SlideShare ist ein Scribd-Unternehmen logo

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication" by K.Suzaki

Kuniyasu Suzaki
Kuniyasu Suzaki

This is Slide for EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication" by K.Suzaki.

TechnologieBildung
1 von 25
Downloaden Sie, um offline zu lesen
Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication Kuniyasu Suzaki, Kengo Iijima, Suzaki Iijima Toshiki Yagi, Cyrille Artho Research Institute for Secure Systems EuroSec 2012 at Bern, April 10
Background 1/2 • Infrastructure as a Service(IaaS) type cloud computing offers OS hosting service and runs many virtual machines. – Examples: Amazon EC2, Rackspace, ... – Physical resources are very important. Many techniques are developed to save resources. resources • We concentrate on memory. • Memory Deduplication is utilized to share same contents and reduces consumption of physical memory. • Venders want to use this function, but …
Background 2/2 • Some attacks are appeared on IaaS, and users want to increase security of Guest OS. – For example, Cross VM Side channel attack [CSS2009] • Guest OSes have some choices of security function. – Some of them change the behavior of memory and will work to i increase or decrease performance of memory deduplication. d f f d d li i • Our paper measures the affects of security functions on real memory deduplication (KSM with KVM).
Contents 1) Background 2) Memory deduplication 3) OS security functions – Address Space Layout randomization, Memory Sanitization, randomization Sanitization Page Cache flashing 4) Experimental results – On Linux’s KSM (Kernel Samepage Merging) with KVM virtual machine monitor 5) Discussion and Conclusion
Memory Deduplication 1/2 • Memory deduplication is a technique to share same contents page. – Mainly used for virtual machines. – Very effective when same guest OS runs on many virtual machines. • Many virtual machine monitors include deduplication with different implementations. Guest Pseudo Memory VM1 VM2 VM(n) Real Physical Memory
Memory Deduplication 2/2 • Content-aware deduplication – Check contents when data is loaded from disk to memory. • Transparent Page Sharing on Disco [OSDI97] • Satori on Xen[USENIX09] • Periodical memory-scan deduplication – Scan memory pages and merge when pages are same. It can treat dynamically created contents pages. • Content-Based Page Sharing on VMWare ESX [SOSP02] • Differential Engine on Xen[OSDI08] • KSM (Kernel Samepage Merging) [LinuxSymp09] – General-purpose memory deduplication for Linux. – Used mainly for KVM. • Our paper uses KSM with KVM virtual machine.
KSM: Kernel Samepage Merging • KSM has 3 states for pages. – Volatile : contents change frequently (not to be candidate) – Unshared: candidate pages for deduplication (unique at present) – Shared: deduplicated pages with same contents. • Pages are scanned (default: 20msec) – All pages are not scanned at a trial. t d t ti l – The maximum is 25% of the available memory. – The time to be deduplicated depends on the situation.
Contents 1) Background 2) Memory deduplication 3) OS security functions – Address Space Layout randomization, Memory Sanitization, randomization Sanitization Page Cache flashing 4) Experimental results – On Linux’s KSM (Kernel Samepage Merging) with KVM virtual machine monitor 5) Discussion and Conclusion
OS Security functions • Modern OSes have security functions that modify memory contents dynamically. 1. Address Space Layout Randomization (ASLR) with Position Independent Executable (PIE) 2. Memory Sanitization 3. Page Cache flashing
Address Space Layout Randomization(ASLR) • Normal binary has fixed Memory layout, and has vulnerability for overflow attack. • ASLR gives randomized offset (aligned page) to code, library, and stack. • Early ASLR for Linux is implemented on PaX and Exec Shield Linux. • Linux 2.6.12 (June 2005), Windows VISTA. • Binaries have to be Position Independent Executable (PIE). – GCC has options to compile a code for PIE-ELF binary. (“-fPIE” for compiler p p y ( p and “–pie” for linker) • Disadvantage: PIE binaries become fat, because the all addressing are relocatable. • ASLR and PIE binaries will affect memory deduplication. Normal ELF PIE-ELF on ASLR Stack 0x???????? Stack 0xBFFFF000 Library 0x???????? Library 0x40000000 Position Independent PIE code 0x???????? The address is Code 0x08048000 changed for each process on ASLR
Memory sanitization • Technique for zero-clearing pages after use. – Sensitive data remain for long periods after use, and Chow proposed Secure deallocation [USENIX Security 04, 05] . It prevents information leak. • Linux has unconditional page sanitization patch. – Increased zero-cleared pages will be deduplicated. As a result, it will reduces consumption of physical memory. memory – Disadvantage: • Linux’s sanitization requires zero-clearing all physical pages at boot time. • Do not treat page cache, because cashed pages are not released from a kernel. Physical Memory 0xXXXX0000 000000 0000000 00000000 Zero-cleared 0x00000000
Page Cache flushing • Page Cache flushing reduces possibility of information leak. • Page Cache reduces I/O overhead when pages are accessed repeatedly. However, the page cache may include sensitive data. • Linux kernel has DropCache for page cache flushing. – DropCache released all cached pages from the kernel. • “cron” is used to flush page cache at certain intervals (1 sec). – Th fl h d memory region i reused f other processes. A a result, it will The flushed i is d for th As lt ill reduce consumption of physical memory. – DropCache does not zero-clear the released pages. We need to enable sanitization to zero-clear the pages. – Disadvantage: • Re-loaded data from disk when the same contents are accessed again.
Contents 1) Background 2) Memory deduplication 3) OS security functions – Address Space Layout randomization, Memory Sanitization, randomization Sanitization Page Cache flashing 4) Experimental results – On Linux’s KSM (Kernel Samepage Merging) with KVM virtual machine monitor 5) Discussion and Conclusion
Experiments • Measure the effects of 3 security functions (ALSR, memory sanitization, DropCache: page cache flushing) on memory deduplication (KSM with KVM). • Test environment – Intel Core2Quad (Q9650) 3.0GHz processor – Host OS: Ubuntu 9.10 (kernel: vanilla-2.6.32.1) with memory deduplication KSM and virtual machine monitor KVM – 2 type of Guest OSes • Normal Gentoo Linux (1.12.13, kernel 2.6.31) on a 32GB virtual disk (31GB ext3, 1GB swap) • Gentoo Linux which is built as PIE binaries – It utilize ALSR
