We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byGordon Seaver
Modified about 1 year ago
© 2010 Andreas Haeberlen 1 Accountable Virtual Machines OSDI (October 4, 2010) Andreas Haeberlen University of Pennsylvania Paarijaat Aditya Rodrigo Rodrigues Peter Druschel Max Planck Institute for Software Systems (MPI-SWS) Max Planck Institute for Software Systems
© 2010 Andreas Haeberlen Scenario: Multiplayer game Alice decides to play a game of Counterstrike with Bob and Charlie 2 OSDI (October 4, 2010) Alice Bob Charlie Network I'd like to play a game
© 2010 Andreas Haeberlen What Alice sees OSDI (October 4, 2010) Movie 3 Alice
© 2010 Andreas Haeberlen Could Bob be cheating? In Counterstrike, ammunition is local state Bob can manipulate counter and prevent it from decrementing Such cheats (and many others) do exist, and are being used 4 OSDI (October 4, 2010) Charlie Network Alice Bob Ammo
© 2010 Andreas Haeberlen This talk Cheating is a serious problem in itself Multi-billion-dollar industry But we address a more general problem: Alice relies on software that runs on a third-party machine Examples: Competitive system (auction), federated system... How does Alice know if the software running as intended? 5 OSDI (October 4, 2010) Network Alice Bob Software is not (just) about cheating!
© 2010 Andreas Haeberlen Goal: Accountability We want Alice to be able to Detect when the remote machine is faulty Obtain evidence of the fault that would convince a third party Challenges: Alice and Bob may not trust each other Possibility of intentional misbehavior (example: cheating) Neither Alice nor Bob may understand how the software works Binary only - no specification of the correct behavior 6 OSDI (October 4, 2010) Network Alice Bob Software
© 2010 Andreas Haeberlen Outline Problem: Detecting faults on remote machines Example: Cheating in multiplayer games Solution: Accountable Virtual Machines Evaluation Using earlier example (cheating in Counterstrike) Summary 7 OSDI (October 4, 2010) NEXT
© 2010 Andreas Haeberlen Overview Bob runs Alice's software image in an AVM AVM maintains a log of network in-/outputs Alice can check this log with a reference image AVM correct: Reference image can produce same network outputs when started in same state and given same inputs AVM faulty: Otherwise 8 OSDI (October 4, 2010) Network Alice Bob Virtual machine image AVMM AVM Accountable Virtual Machine (AVM) Accountable Virtual Machine Monitor (AVMM) Log What if Bob manipulates the log? Alice must trust her own reference image How can Alice find this execution, if it exists?
© 2010 Andreas Haeberlen Firing Tamper-evident logging Message log is tamper-evident [SOSP'07] Log is structured as a hash chain Messages contain signed authenticators Result: Alice can either detect that the log has been tampered with, or... get a complete log with all the observable messages 9 OSDI (October 4, 2010) 473: SEND(Charlie, Got ammo) 472: RECV(Alice, Got medipack) 471: SEND(Charlie, Moving left) : SEND(Alice, Firing) Moving right AVMM AVM
© 2010 Andreas Haeberlen Execution logging How does Alice know whether the log matches a correct execution of her software image? Idea: AVMM can specify an execution AVMM additionally logs all nondeterministic inputs AVM correct: Can replay inputs to get execution AVM faulty: Replay inevitably (!) fails 10 OSDI (October 4, 2010) 474: SEND(Alice, Firing) 473: SEND(Charlie, Got ammo) 472: RECV(Alice, Got medipack) 471: SEND(Charlie, Moving left)... AVMM AVM 474: SEND(Alice, Firing) 473: Mouse button clicked 472: SEND(Charlie, Got ammo) 471: RECV(Alice, Got medipack) 470: Got network interrupt 469: SEND(Charlie, Moving left)
