Furnace: Self-service tenant VMI for the cloud

Abstract

Although Virtual Machine Introspection (VMI) tools are increasingly capable, modern multi-tenant cloud providers are hesitant to expose the sensitive hypervisor APIs necessary for tenants to use them. Outside the cloud, VMI and virtualization-based security’s adoption rates are rising and increasingly considered necessary to counter sophisticated threats. This paper introduces Furnace, an open source VMI framework that outperforms prior frameworks by satisfying both a cloud provider’s expectation of security and a tenant’s desire to run their own custom VMI tools underneath their cloud VMs. Furnace’s flexibility and ease of use is demonstrated by porting four existing security and monitoring tools as Furnace VMI apps; these apps are shown to be resource efficient while executing up to 300x faster than those in previous VMI frameworks. Furnace’s security properties are shown to protect against the actions of malicious tenant apps.