Effects of Position Independent Executable (PIE) • Gentoo Linux has 1,469 ELF binary files in /bin, /sbin, /usr/bin, and /usr/sbin. – On Normal Gentoo the total is 88.4MB – On PIE Gentoo the total is 94.6MB (7% more). • The biggest change: “pampop9” 5 396B -> 9,440B (75% more) pampop9 5,396B > 9 440B more). • The smallest change: “wall” from 9,624B to 9,392B (2% less). • From after PIE Gentoo is mainly used.
With and without ASLR, DropCache and Sanitization on 4VMs Security function Stable State ①Peak Mem ⑤Guest OS (MB) ③ Sharing ④ Unshared+ Boot Time ASLR DropCache Sanitize Virtual/Physical ② Physical Mem (MB) (MB (%)) Volatile (sec) (MB (%)) ○ 574/458 234.9 106.4(45.3) 128.5(54.7) 62 ○ ○ 431/332 206.9 70.7(34.1) 136.3(65.9) 83 ○ ○ 2063/1661 204.6 82.1(40.1) 122.5(59.9) 61 ○ ○ ○ 2063/1616 186.5 39.4(21.1) 147.1(78.9) 83 574/455 199.0 120.1(60.4) 78.9(39.6) 62 ○ 429/316 169.5 83.1(49.0) 86.5(51.0) 82 ○ 2063/1661 171.2 94.0(54.9) 77.2(45.1) 62 ○ ○ 2063/1161 129.9 50.4(38.8) 79.5(61.2) 85
With and without ASLR, DropCache and Sanitization on 4VMs DropCache delayed Security function Stable State ①Peak Mem the boot time. ⑤Guest OS (MB) ③ Sharing ④ Unshared+ Boot Time ASLR DropCache Sanitize Virtual/Physical ② Physical Mem (MB) (MB (%)) Volatile (sec) (MB (%)) ○ 574/458 +18% 234.9 106.4(45.3) 128.5(54.7) 62 ○ ○ 431/332 206.9 70.7(34.1) 136.3(65.9) 83 -12% ○ ○ 2063/1661 204.6 82.1(40.1) 122.5(59.9) 61 -13% 13% ○ ○ ○ 2063/1616 +43% -21% 186.5 39.4(21.1) 147.1(78.9) 83 Decrease Increase 574/455 199.0 120.1(60.4) 78.9(39.6) 62 ○ 429/316 169.5 83.1(49.0) 86.5(51.0) 82 -15% ○ 2063/1661 171.2 94.0(54.9) 77.2(45.1) 62 -14% ○ ○ 2063/1161 129.9 50.4(38.8) 79.5(61.2) 85 -35% Sanitization uses all virtual ASLR decreases deduplication and memory, but consumption increases unique pages. It means ASLR increases physical memory consumption of physical memory is ASLR reduces opportunities for Others (DropCache, Sanitization, and Both) reduced by deduplication. memory deduplication. decrease.
Virtual and Physical memory consumption Sanitization use MB 2500 all memory Virtual Max 1VM, 2VMs, 4VMs Physical Max 2000 1500 1000 Smallest Smallest 500 0 • Sanitization uses all virtual memory. KSM depress the consumption of physical memory but it is still large. • DropCache, (2) and (6), shows the smallest consumptions, because the flushed pages are reused. – They shows enabling DropCahe is the best from the view of memory, but DropCache affects the time performance of GuestOS.
DropCache: Page Flushing • DropCache was issued every second. It takes 10 - 20 microseconds (1% or 2%), thus it does not affect performance severely. • However, the boot time with DropCache increases by about 20 seconds (30% more). b d ) • The other boot procedures read 65MB of data from disk. DropCache increases this to 99MB (52% more). PIE Gentoo Disk Read (MB) (seconds) Normal 65 No DropCache 61―62 DropCache 99 DropCache 82―85 Sanitize 65
Memory Usage in KSM: PIE Gentoo at a stable state after booting 1, 2, and 4 VMs MB 250 Shared 1VM,2VMs,4VMs Unshare 200 Volatile 150 100 50 0 • Total memory(volatile+unshared+sharing) with ASLR are larger than without ASLR. • Volatile and Sharing pages are almost the same. ASLR increases the number of unshared pages. It means that ASLR increases pages with different contents. • However, it is strange because ASLR dons not change the contests. The reason is not well analyzed.
Trace of Memory usage on KSM with 4VMs • Sanitization sets memory contents to zero on all memory pages at boot time. KSM could not catch up. • However, the performance of Guest OS is not effected, because KSM limits the number of pages at a trial, and postpone deduplication. – After booting, KSM deduplicates memory pages. MB 2000 MB 2000 sharing 1500 shared 1500 sharing unshared shared 1000 volatile 1000 unshared volatile 500 500 0 sec 0 0 100 200 300 sec 0 100 200 300 Without Sanitization(PIE Gentoo on ASLR) With Sanitization
Contents 1) Background 2) Memory deduplication 3) OS security functions – Address Space Layout randomization, Memory Sanitization, randomization Sanitization Page Cache flashing 4) Experimental results – On Linux’s KSM (Kernel Samepage Merging) with KVM virtual machine monitor 5) Discussion and Conclusion
Discussions • Co-Design of GuestOS and VMM – Some VMMs offers zero-cleared pseudo memory to a VM. If memory sanitization recognizes it, the zero-clearing process may be removed. – If VMM control page flushing (balance page cache and I/O), it can achieve global optimization among many VMs. hi l b l ti i ti VM • It will be a counter part of ballon memory of VMM. • Consider Scalability on IaaS – DropCache reduces the consumption of memory, but it also reduce time performance. If a server (IaaS) hosts OSes which don’t care time performance, DropCache is effective.
Related Works • Memory deduplication has potential to change structure of OS. – Memory deduplication is used to increase security • SLINKY[USENIX ATC 2005] encourages static-linking, because memory deduplication reduces the increase memory. • Instead of static-linking, Self-contained ELF binaries (binaries which include shared libraries) is used for generalization [HotSec 2010] – Attack on memory deduplication • Memory disclosure attack for Copy-On-Write [EuroSec 2011] • OS Fingerprint [IPCCC2011] • Memory deduplication is improved. • KSM++ [RESoLVE 2012] • HICAMP [APSOLS 2012] Hardware memory deduplication. The size is very small (16-256 Byte).
Conclusions • Our paper measures the affects of security functions (ASLR, sanitization, page cache flushing) on real memory deduplication (KSM with KVM). – ASLR increases consumption of physical memory, which is more than anticipated. – Memory sanitization has to initialize all memory, but the CPU overhead for GuestOS is low, because memory merging is postponed at heavy load. low load – Page cache flushing (DropCache) reduces consumption of physical memory by reusing released pages. However, the overhead is large, which is caused by re-loading data from a disk. • We should consider co-design of VMM and security function of guestOS and increase the scalability of IaaS.

