are directed toward reducing the I/O virtualization overhead, which mainly comes from two sources: DMA set-up and payload copy, and interrupt delivery. The advent of SR-IOV and MR-IOV effectively reduces the DMA-related virtualization overhead to a minimum. Therefore, the last battleground for minimizing virtualization overhead is how to directly deliver every interrupt to its target VM without involving the hypervisor. This paper describes the design, implementation, and evaluation of a KVM-based direct interrupt delivery system called DID. DID delivers interrupts from SR-IOV devices, virtual devices, and timers to their target VMs directly, completely avoiding VM exits. Moreover, DID does not require any modifications to the VM's operating system and preserves the correct priority among interrupts in all cases. We demonstrate that DID reduces the number of VM exits by a factor of 100 for I/O-intensive workloads, decreases the interrupt invocation latency by 80%, and improves the throughput of a VM running Memcached by a factor of 3.


architectures for networking and communications systems | 2014

Marlin: a memory-based rack area network

Cheng-Chun Tu; Chao-Tang Lee; Tzi-cker Chiueh

Disaggregation of hardware resources that are traditionally embedded within individual servers into separate resource pools is an emerging architectural trend in hyperscale data center design, as exemplified by Facebook's disaggregated rack architecture. This paper presents the design, implementation and evaluation of a PCIe-based rack area network system called Marlin, which is designed to support the communications and resource sharing needs of disaggregated racks. By virtue of being based on PCIe, Marlin presents a memory-based addressing model for both I/O device sharing among multiple hosts and inter-host communications. That is, when a node communicates with other nodes or accesses resources in the same rack, it uses memory read and write operations. In the area of inter-node communications, Marlin offers hardware-based remote direct memory access (HRDMA) as a first-class communications primitive between servers within a rack. In addition, Marlin supports socket-based communications for legacy network applications and cross-machine zero memory copying for applications designed specifically to take full advantage of memory-based communications. Empirical measurements on a fully operational Marlin prototype based on 4-lane Gen3 PCIe technology show that the one-way kernel-to-kernel latency is 8.5 μs and the end-to-end sustainable TCP throughput is 19.6 Gbps.


architectural support for programming languages and operating systems | 2012

An update-aware storage system for low-locality update-intensive workloads

Dilip Nijagal Simha; Maohua Lu; Tzi-cker Chiueh

Traditional storage systems provide a simple read/write interface, which is inadequate for low-locality update-intensive workloads because it limits the disk scheduling flexibility and results in inefficient use of buffer memory and raw disk bandwidth. This paper describes an update-aware disk access interface that allows applications to explicitly specify disk update requests and associate with such requests call-back functions that will be invoked when the requested disk blocks are brought into memory. Because call-back functions offer a continuation mechanism after retrieval of requested blocks, storage systems supporting this interface are given more flexibility in scheduling pending disk update requests. In particular, this interface enables a simple but effective technique called Batching mOdifications with Sequential Commit (BOSC), which greatly improves the sustained throughput of a storage system under low-locality update-intensive workloads. In addition, together with a space-efficient low-latency disk logging technique, BOSC is able to deliver the same durability guarantee as synchronous disk updates. Empirical measurements show that the random update throughput of a BOSC-based B+ tree is more than an order of magnitude higher than that of the same B+ tree implementation on a traditional storage system.


international conference on systems | 2014

In-Band Control for an Ethernet-Based Software-Defined Network

Cheng-Chun Tu; Pai-Wei Wang; Tzi-cker Chiueh

A distinguishing characteristic of a software-defined network is the separation of the network's control plane from its data plane. Especially when the granularity of control is an individual network flow, such separation entails frequent communications between these two planes. This communication pattern demands the same level of resilience from the control plane as from the data plane, and thus calls into question the conventional out-of-band control network design used in many existing SDN systems. Peregrine is an Ethernet-based software-defined network that was originally designed as the internal network of a container computer, and unifies storage access, inter-server communication, and network control into a single network comprising only commodity off-the-shelf Ethernet switches. To fully utilize all available physical network links, Peregrine treats the physical network as an explicitly routed mesh and equalizes the loads of its links using a global load-balancing routing algorithm running on a centralized controller. The in-band control architecture of Peregrine leads to two issues: (1) how to evolve a Peregrine network from its initial bootstrapping mode to the explicit routing mode at run time, and (2) how to support fast fail-over for physical failures that break both the control and data plane. This paper describes how Peregrine addresses these two issues, and shows its effectiveness with performance measurements collected from a fully operational test-bed.


networking architecture and storages | 2011

Scalable Index Update for Block-Level Continuous Data Protection

Maohua Lu; Dilip Nijagal Simha; Tzi-cker Chiueh

A block-level continuous data protection (CDP) system logs every disk update to a network storage server it protects, so as to support more flexible recovery time objective (RTO) and recovery point objective (RPO). To provide efficient access to historical snapshots, block-level CDP systems maintain multiple index structures, each of which needs to be updated whenever a disk block update operation is logged. Because these index structures are too large to be held in memory, updating their on-disk versions in real time becomes a major performance bottleneck that prevents existing CDP systems from scaling to large data backup applications. This paper describes the design and implementation of a high-performance index update mechanism that logs index updates, batches them in memory, and commits them using mostly sequential disk I/O. Sequential commit greatly reduces the cost of bringing in and writing back each on-disk index page. Update batching further amortizes this cost over multiple index update operations. Empirical performance measurements demonstrate that the proposed technique improves the index update throughput by more than an order of magnitude and reduces the performance overhead associated with index updates from 95% to under 15%.
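
Both the BOSC abstract (update requests with call-back continuations, batched and committed sequentially) and the CDP index-update abstract (log the update, batch in memory, commit with mostly sequential I/O) describe the same mechanism. The following is an added example in that spirit and is not the code of either paper: a tiny update-aware store whose callers submit a block update as (block id, named callback, argument) without reading the block first. The request is appended to a sequential log for durability and queued in memory; `commit` then visits dirty blocks in ascending order, reads each once, runs all of its queued callbacks and writes it back once. The block layout, log format and callback set are invented for the example.

```python
"""Added example, not the paper's code: a tiny update-aware store in the
spirit of BOSC (and of the batched index-update mechanism in the CDP paper).
Callers submit a block update as (block id, named callback, argument)
without reading the block first. The store appends the request to a
sequential log, queues it in memory per block, and commits later by visiting
dirty blocks in ascending order, reading each once, running all of its queued
callbacks and writing it back. The log is replayed at start-up so an update
acknowledged before a crash is still applied. Block size, log format and the
callback set are invented for the example."""
import json
import os
import struct
import tempfile

BLOCK = 8  # bytes per block: one little-endian u64 counter (invented layout)

# Callback registry. A request carries the *name* of its continuation so the
# log stays replayable; the function runs only once the block is in memory.
OPS = {
    "add": lambda blk, arg: struct.pack("<Q", (struct.unpack("<Q", blk)[0] + arg) % 2**64),
    "set": lambda blk, arg: struct.pack("<Q", arg),
}


def temp_paths():
    """Fresh data/log paths in a temporary directory (for demos and tests)."""
    d = tempfile.mkdtemp(prefix="bosc_")
    return os.path.join(d, "data.bin"), os.path.join(d, "log.jsonl")


class UpdateAwareStore:
    def __init__(self, data_path, log_path, nblocks):
        self.data_path, self.log_path = data_path, log_path
        if not os.path.exists(data_path):
            with open(data_path, "wb") as f:
                f.write(b"\0" * (BLOCK * nblocks))
        self.pending = {}  # block id -> [(op, arg), ...] in submission order
        self.commit_io = {"reads": 0, "writes": 0}
        self.log = open(log_path, "ab")
        self._replay()

    def _replay(self):
        """Re-queue every complete log record; a torn last line (crash mid-append)
        is dropped because it was never acknowledged to the caller."""
        with open(self.log_path, "rb") as f:
            for line in f:
                try:
                    rec = json.loads(line)
                except ValueError:
                    break
                self.pending.setdefault(rec["b"], []).append((rec["op"], rec["arg"]))

    def update(self, block_id, op, arg):
        """Durable as soon as the log append reaches disk; no block read here,
        which is what makes a low-locality update stream cheap."""
        self.log.write(json.dumps({"b": block_id, "op": op, "arg": arg}).encode() + b"\n")
        self.log.flush()
        os.fsync(self.log.fileno())
        self.pending.setdefault(block_id, []).append((op, arg))

    def value(self, block_id):
        """Read-your-writes view: on-disk block plus the callbacks still queued."""
        with open(self.data_path, "rb") as f:
            f.seek(block_id * BLOCK)
            blk = f.read(BLOCK)
        for op, arg in self.pending.get(block_id, []):
            blk = OPS[op](blk, arg)
        return struct.unpack("<Q", blk)[0]

    def commit(self):
        """One ascending sweep over dirty blocks: each is read once, all of its
        queued callbacks run in order, and it is written back once."""
        with open(self.data_path, "r+b") as f:
            for block_id in sorted(self.pending):
                f.seek(block_id * BLOCK)
                blk = f.read(BLOCK)
                self.commit_io["reads"] += 1
                for op, arg in self.pending[block_id]:
                    blk = OPS[op](blk, arg)
                f.seek(block_id * BLOCK)
                f.write(blk)
                self.commit_io["writes"] += 1
            f.flush()
            os.fsync(f.fileno())
        self.pending.clear()
        self.log.truncate(0)  # everything that was logged is now in the data file

    def close(self):
        self.log.close()


if __name__ == "__main__":
    data, log = temp_paths()
    store = UpdateAwareStore(data, log, nblocks=100)
    for i in range(1000):
        store.update(i % 10, "add", 1)  # 1000 updates that touch only 10 blocks
    store.commit()
    print("commit I/O for 1000 updates:", store.commit_io)  # 10 reads, 10 writes
    store.close()
```

One caveat a practitioner should notice: if the process dies between the data-file fsync and the log truncation, replay re-applies the pending "add" callbacks, which are not idempotent. A production design records a per-block sequence number (or makes every callback idempotent) so that replay can tell an already-committed record from a lost one; the example omits that to keep the batching mechanism visible.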


design automation conference | 2016

Invited - Wireless sensor nodes for environmental monitoring in internet of things

Ting-Chou Lu; Li-Ren Huang; Yu Lee; Kun-Ju Tsai; Yu-Te Liao; Nai-Chen Daniel Cheng; Yuan-Hua Chu; Yi-Hsing Tsai; Fang-Chu Chen; Tzi-cker Chiueh

This paper presents a self-sustainable landslide surveillance system that detects hazardous water content levels in soils and provides real-time landslide warnings to residents, without requiring wired electricity transmission. A self-powered soil water content sensor is used as the trigger for alert events. It solves the energy supply problem with an environmental interrupt mechanism, which wakes up the sensor and communication circuits in a sensing node only when the water content in the monitored soil exceeds a certain threshold, and thus completely eliminates the need for an ALS node to periodically wake up, sense and communicate. By tightly integrating energy harvesting, environment sensing and circuit wake-up, it may well be the most energy-efficient landslide surveillance system designed to monitor water content in soils in the world.


annual computer security applications conference | 2011

Tracking payment card data flow using virtual machine state introspection

Jennia Hizver; Tzi-cker Chiueh

Credit and debit card payment processing systems are key elements in financial transactions. Negligence in securing these systems makes them vulnerable to hacking attacks, which may lead to significant monetary losses for both merchants and financial organizations. To reduce this risk, mandatory security compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), were developed and adopted by the industry. A key prerequisite of the PCI DSS compliance process is the ability to identify the components of the payment systems directly involved with the card data (i.e., those that process, transmit, or store it). However, existing data flow tracking tools cannot fully automate the process of identifying system components that touch card data, because they either cannot examine encrypted communications or they use an instrumentation-based approach and thus require a priori detailed knowledge of the payment card processing systems. We describe the implementation and evaluation of a novel tool to identify the card data flow in commercial payment card processing systems running on virtualized servers. The tool performs real-time monitoring of network communications between virtual machines and inspects the memory of the communicating processes for unencrypted card data. Our implementation does not require instrumentation of application binaries and can accurately identify the system components involved in card data flow even when the communications among system components are encrypted. The effectiveness of this tool is demonstrated through its successful discovery of the card data flow of several open- and closed-source payment card processing applications.
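
The memory inspection step the abstract describes, as an added example that is not the paper's tool: a scanner for unencrypted primary account numbers (PANs) in a process memory dump. Candidates are 13 to 19 digit runs, with optional space or hyphen separators, searched both as ASCII and as UTF-16LE (how Windows processes usually hold strings), and each candidate must pass the Luhn check before it is reported, which is what keeps order numbers and timestamps out of the results. The memory sample is constructed here from public test card numbers; every name in the block is the example's own.

```python
"""Added example, not the tool from the paper: a scanner for unencrypted
primary account numbers (PANs) in a process memory dump, the kind of check a
card-data-flow tracker runs on the memory of each communicating process.
Candidates are digit runs of 13-19 digits, with optional space or hyphen
separators, in ASCII and in UTF-16LE (how Windows processes hold strings);
each candidate must pass the Luhn check before it counts. The memory sample
is constructed here and uses public test card numbers, not real cards."""
import re

# Candidate patterns: 13-19 digits, ASCII with optional separators, and UTF-16LE.
PATTERNS = [
    ("ascii", re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")),
    ("utf-16le", re.compile(rb"(?:[0-9]\x00){13,19}")),
]


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """PCI-style masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_buffer(buf):
    """Return (hits, rejected): Luhn-valid PANs with offset and encoding, plus
    the count of digit runs that looked like a PAN but failed the Luhn check."""
    hits, rejected = [], 0
    for enc, pat in PATTERNS:
        for m in pat.finditer(buf):
            text = m.group().decode("utf-16le" if enc == "utf-16le" else "latin-1")
            digits = re.sub(r"[^0-9]", "", text)
            if luhn_ok(digits):
                hits.append({"offset": m.start(), "encoding": enc, "pan": mask_pan(digits)})
            else:
                rejected += 1
    hits.sort(key=lambda h: h["offset"])
    return hits, rejected


# Constructed process-memory sample: an HTTP request body, a space-formatted
# PAN, a Windows wide string, a 16-digit order id that fails Luhn, and opaque
# binary (e.g. ciphertext) that must produce no hit.
SAMPLE_MEMORY = (
    b"\0" * 8
    + b"POST /pay HTTP/1.1\r\ncard=4111111111111111&exp=1226\r\n"
    + b"\0" * 4 + b"5500 0000 0000 0004"
    + b"\0" * 4 + "378282246310005".encode("utf-16le")
    + b"\0" * 4 + b"order=1234567890123456"
    + b"\0" * 4 + bytes(range(256))
)

if __name__ == "__main__":
    hits, rejected = scan_buffer(SAMPLE_MEMORY)
    for h in hits:
        print(f"offset 0x{h['offset']:04x} {h['encoding']:8s} {h['pan']}")
    print(f"{rejected} digit run(s) rejected by Luhn")
```

Two practical notes. The scanner only ever emits masked PANs, so the tool that tracks card data flow does not itself become a new place where cleartext card data is stored. And a hit in a process that the architecture says should only ever see ciphertext is exactly the finding the abstract is after: that process is in scope for PCI DSS whether or not the network capture between components could be read.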

Collaboration


Co-authors of Tzi-cker Chiueh.

Top Co-Authors (all at Industrial Technology Research Institute)

Cheng-Chun Tu
Chao-Tang Lee
Han-Lin Li
Jui-Hao Chiang
Dilip Nijagal Simha
Pai-Wei Wang
Chia-Ming Chang
Chien-Yung Lee
Shih-Chiang Tsao