© 2010 Andreas Haeberlen Auditing and replay 11 OSDI (October 4, 2010) Network Alice Bob AVMM AVM AVMM AVM : SEND(Alice, Firing) 370: SEND(Alice, Firing) 369: SEND(Alice, Firing) 368: Mouse button clicked 367: SEND(Alice, Got medipack) 366: Mouse moved left Modification Evidence 371: SEND(Alice, Firing) 370: SEND(Alice, Firing) 369: SEND(Alice, Firing) 368: Mouse button clicked 367: SEND(Alice, Got medipack) 366: Mouse moved left 372: SEND(Alice, Firing) 373: SEND(Alice, Firing)
© 2010 Andreas Haeberlen AVM properties Strong accountability Detects faults Produces evidence No false positives Works for arbitrary, unmodified binaries Nondeterministic events can be captured by AVM Monitor Alice does not have to trust Bob, the AVMM, or any software that runs on Bob's machine If Bob tampers with the log, Alice can detect this If Bob's AVM is faulty, ANY log Bob could produce would inevitably cause a divergence during replay 12 OSDI (October 4, 2010) If it runs in a VM, it will work
© 2010 Andreas Haeberlen Outline Problem: Detecting faults on remote machines Example: Cheating in multiplayer games Solution: Accountable Virtual Machines Evaluation Using earlier example (cheating in Counterstrike) Summary 13 OSDI (October 4, 2010) NEXT
© 2010 Andreas Haeberlen Methodology We built a prototype AVMM Based on logging/replay engine in VMware Workstation Extended with tamper-evident logging and auditing Evaluation: Cheat detection in games Setup models competition / LAN party Three players playing Counterstrike 1.6 Nehalem machines (i7 860) Windows XP SP3 14 OSDI (October 4, 2010)
© 2010 Andreas Haeberlen Evaluation topics Effectiveness against real cheats Overhead Disk space (for the log) Time (auditing, replay) Network bandwidth (for authenticators) Computation (signatures) Latency (signatures) Impact on game performance Online auditing Spot checking tradeoffs Using a different application: MySQL on Linux 15 OSDI (October 4, 2010) Please refer to the paper for additional results!
© 2010 Andreas Haeberlen AVMs can detect real cheats If the cheat needs to be installed in the AVM to be effective, AVM can trivially detect it Reason: Event timing + control flow change Examined real 26 cheats from the Internet; all detectable 16 OSDI (October 4, 2010) 98: RECV(Alice, Missed) 97: SEND(Alice, 96: Mouse button clicked 95: Interrupt received 94: RECV(Alice, Jumping)... BC=53 BC=52 BC=47 BC=44 BC=37... Bob's log EIP=0xb382 EIP=0x3633 EIP=0xc490 EIP=0x6771 EIP=0x570f... Event timing (for replay) AVMM AVM BC=59 BC=54 BC=49 BC=44 BC=37... EIP=0x861e EIP=0x2d16 EIP=0xc43e EIP=0x6771 EIP=0x570f... 97: SEND(Alice, 98: RECV(Alice, Hit)
© 2010 Andreas Haeberlen 96: RECV(Alice, Missed) 95: SEND(Alice, 94: Mouse button clicked 93: Interrupt received 92: RECV(Alice, Jumping)... BC=53 BC=52 BC=47 BC=44 BC=37... EIP=0xb382 EIP=0x3633 EIP=0xc490 EIP=0x6771 EIP=0x570f... 99: RECV(Alice, Hit) 98: SEND(Alice, 97: Mouse button clicked 96: Mouse move right 1 inch 94: Mouse move up 1 inch 92: RECV(Alice, Jumping)... BC= BC= BC= BC= BC= BC=... EIP= EIP= EIP= EIP= EIP= EIP=... AVMs can detect real cheats Couldn't cheaters adapt their cheats? There are three types of cheats: 1. Detection impossible (Example: Collusion) 2. Detection not guaranteed, but evasion technically difficult 3. Detection guaranteed ( 15% of the cheats in our sample) 17 OSDI (October 4, 2010) AVMM AVM ? ? ? ? ? ? ? ? ? ? ?