Empfohlen

Openstorage with OpenStack, by Bradley
Openstorage with OpenStack, by BradleyOpenstorage with OpenStack, by Bradley
Openstorage with OpenStack, by BradleyHui Cheng
 
Openstorage Openstack
Openstorage OpenstackOpenstorage Openstack
Openstorage OpenstackOpenCity Community
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)MongoDB
 
OS Slide Ch12 13
OS Slide Ch12 13OS Slide Ch12 13
OS Slide Ch12 13庭緯 陳
 
Chap4
Chap4 Chap4
Chap4 Premmraj
 
Deployment
DeploymentDeployment
Deploymentrogerbodamer
 
Storage
StorageStorage
Storagesanjeev agarwal
 
"The Open Source effect in the Storage world" by George Mitropoulos @ eLibera...
"The Open Source effect in the Storage world" by George Mitropoulos @ eLibera..."The Open Source effect in the Storage world" by George Mitropoulos @ eLibera...
"The Open Source effect in the Storage world" by George Mitropoulos @ eLibera...eLiberatica
 

Empfohlen

Openstorage with OpenStack, by Bradley
Openstorage with OpenStack, by BradleyOpenstorage with OpenStack, by Bradley
Openstorage with OpenStack, by BradleyHui Cheng
 
Openstorage Openstack
Openstorage OpenstackOpenstorage Openstack
Openstorage OpenstackOpenCity Community
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)MongoDB
 
OS Slide Ch12 13
OS Slide Ch12 13OS Slide Ch12 13
OS Slide Ch12 13庭緯 陳
 
Chap4
Chap4 Chap4
Chap4 Premmraj
 
Deployment
DeploymentDeployment
Deploymentrogerbodamer
 
Storage
StorageStorage
Storagesanjeev agarwal
 
"The Open Source effect in the Storage world" by George Mitropoulos @ eLibera...
"The Open Source effect in the Storage world" by George Mitropoulos @ eLibera..."The Open Source effect in the Storage world" by George Mitropoulos @ eLibera...
"The Open Source effect in the Storage world" by George Mitropoulos @ eLibera...eLiberatica
 
An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...
An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...
An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...Tony Pearson
 
2018 Infortrend EonStor GSe Pro Family Introduction
2018 Infortrend EonStor GSe Pro Family Introduction2018 Infortrend EonStor GSe Pro Family Introduction
2018 Infortrend EonStor GSe Pro Family Introductioninfortrendgroup
 
2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)infortrendgroup
 
SSD based storage tuning for databases
SSD based storage tuning for databasesSSD based storage tuning for databases
SSD based storage tuning for databasesAngelo Rajadurai
 
Raid designs in Qsan Storage
Raid designs in Qsan StorageRaid designs in Qsan Storage
Raid designs in Qsan Storageqsantechnology
 
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "Kuniyasu Suzaki
 
JetStor 712U ZFS Based Storage
JetStor 712U ZFS Based StorageJetStor 712U ZFS Based Storage
JetStor 712U ZFS Based StorageGene Leyzarovich
 
Hadoop on a personal supercomputer
Hadoop on a personal supercomputerHadoop on a personal supercomputer
Hadoop on a personal supercomputerPaul Dingman
 
Plextor mSATA M5M sales kits
Plextor mSATA M5M sales kitsPlextor mSATA M5M sales kits
Plextor mSATA M5M sales kitsMaarten Souren
 
(Free and Net) BSD Xen Roadmap
(Free and Net) BSD Xen Roadmap(Free and Net) BSD Xen Roadmap
(Free and Net) BSD Xen RoadmapThe Linux Foundation
 
More mastering the art of indexing
More mastering the art of indexingMore mastering the art of indexing
More mastering the art of indexingYoshinori Matsunobu
 
Eonstor GSc family introduction
Eonstor GSc family introductionEonstor GSc family introduction
Eonstor GSc family introductioninfortrendgroup
 
Power of Storage FREE Webinar
Power of Storage FREE WebinarPower of Storage FREE Webinar
Power of Storage FREE WebinarLidia Gasparotto
 
Introduction to TrioNAS LX U300
Introduction to TrioNAS LX U300Introduction to TrioNAS LX U300
Introduction to TrioNAS LX U300qsantechnology
 
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...npinto
 
Nexenta Powered by Apache CloudStack from Iliyas Shirol
Nexenta Powered by Apache CloudStack from Iliyas ShirolNexenta Powered by Apache CloudStack from Iliyas Shirol
Nexenta Powered by Apache CloudStack from Iliyas ShirolRadhika Puthiyetath
 
