Doctoral research project number: 8283

Description

Submission date: 16 March 2022
Title: Isolation Mechanisms within vSwitch of Cloud Computing Platform
Thesis director: Serge FDIDA (LIP6)
Supervisor: Gaogang XIE (ICT)
Scientific field: Information and communication sciences and technologies
CNRS theme: Systems and networks

Abstract: As an important component of the cloud platform, the virtual switch (vSwitch) is responsible for providing network connectivity between virtual machines (VMs) and external devices. To make the best use of limited resources while providing high-performance packet forwarding, existing vSwitches widely adopt sharing designs, for example sharing hardware resources, data structures and processing procedures among VMs. However, these sharing designs destroy the isolation among VMs. In the vSwitch, different VMs compete for shared resources and access memory without restriction, so they cannot be guaranteed a stable network Quality of Service (QoS) and are also exposed to data plane attacks and illegal memory access. To solve the performance, failure and security issues caused by this lack of isolation, this thesis explores isolation mechanisms in the vSwitch from three aspects: hardware resources, software data structures and I/O operations. In this way, cloud service providers can truly provide tenants with an isolated, secure and stable virtual network environment. The main works and contributions of this thesis are as follows:

1) CPU-cycle isolation based network QoS method. To solve the problem that VMs competing for limited CPU resources in the vSwitch interfere with each other's network performance, this thesis proposes a novel network QoS method based on CPU-cycle isolation (C2QoS). C2QoS establishes the relationship between vSwitch forwarding capability and CPU consumption through a measurement-driven modeling method. Based on this model, C2QoS designs a CPU-cycle based token bucket mechanism, which provides bandwidth guarantees to VMs by isolating and restricting the I/O-dedicated CPU resources. Besides the token bucket mechanism, a hierarchical batch-processing task scheduling mechanism is designed to provide differentiated latency according to priority. The proposed C2QoS method is implemented on the open source OVS-DPDK platform and evaluated experimentally. The results show that, compared with traditional packet/flow-based QoS methods, C2QoS achieves VM network bandwidth guarantees by isolating the competition for CPU resources, and at the same time reduces the additional VM network latency caused by competition by 80%.

2) Flow table isolation based data plane attack defense mechanism. Aiming at Denial of Service (DoS) attacks initiated by malicious tenants during the lookup process of the shared flow table, this thesis proposes a data plane attack defense mechanism based on flow table structure isolation (D-TSE). D-TSE separates the flow table structure per VM to achieve independent packet classification performance and failure isolation. To redirect packets to their dedicated flow table, D-TSE designs a lightweight pre-classification module that determines the attribution of each packet before the classification operation. To preserve forwarding efficiency in the separated flow table structure, D-TSE designs a batch re-aggregation mechanism. The proposed D-TSE mechanism is implemented on the OVS-DPDK platform and verified experimentally. The results show that D-TSE isolates the data structures and processing procedures belonging to different VMs in the vSwitch at the cost of up to 5% performance degradation, thereby achieving isolation of network failures and efficiently removing the risk of data plane DoS attacks.

3) Memory access isolation based virtualized network I/O (VNIO) mechanism. To solve the risk of illegal memory access caused by shared memory in existing VNIO mechanisms, this thesis proposes a VNIO mechanism based on memory access isolation (S2H). By analyzing the memory sharing models adopted in existing VNIO mechanisms and their security risks, a secure memory sharing model is designed. Based on this model, the S2H mechanism is designed and implemented on top of the virtio standard. To reduce CPU usage and ensure scalability in S2H, this thesis designs a "batch-grained" thread scheduling method. A prototype of S2H is implemented on the OVS-DPDK and QEMU/KVM platforms and validated through extensive experiments. The results show that S2H achieves the highest memory isolation and security among software-based VNIO mechanisms at the cost of a 2-9% increase in latency, while maintaining performance and scalability comparable to the widely adopted vHost-User solution.
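The CPU-cycle token bucket idea from contribution 1) can be illustrated with a small simulation. The following Python is an added example written for this page; it is not code from the thesis or from OVS-DPDK, and it replaces the measurement-driven cost model with an assumed constant cost per packet (CYCLES_PER_PKT) and an assumed per-tick core capacity (CORE_CYCLES_PER_TICK). The VM names, offered rates and cycle guarantees are constructed. It contrasts a shared I/O core draining one FIFO queue, where a flooding VM crowds out a well-behaved one, with per-VM cycle buckets, where each VM can only spend the cycles reserved for it and the well-behaved VM forwards everything it offers.

```python
"""Toy simulation of per-VM CPU-cycle token buckets on a vSwitch I/O core.

Assumptions (constructed for this example, not taken from the thesis):
  - every packet costs a fixed CYCLES_PER_PKT to forward;
  - the I/O core has CORE_CYCLES_PER_TICK cycles available per tick;
  - each VM offers a fixed number of packets per tick.
"""
from collections import deque

CYCLES_PER_PKT = 100            # assumed constant forwarding cost per packet
CORE_CYCLES_PER_TICK = 10_000   # assumed I/O core capacity: 100 packets per tick


class CycleBucket:
    """Token bucket whose tokens are CPU cycles rather than bytes or packets."""

    def __init__(self, rate, burst):
        self.rate = rate      # cycles credited to this VM every tick
        self.burst = burst    # maximum cycles the VM may accumulate
        self.tokens = 0

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def try_consume(self, cycles):
        """Spend `cycles` if the VM still has that much budget this tick."""
        if cycles > self.tokens:
            return False
        self.tokens -= cycles
        return True


def simulate_shared(offered, ticks):
    """No isolation: all VMs feed one FIFO queue drained by the I/O core.

    `offered` maps VM name -> packets it offers per tick.
    Returns packets forwarded per VM.
    """
    forwarded = {vm: 0 for vm in offered}
    backlog = deque()
    for _ in range(ticks):
        for vm, pkts in offered.items():
            backlog.extend([vm] * pkts)
        budget = CORE_CYCLES_PER_TICK
        # the core spends its cycles on whatever arrived first, regardless of VM
        while backlog and budget >= CYCLES_PER_PKT:
            forwarded[backlog.popleft()] += 1
            budget -= CYCLES_PER_PKT
    return forwarded


def simulate_isolated(offered, guaranteed_cycles, ticks):
    """CPU-cycle isolation: each VM drains its own queue only from its own bucket.

    `guaranteed_cycles` maps VM name -> cycles per tick reserved for that VM;
    the sum must not exceed CORE_CYCLES_PER_TICK for the guarantee to hold.
    """
    assert sum(guaranteed_cycles.values()) <= CORE_CYCLES_PER_TICK
    buckets = {vm: CycleBucket(c, c) for vm, c in guaranteed_cycles.items()}
    queues = {vm: 0 for vm in offered}     # per-VM pending packet counts
    forwarded = {vm: 0 for vm in offered}
    for _ in range(ticks):
        for vm, pkts in offered.items():
            queues[vm] += pkts
        for vm, bucket in buckets.items():
            bucket.refill()
            # forward only while this VM's own cycle budget lasts
            while queues[vm] and bucket.try_consume(CYCLES_PER_PKT):
                queues[vm] -= 1
                forwarded[vm] += 1
    return forwarded


# Constructed scenario: a well-behaved VM and a VM flooding the core.
OFFERED = {"vm_a": 50, "vm_b": 200}            # packets offered per tick
GUARANTEE = {"vm_a": 5_000, "vm_b": 5_000}     # cycles reserved per tick each


def compare(ticks=20):
    """Run both schedulers on the same scenario; returns (shared, isolated)."""
    return (simulate_shared(OFFERED, ticks),
            simulate_isolated(OFFERED, GUARANTEE, ticks))


if __name__ == "__main__":
    shared, isolated = compare()
    print("shared  :", shared)
    print("isolated:", isolated)
```

In the shared run the core always forwards 100 packets per tick, but vm_b's flood occupies most of the FIFO, so vm_a forwards far fewer than the 50 packets per tick it offers. With cycle buckets, vm_a's 5,000 reserved cycles cover exactly its 50 packets every tick, and vm_b's excess only grows vm_b's own backlog. Reserving cycles rather than packets is what makes the guarantee independent of how expensive a neighbour's traffic is to process.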



Doctoral student: Yang Ye