VeriCount: Verifiable Resource Accounting Using Hardware and Software Isolation

In cloud computing, where clients are billed based on the consumed resources for outsourced tasks, both the cloud providers and the clients have the incentive to manipulate claims about resource usage. Both desire an accurate and verifiable resource accounting system, which is neutral and can be trusted to refute any disputes. In this work, we present VeriCount—a verifiable resource accounting system coupled with refutable billing support for Linux container-based applications. To protect VeriCount logic, we propose a novel approach called self-accounting that combines hardware-based isolation guarantees from trusted computing mechanisms and software fault isolation techniques. The self-accounting engine in VeriCount leverages security features present in trusted computing solutions, such as Intel SGX, to measure user CPU time, memory, I/O bytes and network bandwidth while simultaneously detecting resource usage inflation attacks. We claim three main results. First, VeriCount incurs an average performance overhead of 3.62% and 16.03% over non-accounting but SGX-compatible applications in hardware and simulation mode respectively. Next, it contributes only an additional 542 lines of code to the trusted computing base. Lastly, it generates highly accurate, fine-grained resource accounting, with no discernible difference to the resource measuring tool available with the OS.

[1]  Alexander Shraer,et al.  Verifying cloud services: present and future , 2013, OPSR.

[2]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[3]  Srdjan Capkun,et al.  ROTE: Rollback Protection for Trusted Execution , 2017, USENIX Security Symposium.

[4]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[5]  Shweta Shinde,et al.  Preventing Page Faults from Telling Your Secrets , 2016, AsiaCCS.

[6]  Dan Tsafrir,et al.  Secretly Monopolizing the CPU Without Superuser Privileges , 2007, USENIX Security Symposium.

[7]  Andrew W. Appel,et al.  Portable Software Fault Isolation , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[8]  David M. Eyers,et al.  SCONE: Secure Linux Containers with Intel SGX , 2016, OSDI.

[9]  Xuhua Ding,et al.  On Trustworthiness of CPU Usage Metering and Accounting , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems Workshops.

[10]  Marcus Peinado,et al.  T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs , 2017, NDSS.

[11]  Mário M. Freire,et al.  Security issues in cloud environments: a survey , 2014, International Journal of Information Security.

[12]  James Newsome,et al.  MiniBox: A Two-Way Sandbox for x86 Native Code , 2014, USENIX Annual Technical Conference.

[13]  Pablo Acuña Amazon EC2 Container Service , 2016 .

[14]  Emmett Witchel,et al.  Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data , 2016, OSDI.

[15]  Hongwei Zhang,et al.  SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security , 2016, HASP 2016.

[16]  Benjamin Farley,et al.  Resource-freeing attacks: improve your cloud performance (at your neighbor's expense) , 2012, CCS.

[17]  Santosh K. Shrivastava,et al.  A Case for Consumer–centric Resource Accounting Models , 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[18]  Vyas Sekar,et al.  Towards verifiable resource accounting for outsourced computation , 2013, VEE '13.

[19]  Shweta Shinde,et al.  Panoply: Low-TCB Linux Applications With SGX Enclaves , 2017, NDSS.

[20]  Zhifeng Xiao,et al.  Security and Privacy in Cloud Computing , 2013, IEEE Communications Surveys & Tutorials.

[21]  Peter Desnoyers,et al.  Scheduler vulnerabilities and coordinated attacks in cloud computing , 2013, J. Comput. Secur..

[22]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[23]  Andreas Haeberlen,et al.  Accountable Virtual Machines , 2010, OSDI.

[24]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[25]  Carlos V. Rozas,et al.  Intel® Software Guard Extensions (Intel® SGX) Support for Dynamic Memory Management Inside an Enclave , 2016, HASP 2016.

[26]  Stephen McCamant,et al.  Evaluating SFI for a CISC Architecture , 2006, USENIX Security Symposium.

[27]  Dan Tsafrir,et al.  Backfilling Using System-Generated Predictions Rather than User Runtime Estimates , 2007, IEEE Transactions on Parallel and Distributed Systems.

[28]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[29]  Vyas Sekar,et al.  Verifiable resource accounting for cloud computing services , 2011, CCSW '11.

[30]  Michael M. Swift,et al.  A Day Late and a Dollar Short: The Case for Research on Cloud Billing Systems , 2014, HotCloud.

[31]  Marcus Peinado,et al.  Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems , 2015, 2015 IEEE Symposium on Security and Privacy.