Linux Integrity Mechanisms - Protecting Container Runtime as an example
Linux Integrity Mechanisms - Protecting Container Runtime as an exampleLinux Integrity Mechanisms - Protecting Container Runtime as an example
Linux Integrity Mechanisms - Protecting Container Runtime as an exampleClay (Chih-Hao) Chang
 
JetStor 8 series 16G FC 12G SAS units
JetStor 8 series 16G FC 12G SAS unitsJetStor 8 series 16G FC 12G SAS units
JetStor 8 series 16G FC 12G SAS unitsGene Leyzarovich
 
PC = Personal Cloud (or how to use your development machine with Vagrant and ...
PC = Personal Cloud (or how to use your development machine with Vagrant and ...PC = Personal Cloud (or how to use your development machine with Vagrant and ...
PC = Personal Cloud (or how to use your development machine with Vagrant and ...Codemotion
 
LinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzakiLinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzakiKuniyasu Suzaki
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Kuniyasu Suzaki
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Kuniyasu Suzaki
 

Weitere ähnliche Inhalte

Was ist angesagt?

An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...
An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...
An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...Tony Pearson
 
2018 Infortrend EonStor GSe Pro Family Introduction
2018 Infortrend EonStor GSe Pro Family Introduction2018 Infortrend EonStor GSe Pro Family Introduction
2018 Infortrend EonStor GSe Pro Family Introductioninfortrendgroup
 
2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)infortrendgroup
 
SSD based storage tuning for databases
SSD based storage tuning for databasesSSD based storage tuning for databases
SSD based storage tuning for databasesAngelo Rajadurai
 
Raid designs in Qsan Storage
Raid designs in Qsan StorageRaid designs in Qsan Storage
Raid designs in Qsan Storageqsantechnology
 
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "Kuniyasu Suzaki
 
JetStor 712U ZFS Based Storage
JetStor 712U ZFS Based StorageJetStor 712U ZFS Based Storage
JetStor 712U ZFS Based StorageGene Leyzarovich
 
Hadoop on a personal supercomputer
Hadoop on a personal supercomputerHadoop on a personal supercomputer
Hadoop on a personal supercomputerPaul Dingman
 
Plextor mSATA M5M sales kits
Plextor mSATA M5M sales kitsPlextor mSATA M5M sales kits
Plextor mSATA M5M sales kitsMaarten Souren
 
More mastering the art of indexing
More mastering the art of indexingMore mastering the art of indexing
More mastering the art of indexingYoshinori Matsunobu
 
Eonstor GSc family introduction
Eonstor GSc family introductionEonstor GSc family introduction
Eonstor GSc family introductioninfortrendgroup
 
Power of Storage FREE Webinar
Power of Storage FREE WebinarPower of Storage FREE Webinar
Power of Storage FREE WebinarLidia Gasparotto
 
Introduction to TrioNAS LX U300
Introduction to TrioNAS LX U300Introduction to TrioNAS LX U300
Introduction to TrioNAS LX U300qsantechnology
 
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...npinto
 
Nexenta Powered by Apache CloudStack from Iliyas Shirol
Nexenta Powered by Apache CloudStack from Iliyas ShirolNexenta Powered by Apache CloudStack from Iliyas Shirol
Nexenta Powered by Apache CloudStack from Iliyas ShirolRadhika Puthiyetath
 
Linux Integrity Mechanisms - Protecting Container Runtime as an example
Linux Integrity Mechanisms - Protecting Container Runtime as an exampleLinux Integrity Mechanisms - Protecting Container Runtime as an example
Linux Integrity Mechanisms - Protecting Container Runtime as an exampleClay (Chih-Hao) Chang
 
JetStor 8 series 16G FC 12G SAS units
JetStor 8 series 16G FC 12G SAS unitsJetStor 8 series 16G FC 12G SAS units
JetStor 8 series 16G FC 12G SAS unitsGene Leyzarovich
 
PC = Personal Cloud (or how to use your development machine with Vagrant and ...
PC = Personal Cloud (or how to use your development machine with Vagrant and ...PC = Personal Cloud (or how to use your development machine with Vagrant and ...
PC = Personal Cloud (or how to use your development machine with Vagrant and ...Codemotion
 

Was ist angesagt? (19)

An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...
An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...
An IBM Storage Solution for Small and Mid-size Businesses -- The IBM Storwize...
 
2018 Infortrend EonStor GSe Pro Family Introduction
2018 Infortrend EonStor GSe Pro Family Introduction2018 Infortrend EonStor GSe Pro Family Introduction
2018 Infortrend EonStor GSe Pro Family Introduction
 
2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)2018 Infortrend All Flash Arrays Introduction (GS3025A)
2018 Infortrend All Flash Arrays Introduction (GS3025A)
 
SSD based storage tuning for databases
SSD based storage tuning for databasesSSD based storage tuning for databases
SSD based storage tuning for databases
 
Raid designs in Qsan Storage
Raid designs in Qsan StorageRaid designs in Qsan Storage
Raid designs in Qsan Storage
 
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
 
JetStor 712U ZFS Based Storage
JetStor 712U ZFS Based StorageJetStor 712U ZFS Based Storage
JetStor 712U ZFS Based Storage
 
Hadoop on a personal supercomputer
Hadoop on a personal supercomputerHadoop on a personal supercomputer
Hadoop on a personal supercomputer
 
Plextor mSATA M5M sales kits
Plextor mSATA M5M sales kitsPlextor mSATA M5M sales kits
Plextor mSATA M5M sales kits
 
(Free and Net) BSD Xen Roadmap
(Free and Net) BSD Xen Roadmap(Free and Net) BSD Xen Roadmap
(Free and Net) BSD Xen Roadmap
 
More mastering the art of indexing
More mastering the art of indexingMore mastering the art of indexing
More mastering the art of indexing
 
