Cited By
View all- Kornaros GLeivadaros S(2017)Securing Dynamic Firmware Updates of Mixed-Critical Applications2017 3rd IEEE International Conference on Cybernetics (CYBCONF)10.1109/CYBConf.2017.7985807(1-7)Online publication date: Jun-2017
Logical Partitions on Many-Core Platforms
Authors: 
Ramya Jayaram Masti, Claudio Marforio, Kari Kostiainen, Claudio Soriente, Srdjan CapkunAuthors Info & Claims
Ramya Jayaram Masti, Claudio Marforio, Kari Kostiainen, Claudio Soriente, Srdjan CapkunAuthors Info & ClaimsPages 451 - 460
Abstract
Cloud platforms that use logical partitions to allocate dedicated resources to VMs can benefit from small and therefore secure hypervisors. Many-core platforms, with their abundant resources, are an attractive basis to create and deploy logical partitions on a large scale. However, many-core platforms are designed for efficient cross-core data sharing rather than isolation, which is a key requirement for logical partitions. Typically, logical partitions leverage hardware virtualization extensions that require complex CPU core enhancements. These extensions are not optimal for many-core platforms, where it is preferable to keep the cores as simple as possible.
In this paper, we show that a simple address-space isolation mechanism, that can be implemented in the Network-on-Chip of the many-core processor, is sufficient to enable logical partitions. We implement the proposed change for the Intel Single-Chip Cloud Computer (SCC). We also design a cloud architecture that relies on a small and disengaged hypervisor for the security-enhanced Intel SCC. Our prototype hypervisor is 3.4K LOC which is comparable to the smallest hypervisors available today. Furthermore, virtual machines execute bare-metal avoiding runtime interaction with the hypervisor and virtualization overhead.
References
[1]
Hitachi Embedded Virtualization Technology. http://www.hitachi-america.us/supportingdocs/forbus/ssg/pdfs/Hitachi_Datasheet_Virtage_3D_10-30-08.pdf.
[2]
INTEGRITY Multivisor. http://www.ghs.com/products/rtos/integrity_virtualization.html.
[3]
Linux Kernel Vulnerability Statistics. http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33.
[4]
LPARBOX. http://lparbox.com/.
[5]
Microsoft Windows 8 Vulnerability Statistics. http://www.cvedetails.com/product/22318/Microsoft-Windows-8.html?vendor_id=26.
[6]
SSL Library PolarSSL. https://polarssl.org.
[7]
Adapteva. Ephiphany Multicore IP. www.adapteva.com/products/epiphany-ip/epiphany-architecture-ip/.
[8]
T. W. Arnold and L. P. Van Doorn. The IBM PCIXCC: A new cryptographic coprocessor for the IBM eServer. IBM Journal of Research and Development, 2004.
[9]
Ballesteros, F. J., Evans, N., Forsyth, C., Guardiola, G., McKie, J., Minnich, R. and Soriano-Salvador, E. NIX: A Case for a Manycore System for Cloud Computing. Technical report, Bell Labs Tech. J., 2012.
[10]
A. Baumann, P. Barham, P.-E. Dagand, T. Harris, R. Isaacs, S. Peter, T. Roscoe, A. Schüpbach, and A. Singhania. The Multikernel: A New OS Architecture for Scalable Multicore Systems. In Symposium on Operating Systems Principles, SOSP'09, 2009.
[11]
S. Boyd-Wickizer, H. Chen, R. Chen, Y. Mao, F. Kaashoek, R. Morris, A. Pesterev, L. Stein, M. Wu, Y. Dai, Y. Zhang, and Z. Zhang. Corey: An Operating System for Many Cores. In Operating Systems Design and Implementation, OSDI'08, 2008.
[12]
S. Boyd-Wickizer, A. T. Clements, Y. Mao, A. Pesterev, M. F. Kaashoek, R. Morris, and N. Zeldovich. An Analysis of Linux Scalability to Many Cores. In Operating Systems Design and Implementation, OSDI'10, 2010.
[13]
R. Buerki and A.-K. Rueegsegger. Muen-an x86/64 separation kernel for high assurance. http://muen.codelabs.ch/muen-report.pdf, 2013.
[14]
M. Chapman and G. Heiser. vNUMA: A Virtual Shared-memory Multiprocessor. In USENIX Annual Technical Conference, USENIX'09, 2009.