© 2010 Andreas Haeberlen Impact on frame rate Frame rate is ~13% lower than on bare hw 137fps is still a lot! fps generally recommended 11% due to logging; additional cost for accountability is small 18 OSDI (October 4, 2010) Average frame rate Bare hardware VMware (no logging) VMware (logging) AVMM (no crypto) AVMM 158fps -13% Different machines with different players -11% No fps cap Window mode 800x600 Softw. rendering
© 2010 Andreas Haeberlen Cost of auditing When auditing a player after a one-hour game, How big is the log we have to download? How much time is needed for replay? 19 OSDI (October 4, 2010) VMware AVMM Average log growth (MB/minute) ~8 MB per minute 2.47 MB per minute (compressed) 148 MB Added by accountability ~ 1 hour
© 2010 Andreas Haeberlen Online auditing Idea: Stream logs to auditors during the game Result: Detection within seconds after fault occurs Replay can utilize unused cores; frame rate penalty is low 20 OSDI (October 4, 2010) Average frame rate No online auditing One audit per player Two audits per player Alice Bob Charlie Game Logging Replay
© 2010 Andreas Haeberlen Summary Accountable Virtual Machines (AVMs) offer strong accountability for unmodified binaries Useful when relying on software executing on remote machines: Federated system, multiplayer games,... No trusted components required AVMs are practical Prototype implementation based on VMware Workstation Evaluation: Cheat detection in Counterstrike 21 OSDI (October 4, 2010) Questions?
© 2010 Andreas Haeberlen Thank you! 22 OSDI (October 4, 2010) Our enthusiastic Counterstrike volunteers
Accountability Aditya Akella. Outline Accountable Virtual Machines Accountability in and via SDN.
A. Haeberlen CIS 455/555: Internet and Web Systems 1 University of Pennsylvania Special topics April 22, 2016.
© 2015 A. Haeberlen NETS 212: Scalable and Cloud Computing 1 University of Pennsylvania Special topics December 3, 2015.
SOSP 2007 © 2007 Andreas Haeberlen, MPI-SWS 1 Practical accountability for distributed systems Andreas Haeberlen MPI-SWS / Rice University Petr Kuznetsov.
© 2006 Andreas Haeberlen, MPI-SWS 1 The Case for Byzantine Fault Detection Andreas Haeberlen MPI-SWS / Rice University Petr Kouznetsov MPI-SWS Peter Druschel.
LADIS workshop (Oct 11, 2009) A Case for the Accountable Cloud Andreas Haeberlen MPI-SWS.
Building and Programming the Cloud, Mysore, Jan Accountable distributed systems and the accountable cloud Peter Druschel joint work with Andreas.
SRG PeerReview: Practical Accountability for Distributed Systems Andreas Heaberlen, Petr Kouznetsov, and Peter Druschel SOSP’07.
1 The Case for Byzantine Fault Detection. 2 Challenge: Byzantine faults Distributed systems are subject to a variety of failures and attacks Hacker break-in.
A. Haeberlen Fault Tolerance and the Five-Second Rule 1 HotOS XV (May 18, 2015) Ang Chen Hanjun Xiao Andreas Haeberlen Linh Thi Xuan Phan Department of.
Reliable Client Accounting for P2P-Infrastructure Hybrids Paarijaat Aditya †, Ming-Chen Zhao ‡, Yin Lin *, Andreas Haeberlen ‡, Peter Druschel †, Bruce.
Hands-On Virtual Computing Chapter 2 Working with VMware Workstation.
PeerReview: Practical Accountability for Distributed Systems SOSP 07.
Configuring Debugging as Search: Finding the Needle in the Haystack Andrew Whitaker, Richard S. Cox and Steven D. Gribble. University of Washington Presented.