Eonstor GSc family introduction
Eonstor GSc family introductionEonstor GSc family introduction
Eonstor GSc family introduction
 
Power of Storage FREE Webinar
Power of Storage FREE WebinarPower of Storage FREE Webinar
Power of Storage FREE Webinar
 
Introduction to TrioNAS LX U300
Introduction to TrioNAS LX U300Introduction to TrioNAS LX U300
Introduction to TrioNAS LX U300
 
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
 
Nexenta Powered by Apache CloudStack from Iliyas Shirol
Nexenta Powered by Apache CloudStack from Iliyas ShirolNexenta Powered by Apache CloudStack from Iliyas Shirol
Nexenta Powered by Apache CloudStack from Iliyas Shirol
 
Linux Integrity Mechanisms - Protecting Container Runtime as an example
Linux Integrity Mechanisms - Protecting Container Runtime as an exampleLinux Integrity Mechanisms - Protecting Container Runtime as an example
Linux Integrity Mechanisms - Protecting Container Runtime as an example
 
JetStor 8 series 16G FC 12G SAS units
JetStor 8 series 16G FC 12G SAS unitsJetStor 8 series 16G FC 12G SAS units
JetStor 8 series 16G FC 12G SAS units
 
PC = Personal Cloud (or how to use your development machine with Vagrant and ...
PC = Personal Cloud (or how to use your development machine with Vagrant and ...PC = Personal Cloud (or how to use your development machine with Vagrant and ...
PC = Personal Cloud (or how to use your development machine with Vagrant and ...
 

Andere mochten auch

LinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzakiLinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzakiKuniyasu Suzaki
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Kuniyasu Suzaki
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Kuniyasu Suzaki
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportKuniyasu Suzaki
 
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Kuniyasu Suzaki
 
EPT と TLB でしくじった話
EPT と TLB でしくじった話EPT と TLB でしくじった話
EPT と TLB でしくじった話Takaaki Fukai
 

Andere mochten auch (7)

LinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzakiLinuxCon Japan 2010 suzaki
LinuxCon Japan 2010 suzaki
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)
 
Hot sec10 slide-suzaki
Hot sec10 slide-suzakiHot sec10 slide-suzaki
Hot sec10 slide-suzaki
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 Report
 
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
Cloud ComputingにおけるVMのセキュリティ(14/Jan/2010)
 
EPT と TLB でしくじった話
EPT と TLB でしくじった話EPT と TLB でしくじった話
EPT と TLB でしくじった話
 

Ähnlich wie EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication" by K.Suzaki

Vmwareperformancetroubleshooting 100224104321-phpapp02 (1)
Vmwareperformancetroubleshooting 100224104321-phpapp02 (1)Vmwareperformancetroubleshooting 100224104321-phpapp02 (1)
Vmwareperformancetroubleshooting 100224104321-phpapp02 (1)Suresh Kumar
 
Vmwareperformancetroubleshooting 100224104321-phpapp02
Vmwareperformancetroubleshooting 100224104321-phpapp02Vmwareperformancetroubleshooting 100224104321-phpapp02
Vmwareperformancetroubleshooting 100224104321-phpapp02Suresh Kumar
 
Things I wish I knew about GemStone
Things I wish I knew about GemStoneThings I wish I knew about GemStone
Things I wish I knew about GemStoneESUG
 
Windows memory manager internals
Windows memory manager internalsWindows memory manager internals
Windows memory manager internalsSisimon Soman
 
ABS 2014 - Android Kit Kat Internals
ABS 2014 - Android Kit Kat InternalsABS 2014 - Android Kit Kat Internals
ABS 2014 - Android Kit Kat InternalsBenjamin Zores
 
Driver development – memory management
Driver development – memory managementDriver development – memory management
Driver development – memory managementVandana Salve
 
Deployment Strategies
Deployment StrategiesDeployment Strategies
Deployment StrategiesMongoDB
 
Inter connect2016 yss1841-cloud-storage-options-v4
Inter connect2016 yss1841-cloud-storage-options-v4Inter connect2016 yss1841-cloud-storage-options-v4
Inter connect2016 yss1841-cloud-storage-options-v4Tony Pearson
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment StrategyMongoDB
 
The effect of page size modification on jvm
The effect of page size modification on jvmThe effect of page size modification on jvm
The effect of page size modification on jvmParameswaran Selvam
 
VDI storage and storage virtualization
VDI storage and storage virtualizationVDI storage and storage virtualization
VDI storage and storage virtualizationSisimon Soman
 
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Hsien-Hsin Sean Lee, Ph.D.
 
VMworld 2013: Just Because You Could, Doesn't Mean You Should: Lessons Learne...
VMworld 2013: Just Because You Could, Doesn't Mean You Should: Lessons Learne...VMworld 2013: Just Because You Could, Doesn't Mean You Should: Lessons Learne...
VMworld 2013: Just Because You Could, Doesn't Mean You Should: Lessons Learne...VMworld
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
Colvin exadata mistakes_ioug_2014
Colvin exadata mistakes_ioug_2014Colvin exadata mistakes_ioug_2014
Colvin exadata mistakes_ioug_2014marvin herrera
 
[Harvard CS264] 08a - Cloud Computing, Amazon EC2, MIT StarCluster (Justin Ri...
[Harvard CS264] 08a - Cloud Computing, Amazon EC2, MIT StarCluster (Justin Ri...[Harvard CS264] 08a - Cloud Computing, Amazon EC2, MIT StarCluster (Justin Ri...
[Harvard CS264] 08a - Cloud Computing, Amazon EC2, MIT StarCluster (Justin Ri...npinto
 

Ähnlich wie EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication" by K.Suzaki (20)

Vmwareperformancetroubleshooting 100224104321-phpapp02 (1)
Vmwareperformancetroubleshooting 100224104321-phpapp02 (1)Vmwareperformancetroubleshooting 100224104321-phpapp02 (1)
Vmwareperformancetroubleshooting 100224104321-phpapp02 (1)
 