[15]
Y. Dai, Y. Qi, J. Ren, Y. Shi, X. Wang, and X. Yu. A Lightweight VMM on Many Core for High Performance Computing. SIGPLAN Not., 2013.
[16]
Y. Dong, X. Yang, X. Li, J. Li, K. Tian, and H. Guan. High performance network virtualization with sr-iov. In High Performance Computer Architecture, HPCA '10, 2010.
[17]
L. Fiorin, G. Palermo, S. Lukovic, V. Catalano, and C. Silvano. Secure Memory Accesses on Networks-on-Chip. IEEE Transactions on Computers, 2008.
[18]
A. Gavrilovska, S. Kumar, H. Raj, K. Schwan, V. Gupta, R. Nathuji, R. Niranjan, A. Ranadive, and P. Saraiya. High-performance Hypervisor Architectures: Virtualization in HPC Systems. In System-level Virtualization for High Performance Computing, 2007.
[19]
N. Harris, D. Barrick, I. Cai, P. G. Croes, A. Johndro, B. Klingelhoets, S. Mann, N. Perera, and R. Taylor. LPAR Configuration and Management Working with IBM eServer iSeries Logical Partitions. IBM Redbooks, 2002.
[20]
Intel Corporation. Getting Xen working for Intel(R) Xeon Phi(tm) Coprocessor. https://software.intel.com/en-us/videos/knights-landing-the-next-manycore-architecture.
[21]
Intel Corporation. Intel Xeon Phi 7100 Series Specification. http://ark.intel.com/products/75800/Intel-Xeon-Phi-Coprocessor-7120X-16GB-1_238-GHz-61-core.
[22]
Intel Corporation. SCC External Architecture Specification. https://communities.intel.com/docs/DOC-5044/version.
[23]
Intel Corporation. PCI-SIG SR-IOV Primer. http://www.intel.com/content/dam/doc/application-note/pci-sig-sr-iov-primer-sr-iov-technology-paper.pdf, 2011.
[24]
Intel Corporation. Intel Virtualization Technology for Directed I/O. http://www.intel.com/content/www/us/en/embedded/technology/virtualization/vt-directed-io-spec.html, 2014.
[25]
G. Irazoqui, M. Inci, T. Eisenbarth, and B. Sunar. Wait a Minute! A Fast, Cross-VM Attack on AES. In Research in Attacks, Intrusions and Defenses (RAID), 2014.
[26]
G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal Verification of an OS Kernel. In Symposium on Operating Systems Principles, SOSP '09, 2009.
[27]
P. Li, D. Gao, and M. Reiter. Mitigating Access-driven Timing Channels in Clouds Using StopWatch. In Dependable Systems and Networks (DSN), June 2013.
[28]
M. M. K. Martin, M. D. Hill, and D. J. Sorin. Why On-chip Cache Coherence is Here to Stay. Commun. ACM, 2012.
[29]
T. G. Mattson, M. Riepen, T. Lehnig, P. Brett, W. Haas, P. Kennedy, J. Howard, S. Vangal, N. Borkar, G. Ruhl, and S. Dighe. The 48-core SCC Processor: The Programmer's View. In International Conference for High Performance Computing, Networking, Storage and Analysis, SC '10, 2010.
[30]
F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative Instructions and Software Model for Isolated Execution. In Hardware and Architectural Support for Security and Privacy, HASP'13, 2013.
[31]
A. Milenkoski, B. Payne, N. Antunes, M. Vieira, and S. Kounev. Experience Report: An Analysis of Hypercall Handler Vulnerabilities. In Software Reliability Engineering (ISSRE), 2014.
[32]
E. B. Nightingale, O. Hodson, R. McIlroy, C. Hawblitzel, and G. Hunt. Helios: Heterogeneous Multiprocessing with Satellite Kernels. In Symposium on Operating Systems Principles, SOSP '09, 2009.
[33]
Partheymuller, Markus and Stecklina, Julian and Döbel, Björn. Fiasco.OC on the SCC. http://os.inf.tu-dresden.de/papers_ps/intelmarc2011-fiascoonscc.pdf, 2011.