Execution Replay for Multiprocessor Virtual Machines George W. Dunlap Dominic Lucchetti Michael A. Fetterman Peter M. Chen.
P. Kouznetsov, 2006 Abstracting out Byzantine Behavior Peter Druschel Andreas Haeberlen Petr Kouznetsov Max Planck Institute for Software Systems.
Chapter 14 Chapter 14: Server Monitoring and Optimization.
CACI Proprietary Information | Date 1 PD² v4.2 Increment 2 SR13 and FPDS Engine v3.5 Database Upgrade Name: Semarria Rosemond Title: Systems Analyst, Lead.
2.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 2: Installing Windows Server.
Virtual Machines Module 2. Objectives Define virtual machine Define common terminology Identify advantages and disadvantages Determine what software is.
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Run the on your PC to start the firmware configuration process Run IP Config Tool.
1 Chapter Overview Configuring and Troubleshooting the Display Configuring Power Management Configuring Operating System Settings Configuring and Troubleshooting.
IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It.
1 Copyright © 2015 Pexus LLC Patriot PS Personal Server Importing Virtual Appliance Image.
SIGCOMM 2012 (August 16, 2012) Private and Verifiable Interdomain Routing Decisions Mingchen Zhao * Wenchao Zhou * Alexander Gurney * Andreas Haeberlen.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
Trustworthy and Personalized Computing Christopher Strasburg Department of Computer Science Iowa State University November 12, 2008.
Trusted Passages: Managing Trust Properties of Open Distributed Overlays Faculty: Mustaque Ahamad, Greg Eisenhauer, Wenke Lee and Karsten Schwan PhD Students:
1 Attested Append-Only Memory: Making Adversaries Stick to their Word Byung-Gon Chun (ICSI) October 15, 2007 Joint work with Petros Maniatis (Intel Research,
Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>> <<<<<<<<<<<<<<<<<<<<<<
UNIX System Programming Installing OpenSolaris. 2/86 Contents How to setup a virtual machine guest How to install OpenSolaris as a guest How to update.
Intrusion Detection Systems and Practices Chapter 13.
11 MONITORING MICROSOFT WINDOWS SERVER 2003 Chapter 3.
Hosted Virtualization Lab Last Update Copyright Kenneth M. Chipps Ph.D.
NSDI (April 24, 2009) © 2009 Andreas Haeberlen, MPI-SWS 1 NetReview: Detecting when interdomain routing goes wrong Andreas Haeberlen MPI-SWS / Rice Ioannis.
Virtualization for Cloud Computing Dr. Sanjay P. Ahuja, Ph.D FIS Distinguished Professor of Computer Science School of Computing, UNF.
Jeny Carrasco and Jai Nayar English 393 Process Manual Assignment 12/08/04 McAfee 7.1 Process Manual.
BFTW 3 workshop (Sep 22, 2009)© 2009 Andreas Haeberlen 1 The Fault Detection Problem Andreas Haeberlen MPI-SWS Petr Kuznetsov TU Berlin / Deutsche Telekom.
CSC190 Introduction to Computing Operating Systems and Utility Programs.
VMWare Workstation Installation. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *Note: The following instructions.
MCSA Windows Server 2012 Pass Upgrading Your Skills to MCSA Windows Server 2012 Exam By The Help Of Exams4Sure Get Complete File From
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
Battle of Botcraft: Fighting Bots in Online Games withHuman Observational Proofs Steven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining Wang The College.
Virtual Machines Measure Up John Staton Karsten Steinhaeuser University of Notre Dame December 15, 2005 Graduate Operating Systems, Fall 2005 Final Project.
Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.
Hands-On Microsoft Windows Server 2008 Chapter 3 Configuring the Windows Server 2008 Environment.
Lecture 5: Using Computers: Important Ideas Tonga Institute of Higher Education IT 141: Information Systems.
© 2017 SlidePlayer.com Inc. All rights reserved.