Vmwareperformancetroubleshooting 100224104321-phpapp02
Vmwareperformancetroubleshooting 100224104321-phpapp02Vmwareperformancetroubleshooting 100224104321-phpapp02
Vmwareperformancetroubleshooting 100224104321-phpapp02
 
Things I wish I knew about GemStone
Things I wish I knew about GemStoneThings I wish I knew about GemStone
Things I wish I knew about GemStone
 
macospptok.pptx
macospptok.pptxmacospptok.pptx
macospptok.pptx
 
Windows memory manager internals
Windows memory manager internalsWindows memory manager internals
Windows memory manager internals
 
CLFS 2010
CLFS 2010CLFS 2010
CLFS 2010
 
ABS 2014 - Android Kit Kat Internals
ABS 2014 - Android Kit Kat InternalsABS 2014 - Android Kit Kat Internals
ABS 2014 - Android Kit Kat Internals
 
Driver development – memory management
Driver development – memory managementDriver development – memory management
Driver development – memory management
 
os
osos
os
 
Deployment Strategies
Deployment StrategiesDeployment Strategies
Deployment Strategies
 
Inter connect2016 yss1841-cloud-storage-options-v4
Inter connect2016 yss1841-cloud-storage-options-v4Inter connect2016 yss1841-cloud-storage-options-v4
Inter connect2016 yss1841-cloud-storage-options-v4
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment Strategy
 
Ceph on arm64 upload
Ceph on arm64 uploadCeph on arm64 upload
Ceph on arm64 upload
 
The effect of page size modification on jvm
The effect of page size modification on jvmThe effect of page size modification on jvm
The effect of page size modification on jvm
 
VDI storage and storage virtualization
VDI storage and storage virtualizationVDI storage and storage virtualization
VDI storage and storage virtualization
 
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
 
VMworld 2013: Just Because You Could, Doesn't Mean You Should: Lessons Learne...
VMworld 2013: Just Because You Could, Doesn't Mean You Should: Lessons Learne...VMworld 2013: Just Because You Could, Doesn't Mean You Should: Lessons Learne...
VMworld 2013: Just Because You Could, Doesn't Mean You Should: Lessons Learne...
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Colvin exadata mistakes_ioug_2014
Colvin exadata mistakes_ioug_2014Colvin exadata mistakes_ioug_2014
Colvin exadata mistakes_ioug_2014
 
[Harvard CS264] 08a - Cloud Computing, Amazon EC2, MIT StarCluster (Justin Ri...
[Harvard CS264] 08a - Cloud Computing, Amazon EC2, MIT StarCluster (Justin Ri...[Harvard CS264] 08a - Cloud Computing, Amazon EC2, MIT StarCluster (Justin Ri...
[Harvard CS264] 08a - Cloud Computing, Amazon EC2, MIT StarCluster (Justin Ri...
 

Mehr von Kuniyasu Suzaki

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)Kuniyasu Suzaki
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)Kuniyasu Suzaki
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告Kuniyasu Suzaki
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Kuniyasu Suzaki
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiKuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?Kuniyasu Suzaki
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)Kuniyasu Suzaki
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiKuniyasu Suzaki
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017Kuniyasu Suzaki
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationKuniyasu Suzaki
 
Io t security-suzki-20170224
Io t security-suzki-20170224Io t security-suzki-20170224
Io t security-suzki-20170224Kuniyasu Suzaki
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Kuniyasu Suzaki
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiKuniyasu Suzaki
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアルKuniyasu Suzaki
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Kuniyasu Suzaki
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Kuniyasu Suzaki
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点Kuniyasu Suzaki
 

Mehr von Kuniyasu Suzaki (20)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
 
RISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzakiRISC-V-Day-Tokyo2018-suzaki
RISC-V-Day-Tokyo2018-suzaki
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory Disaggregation
 
Io t security-suzki-20170224
Io t security-suzki-20170224Io t security-suzki-20170224
Io t security-suzki-20170224
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)Report for S4x14 (SCADA Security Scientific Symposium 2014)
Report for S4x14 (SCADA Security Scientific Symposium 2014)
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by Suzaki
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアル
 
Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies Nested Virtual Machines and Proxies
Nested Virtual Machines and Proxies
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点
 

