Veiasai / paper-notebook


CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization #14

Open Veiasai opened 5 years ago

Veiasai commented 5 years ago

https://ipads.se.sjtu.edu.cn/lib/exe/fetch.php?media=publications:cloudvisor-sosp2011.pdf

Veiasai commented 5 years ago

The trusted computing base (TCB) is everything in a computing system that provides a secure environment. This includes the operating system and its provided security mechanisms, hardware, physical locations, network hardware and software, and prescribed procedures. Typically, there are provisions for controlling access, providing authorization to specific resources, supporting user authentication, guarding against viruses and other forms of system infiltration, and backup of data. It is assumed that the trusted computing base has been or should be tested or verified.

Veiasai commented 5 years ago

Nested virtualization is the act of running a hypervisor inside a virtual machine – effectively nesting a hypervisor within a hypervisor.

Nested virtualization can be useful for running multiple hypervisors on the same host server. It is also an approach to learning about software products, experimenting with server setups or testing configurations. However, some hypervisor vendors do not support nested virtual machines in a production environment. And, not all hypervisors and operating system versions can nest successfully within all other hypervisors.

When talking about nested virtualization, the hypervisor running on physical hardware is known as the host hypervisor, while the VM running on that hypervisor is called the outer guest. The hypervisor running within the VM is known as the guest hypervisor, while the inner guest or nested guest is the VM running within the other VM.

Veiasai commented 5 years ago

EPT: processor-level memory virtualization support; extended page tables vs. shadow page tables. https://www.cnblogs.com/ck1020/p/6043054.html

Veiasai commented 5 years ago

VMCS: virtual processor context switching. https://blog.csdn.net/jemmy858585/article/details/46564735

Veiasai commented 5 years ago

CloudVisor takes a novel angle with a narrow point of entry; the model it presents is fairly simple, and I doubt a cloud provider like AWS would adopt it. It feels a bit like a small plugin. It is similar to how an operating system handles multiple processes: between a process and the physical hardware there are virtual memory and context switches. CloudVisor intercepts messages between the VM and the VMM and translates them. Its main advantages are that it is non-intrusive, has a small code base, and has low overhead.

Veiasai commented 5 years ago

When it comes to defending against attacks that originate from the VMM, the security field has been essentially blank; CloudVisor proposes a solution in this area.