tapaswenipathak / linux-kernel-stats

linux kernel stats (Publication [Journal, Magazine]). This repository has code files.
MIT License

Summarize: Accountable Virtual Machines #113

Closed bhaskarkumar1 closed 1 year ago

bhaskarkumar1 commented 1 year ago

summarize: https://www.usenix.org/legacy/events/osdi10/tech/full_papers/Haeberlen.pdf

duttabhishek0 commented 1 year ago

@duttabhishek0

duttabhishek0 commented 1 year ago

This paper introduces the concept of Accountable Virtual Machines (AVMs), which provide users with the ability to audit the execution of software systems. AVMs are particularly useful in scenarios where users rely on software and services that run on machines owned or operated by third parties, such as in online games, peer-to-peer systems, or cloud computing environments. The AVM monitors the execution of the system and maintains a log of the information, which allows users to detect faults, identify the faulty node, and produce evidence of who was responsible for the problem. This capability is achieved without requiring the audited machine to run trusted hardware or software components. The authors present the design of an AVM monitor and demonstrate its practicality in detecting cheating in multiplayer games. A prototype AVM monitor was built on VMware Workstation and was used to detect real cheats in the popular game Counterstrike.

The authors summarize prior work on the development of a prototype AVMM (Autonomous Virtual Machine Monitor), which is based on the ability to replay the execution of a virtual machine. They note that although replay techniques have been studied for a long time, they are not sufficient to detect faults on a remote machine because the machine may record incorrect information. The authors also discuss accountability in distributed systems and how AVMs offer accountability without the limitations of other systems. They highlight that AVMs are generic and can be used to detect faults in unmodified games, unlike other systems that require source code modifications or trusted hardware.

The paper focuses on enabling Alice to verify the behavior of software S running on a machine M controlled by Bob, without having to trust Bob, M or any software running on M. The goal is to provide the properties of detection (if M is faulty, Alice can detect it) and evidence (Alice can obtain proof of M's fault that would convince a third party without their trust in Alice or Bob). To achieve this, the paper proposes the use of tamper-evident logs and virtual machines. Bob uses a virtual machine monitor (VMM) to run the software S inside an accountable virtual machine (AVM), which maintains a tamper-evident log of network messages and any nondeterministic events. Alice periodically audits M by asking for its log, verifying it against the authenticators collected, and using deterministic replay to check for faults.

The authors also describe the design of a specific AVMM (autonomous virtual machine monitor) so as to demonstrate that AVMs are practical. The design is based on several assumptions, including all parties having access to a secure hash function, each party having a certified keypair, and the ability to audit the log of a machine. The design consists of three building blocks:

  1. a VMM,
  2. a tamper-evident log, and
  3. an auditing mechanism.

The tamper-evident log is structured as a hash chain, with each log entry consisting of a sequence number, type, data, and hash value. The VMM used is a virtualization of a standard commodity PC, while auditing is done through a tool that authenticates the log, checks it for tampering, and uses deterministic replay to determine correct execution. The log is used to detect incoming message forgeries, outgoing message tampering, and dropped messages. The authors note two limitations:

  1. AVMM cannot detect bugs or vulnerabilities in the software, as the expected behavior of mobile market is defined by MR (Mobile-Reference). This means that if the software has a bug, it will still pass an audit.
  2. Any behavior that can be achieved by providing inputs to MR is considered correct, even if the inputs come from sources other than the network and cannot be verified during an audit. This means Bob may be able to exploit the system by recording local inputs to elicit the desired behavior in MR.

The authors evaluate the use of AVMs (Application Virtual Machines) in cheat detection in online games. They compare AVMs to current anti-cheat systems like PunkBuster, Warden, and Valve Anti-Cheat (VAC). These systems scan the user's machine for known cheats, but this leads to an arms race between cheaters and game maintainers. AVMs work by having players agree on a VM image to use and recording a log of the game. If players suspect cheating, they can request logs and replay them using a trusted copy of the VM image. AVMs are effective against cheats that need to be installed with the game or that make the cheater's machine's network-visible behavior inconsistent with any correct execution. These types of cheats cause replay to fail during an audit, either due to differences in the VM images or the cheater's network-visible behavior.

The article describes a prototype implementation of an Anti-cheat Virtual Machine Monitor (AVMM) to detect cheating in Counterstrike, a popular multi-player game. The AVMM is based on VMware Workstation and the authors have extended it to record extra information about incoming and outgoing network packets, and added support for tamper-evident logging. The authors evaluate the AVMM using three Dell Precision T1500 workstations running Linux with AVMM binaries based on VMware Workstation. They compare five different configurations in terms of the costs of various aspects of AVMs, including bare hardware, VMware without logging, VMware with logging, AVMM without signatures, and AVMM with signatures. The authors report that the AVMM with signatures outperformed the other configurations in detecting cheating in Counterstrike.

The authors also describe other applications. AVMs (Accountable Virtual Machines) are application-independent and can be used in various systems for accountability purposes.

  1. In distributed systems, AVMs can be used to monitor the behavior of each node.
  2. In network traffic accountability, AVMs combined with a traffic monitor can capture the network-observable behavior of a machine to detect malware.
  3. In cloud computing, AVMs can be used to verify that software executes as expected in the cloud but face challenges such as auditing the entire execution, interacting with non-accountable clients, and signing every single packet.

AVMs are capable of verifying the integrity of remote nodes without relying on trusted components. However, adding trusted components such as secure input devices and trusted AVMM can provide additional guarantees. The AVM logs reveal information about the execution of the software inside the AVM but only to approved auditors and not about executions outside of it. Alice and Bob's privacy may be affected when evidence is used to demonstrate a fault to a third party, and the hash tree can be used to limit the information released. The current AVMM is limited to single CPU core assignments but more efficient techniques for deterministic replay are being developed. AVMs detect deviations from the behavior of a reference implementation but cannot detect bugs in the reference implementation itself.
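The summary above describes the three mechanisms an audit rests on: a hash-chained log of (sequence number, type, data, hash) entries, authenticators that Alice collects so Bob cannot later rewrite or truncate the log, and deterministic replay of the logged inputs against a reference implementation. The following is an added illustration of that audit flow, not code from the paper, its AVMM prototype, or this repository. It assumes a toy deterministic "reference implementation" (a position counter fed by `move:N` messages and a logged random seed), uses an HMAC with a shared demo key as a stand-in for the signature Bob would produce with his certified keypair, and uses constructed log entries; every message and key value here is made up for the demo.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32
KEY = b"constructed-demo-key"  # assumption: HMAC stands in for Bob's keypair signature

def entry_hash(prev_hash: bytes, seq: int, kind: str, data: str) -> bytes:
    """One hash-chain step: h_i = SHA-256(h_{i-1} || seq || type || data)."""
    payload = json.dumps([seq, kind, data], sort_keys=True).encode()
    return hashlib.sha256(prev_hash + payload).digest()

class TamperEvidentLog:
    """Bob's log: entries of (seq, type, data, hash), each hash chained to the previous one."""
    def __init__(self):
        self.entries = []
        self.prev = GENESIS

    def append(self, kind: str, data: str) -> dict:
        seq = len(self.entries)
        h = entry_hash(self.prev, seq, kind, data)
        self.entries.append({"seq": seq, "type": kind, "data": data, "hash": h.hex()})
        self.prev = h
        return self.entries[-1]

    def authenticator(self, key: bytes, seq: int) -> dict:
        """What Bob attaches to a message: the entry's position, its hash and a tag over both."""
        h = self.entries[seq]["hash"]
        tag = hmac.new(key, f"{seq}:{h}".encode(), hashlib.sha256).hexdigest()
        return {"seq": seq, "hash": h, "tag": tag}

def verify_authenticators(entries: list, auths: list, key: bytes) -> bool:
    """Every authenticator Alice collected must carry a valid tag and match the log Bob now presents."""
    for a in auths:
        expected = hmac.new(key, f"{a['seq']}:{a['hash']}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["tag"]):
            return False
        if a["seq"] >= len(entries) or entries[a["seq"]]["hash"] != a["hash"]:
            return False  # log truncated or forked after the authenticator was issued
    return True

def verify_chain(entries: list) -> int:
    """Recompute the chain; return the index of the first entry that does not fit, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        h = entry_hash(prev, i, e["type"], e["data"])
        if e["seq"] != i or h.hex() != e["hash"]:
            return i
        prev = h
    return -1

# Toy reference implementation (constructed): a deterministic state machine standing in for software S.
def reference_step(state: dict, kind: str, data: str) -> None:
    if kind == "recv":      # incoming network message, e.g. "move:3"
        state["pos"] += int(data.split(":")[1])
    elif kind == "rand":    # nondeterministic event recorded by the AVMM, replayed verbatim
        state["seed"] = int(data)

def reference_output(state: dict) -> str:
    return f"pos={state['pos']},seed={state['seed']}"

def replay(entries: list) -> int:
    """Deterministic replay: feed logged inputs to the reference and compare each logged outgoing message."""
    state = {"pos": 0, "seed": 0}
    for e in entries:
        if e["type"] in ("recv", "rand"):
            reference_step(state, e["type"], e["data"])
        elif e["type"] == "send" and e["data"] != reference_output(state):
            return e["seq"]
    return -1

def audit(entries: list, auths: list, key: bytes) -> str:
    """Alice's audit in the order the summary gives: authenticators, chain integrity, then replay."""
    if not verify_authenticators(entries, auths, key):
        return "bad authenticator"
    i = verify_chain(entries)
    if i >= 0:
        return f"chain broken at {i}"
    i = replay(entries)
    if i >= 0:
        return f"replay diverged at {i}"
    return "ok"

def run(sends: list) -> TamperEvidentLog:
    """Constructed session: two incoming moves, one random seed, two outgoing messages."""
    log = TamperEvidentLog()
    log.append("recv", "move:3")
    log.append("rand", "7")
    log.append("send", sends[0])
    log.append("recv", "move:2")
    log.append("send", sends[1])
    return log

def scenario(name: str) -> str:
    """'honest', 'tamper' (edit a logged input), 'truncate' (hide the tail), 'cheat' (send an impossible message)."""
    sends = ["pos=9,seed=7", "pos=11,seed=7"] if name == "cheat" else ["pos=3,seed=7", "pos=5,seed=7"]
    log = run(sends)
    auths = [log.authenticator(KEY, 2), log.authenticator(KEY, 4)]  # Alice collects these as messages arrive
    entries = [dict(e) for e in log.entries]
    if name == "tamper":
        entries[0]["data"] = "move:4"
    elif name == "truncate":
        entries = entries[:3]
    return audit(entries, auths, KEY)

if __name__ == "__main__":
    for name in ("honest", "tamper", "truncate", "cheat"):
        print(name, "->", scenario(name))
```

The four scenarios map onto the detection claims in the summary: an edited input breaks the hash chain, a hidden log tail is caught because Alice already holds an authenticator for an entry past the cut, and a "cheat" that sends a message no correct execution would produce leaves the log internally consistent but makes replay diverge. As the summary's limitations note, a bug in the reference implementation itself, or a cheat that only changes local inputs, would still replay cleanly.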

KavitaMeena23 commented 1 year ago

+1

duttabhishek0 commented 1 year ago

@tapaswenipathak