Kürzlich hochgeladen

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication" by K.Suzaki

  • 1. Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication Kuniyasu Suzaki, Kengo Iijima, Suzaki Iijima Toshiki Yagi, Cyrille Artho Research Institute for Secure Systems EuroSec 2012 at Bern, April 10
  • 2. Background 1/2 • Infrastructure as a Service(IaaS) type cloud computing offers OS hosting service and runs many virtual machines. – Examples: Amazon EC2, Rackspace, ... – Physical resources are very important. Many techniques are developed to save resources. resources • We concentrate on memory. • Memory Deduplication is utilized to share same contents and reduces consumption of physical memory. • Venders want to use this function, but …
  • 3. Background 2/2 • Some attacks are appeared on IaaS, and users want to increase security of Guest OS. – For example, Cross VM Side channel attack [CSS2009] • Guest OSes have some choices of security function. – Some of them change the behavior of memory and will work to i increase or decrease performance of memory deduplication. d f f d d li i • Our paper measures the affects of security functions on real memory deduplication (KSM with KVM).
  • 4. Contents 1) Background 2) Memory deduplication 3) OS security functions – Address Space Layout randomization, Memory Sanitization, randomization Sanitization Page Cache flashing 4) Experimental results – On Linux’s KSM (Kernel Samepage Merging) with KVM virtual machine monitor 5) Discussion and Conclusion
  • 5. Memory Deduplication 1/2 • Memory deduplication is a technique to share same contents page. – Mainly used for virtual machines. – Very effective when same guest OS runs on many virtual machines. • Many virtual machine monitors include deduplication with different implementations. Guest Pseudo Memory VM1 VM2 VM(n) Real Physical Memory
  • 6. Memory Deduplication 2/2 • Content-aware deduplication – Check contents when data is loaded from disk to memory. • Transparent Page Sharing on Disco [OSDI97] • Satori on Xen[USENIX09] • Periodical memory-scan deduplication – Scan memory pages and merge when pages are same. It can treat dynamically created contents pages. • Content-Based Page Sharing on VMWare ESX [SOSP02] • Differential Engine on Xen[OSDI08] • KSM (Kernel Samepage Merging) [LinuxSymp09] – General-purpose memory deduplication for Linux. – Used mainly for KVM. • Our paper uses KSM with KVM virtual machine.
  • 7. KSM: Kernel Samepage Merging • KSM has 3 states for pages. – Volatile : contents change frequently (not to be candidate) – Unshared: candidate pages for deduplication (unique at present) – Shared: deduplicated pages with same contents. • Pages are scanned (default: 20msec) – All pages are not scanned at a trial. t d t ti l – The maximum is 25% of the available memory. – The time to be deduplicated depends on the situation.
  • 8. Contents 1) Background 2) Memory deduplication 3) OS security functions – Address Space Layout randomization, Memory Sanitization, randomization Sanitization Page Cache flashing 4) Experimental results – On Linux’s KSM (Kernel Samepage Merging) with KVM virtual machine monitor 5) Discussion and Conclusion
  • 9. OS Security functions • Modern OSes have security functions that modify memory contents dynamically. 1. Address Space Layout Randomization (ASLR) with Position Independent Executable (PIE) 2. Memory Sanitization 3. Page Cache flashing
  • 10. Address Space Layout Randomization(ASLR) • Normal binary has fixed Memory layout, and has vulnerability for overflow attack. • ASLR gives randomized offset (aligned page) to code, library, and stack. • Early ASLR for Linux is implemented on PaX and Exec Shield Linux. • Linux 2.6.12 (June 2005), Windows VISTA. • Binaries have to be Position Independent Executable (PIE). – GCC has options to compile a code for PIE-ELF binary. (“-fPIE” for compiler p p y ( p and “–pie” for linker) • Disadvantage: PIE binaries become fat, because the all addressing are relocatable. • ASLR and PIE binaries will affect memory deduplication. Normal ELF PIE-ELF on ASLR Stack 0x???????? Stack 0xBFFFF000 Library 0x???????? Library 0x40000000 Position Independent PIE code 0x???????? The address is Code 0x08048000 changed for each process on ASLR
  • 11. Memory sanitization • Technique for zero-clearing pages after use. – Sensitive data remain for long periods after use, and Chow proposed Secure deallocation [USENIX Security 04, 05] . It prevents information leak. • Linux has unconditional page sanitization patch. – Increased zero-cleared pages will be deduplicated. As a result, it will reduces consumption of physical memory. memory – Disadvantage: • Linux’s sanitization requires zero-clearing all physical pages at boot time. • Do not treat page cache, because cashed pages are not released from a kernel. Physical Memory 0xXXXX0000 000000 0000000 00000000 Zero-cleared 0x00000000
  • 12. Page Cache flushing • Page Cache flushing reduces possibility of information leak. • Page Cache reduces I/O overhead when pages are accessed repeatedly. However, the page cache may include sensitive data. • Linux kernel has DropCache for page cache flushing. – DropCache released all cached pages from the kernel. • “cron” is used to flush page cache at certain intervals (1 sec). – Th fl h d memory region i reused f other processes. A a result, it will The flushed i is d for th As lt ill reduce consumption of physical memory. – DropCache does not zero-clear the released pages. We need to enable sanitization to zero-clear the pages. – Disadvantage: • Re-loaded data from disk when the same contents are accessed again.
  • 13. Contents 1) Background 2) Memory deduplication 3) OS security functions – Address Space Layout randomization, Memory Sanitization, randomization Sanitization Page Cache flashing 4) Experimental results – On Linux’s KSM (Kernel Samepage Merging) with KVM virtual machine monitor 5) Discussion and Conclusion
  • 14. Experiments • Measure the effects of 3 security functions (ALSR, memory sanitization, DropCache: page cache flushing) on memory deduplication (KSM with KVM). • Test environment – Intel Core2Quad (Q9650) 3.0GHz processor – Host OS: Ubuntu 9.10 (kernel: vanilla-2.6.32.1) with memory deduplication KSM and virtual machine monitor KVM – 2 type of Guest OSes • Normal Gentoo Linux (1.12.13, kernel 2.6.31) on a 32GB virtual disk (31GB ext3, 1GB swap) • Gentoo Linux which is built as PIE binaries – It utilize ALSR