[34]
J. Porquet, A. Greiner, and C. Schwarz. NoC-MPU: A Secure Architecture for Flexible Co-hosting on Shared Memory MPSoCs. In Design, Automation Test in Europe Conference Exhibition, DATE'11, 2011.
[35]
T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds. In Computer and Communications Security, CCS'09, 2009.
[36]
W. Shi, J. Lee, T. Suh, D. H. Woo, and X. Zhang. Architectural Support of Multiple Hypervisors over Single Platform for Enhancing Cloud Computing Security. In Computing Frontiers, CF '12, 2012.
[37]
X. Song, H. Chen, R. Chen, Y. Wang, and B. Zang. A Case for Scaling Applications to Many-core with OS Clustering. In European Conference on Computer Systems, EuroSys '11, 2011.
[38]
U. Steinberg and B. Kauer. NOVA: A Microhypervisor-based Secure Virtualization Architecture. In European Conference on Computer systems, EuroSys '10, 2010.
[39]
J. Szefer, E. Keller, R. B. Lee, and J. Rexford. Eliminating the Hypervisor Attack Surface for a More Secure Cloud. In Computer and Communications Security, CCS'11, 2011.
[40]
J. Szefer and R. B. Lee. Architectural support for hypervisor-secure virtualization. SIGARCH Comput. Archit. News, 2012.
[41]
Tilera Corporation. TILE-GX Family. http://www.tilera.com/products/?ezchip=585&spage=618.
[42]
TU Dresden. L4linux. http://os.inf.tu-dresden.de/L4/LinuxOnL4/.
[43]
D. Wentzlaff and A. Agarwal. Factored Operating Systems (Fos): The Case for a Scalable Operating System for Multicores. SIGOPS Oper. Syst. Rev., 2009.
[44]
Y. Yarom and K. Falkner. FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. In USENIX Security Symposium, Aug. 2014.
[45]
Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-VM Side Channels and Their Use to Extract Private Keys. In Computer and Communications Security, CCS'12, 2012.
[46]
Y. Zhang, W. Pan, Q. Wang, K. Bai, and M. Yu. HypeBIOS: Enforcing VM Isolation with Minimized and Decomposed Cloud TCB. http://www.people.vcu.edu/~myu/s-lab/my-publications.html, 2012.
[47]
Y. Zhang and M. K. Reiter. Duppel: Retrofitting Commodity Operating Systems to Mitigate Cache Side Channels in the Cloud. In Computer and Communications Security, CCS'13, 2013.
[48]
M. Ziwisky and D. Brylow. BareMichael: A Minimalistic Bare-metal Framework for the Intel SCC. In Many-core Applications Research Community Symposium, MARC'12, 2012.
- Logical Partitions on Many-Core Platforms
Recommendations
GPU Acceleration for Simulating Massively Parallel Many-Core Platforms
Emerging massively parallel architectures such as a general-purpose processor plus many-core programmable accelerators are creating an increasing demand for novel methods to perform their architectural simulation. Most state-of-the-art simulation ...
Vectorizing Unstructured Mesh Computations for Many-core Architectures
PMAM'14: Proceedings of Programming Models and Applications on Multicores and ManycoresAchieving optimal performance on the latest multi-core and many-core architectures depends more and more on making efficient use of the hardware's vector processing capabilities. While auto-vectorizing compilers do not require the use of vector ...
Comments
Information & Contributors
Information
Published In
December 2015
489 pages
ISBN:9781450336826
DOI:10.1145/2818000
Copyright © 2015 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
In-Cooperation
- ACSA: Applied Computing Security Assoc
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 07 December 2015
Check for updates
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
ACSAC 2015
ACSAC 2015: 2015 Annual Computer Security Applications Conference
December 7 - 11, 2015
CA, Los Angeles, USA
Acceptance Rates
Overall Acceptance Rate 104 of 497 submissions, 21%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 173Total Downloads
- Downloads (Last 12 months)21
- Downloads (Last 6 weeks)0
Reflects downloads up to 01 Jan 2025
Other Metrics
Citations
Cited By
View all- Kornaros GLeivadaros S(2017)Securing Dynamic Firmware Updates of Mixed-Critical Applications2017 3rd IEEE International Conference on Cybernetics (CYBCONF)10.1109/CYBConf.2017.7985807(1-7)Online publication date: Jun-2017
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in