  • 15. Effects of Position Independent Executable (PIE) • Gentoo Linux has 1,469 ELF binary files in /bin, /sbin, /usr/bin, and /usr/sbin. – On Normal Gentoo the total is 88.4MB – On PIE Gentoo the total is 94.6MB (7% more). • The biggest change: “pampop9” 5 396B -> 9,440B (75% more) pampop9 5,396B > 9 440B more). • The smallest change: “wall” from 9,624B to 9,392B (2% less). • From after PIE Gentoo is mainly used.
  • 16. With and without ASLR, DropCache and Sanitization on 4VMs Security function Stable State ①Peak Mem ⑤Guest OS (MB) ③ Sharing ④ Unshared+ Boot Time ASLR DropCache Sanitize Virtual/Physical ② Physical Mem (MB) (MB (%)) Volatile (sec) (MB (%)) ○ 574/458 234.9 106.4(45.3) 128.5(54.7) 62 ○ ○ 431/332 206.9 70.7(34.1) 136.3(65.9) 83 ○ ○ 2063/1661 204.6 82.1(40.1) 122.5(59.9) 61 ○ ○ ○ 2063/1616 186.5 39.4(21.1) 147.1(78.9) 83 574/455 199.0 120.1(60.4) 78.9(39.6) 62 ○ 429/316 169.5 83.1(49.0) 86.5(51.0) 82 ○ 2063/1661 171.2 94.0(54.9) 77.2(45.1) 62 ○ ○ 2063/1161 129.9 50.4(38.8) 79.5(61.2) 85
  • 17. With and without ASLR, DropCache and Sanitization on 4VMs DropCache delayed Security function Stable State ①Peak Mem the boot time. ⑤Guest OS (MB) ③ Sharing ④ Unshared+ Boot Time ASLR DropCache Sanitize Virtual/Physical ② Physical Mem (MB) (MB (%)) Volatile (sec) (MB (%)) ○ 574/458 +18% 234.9 106.4(45.3) 128.5(54.7) 62 ○ ○ 431/332 206.9 70.7(34.1) 136.3(65.9) 83 -12% ○ ○ 2063/1661 204.6 82.1(40.1) 122.5(59.9) 61 -13% 13% ○ ○ ○ 2063/1616 +43% -21% 186.5 39.4(21.1) 147.1(78.9) 83 Decrease Increase 574/455 199.0 120.1(60.4) 78.9(39.6) 62 ○ 429/316 169.5 83.1(49.0) 86.5(51.0) 82 -15% ○ 2063/1661 171.2 94.0(54.9) 77.2(45.1) 62 -14% ○ ○ 2063/1161 129.9 50.4(38.8) 79.5(61.2) 85 -35% Sanitization uses all virtual ASLR decreases deduplication and memory, but consumption increases unique pages. It means ASLR increases physical memory consumption of physical memory is ASLR reduces opportunities for Others (DropCache, Sanitization, and Both) reduced by deduplication. memory deduplication. decrease.
  • 18. Virtual and Physical memory consumption Sanitization use MB 2500 all memory Virtual Max 1VM, 2VMs, 4VMs Physical Max 2000 1500 1000 Smallest Smallest 500 0 • Sanitization uses all virtual memory. KSM depress the consumption of physical memory but it is still large. • DropCache, (2) and (6), shows the smallest consumptions, because the flushed pages are reused. – They shows enabling DropCahe is the best from the view of memory, but DropCache affects the time performance of GuestOS.
  • 19. DropCache: Page Flushing • DropCache was issued every second. It takes 10 - 20 microseconds (1% or 2%), thus it does not affect performance severely. • However, the boot time with DropCache increases by about 20 seconds (30% more). b d ) • The other boot procedures read 65MB of data from disk. DropCache increases this to 99MB (52% more). PIE Gentoo Disk Read (MB) (seconds) Normal 65 No DropCache 61―62 DropCache 99 DropCache 82―85 Sanitize 65
  • 20. Memory Usage in KSM: PIE Gentoo at a stable state after booting 1, 2, and 4 VMs MB 250 Shared 1VM,2VMs,4VMs Unshare 200 Volatile 150 100 50 0 • Total memory(volatile+unshared+sharing) with ASLR are larger than without ASLR. • Volatile and Sharing pages are almost the same. ASLR increases the number of unshared pages. It means that ASLR increases pages with different contents. • However, it is strange because ASLR dons not change the contests. The reason is not well analyzed.
  • 21. Trace of Memory usage on KSM with 4VMs • Sanitization sets memory contents to zero on all memory pages at boot time. KSM could not catch up. • However, the performance of Guest OS is not effected, because KSM limits the number of pages at a trial, and postpone deduplication. – After booting, KSM deduplicates memory pages. MB 2000 MB 2000 sharing 1500 shared 1500 sharing unshared shared 1000 volatile 1000 unshared volatile 500 500 0 sec 0 0 100 200 300 sec 0 100 200 300 Without Sanitization(PIE Gentoo on ASLR) With Sanitization
  • 22. Contents 1) Background 2) Memory deduplication 3) OS security functions – Address Space Layout randomization, Memory Sanitization, randomization Sanitization Page Cache flashing 4) Experimental results – On Linux’s KSM (Kernel Samepage Merging) with KVM virtual machine monitor 5) Discussion and Conclusion
  • 23. Discussions • Co-Design of GuestOS and VMM – Some VMMs offers zero-cleared pseudo memory to a VM. If memory sanitization recognizes it, the zero-clearing process may be removed. – If VMM control page flushing (balance page cache and I/O), it can achieve global optimization among many VMs. hi l b l ti i ti VM • It will be a counter part of ballon memory of VMM. • Consider Scalability on IaaS – DropCache reduces the consumption of memory, but it also reduce time performance. If a server (IaaS) hosts OSes which don’t care time performance, DropCache is effective.
  • 24. Related Works • Memory deduplication has potential to change structure of OS. – Memory deduplication is used to increase security • SLINKY[USENIX ATC 2005] encourages static-linking, because memory deduplication reduces the increase memory. • Instead of static-linking, Self-contained ELF binaries (binaries which include shared libraries) is used for generalization [HotSec 2010] – Attack on memory deduplication • Memory disclosure attack for Copy-On-Write [EuroSec 2011] • OS Fingerprint [IPCCC2011] • Memory deduplication is improved. • KSM++ [RESoLVE 2012] • HICAMP [APSOLS 2012] Hardware memory deduplication. The size is very small (16-256 Byte).
  • 25. Conclusions • Our paper measures the affects of security functions (ASLR, sanitization, page cache flushing) on real memory deduplication (KSM with KVM). – ASLR increases consumption of physical memory, which is more than anticipated. – Memory sanitization has to initialize all memory, but the CPU overhead for GuestOS is low, because memory merging is postponed at heavy load. low load – Page cache flushing (DropCache) reduces consumption of physical memory by reusing released pages. However, the overhead is large, which is caused by re-loading data from a disk. • We should consider co-design of VMM and security function of guestOS and increase the scalability of IaaS.