CUDACS: Securing the Cloud with CUDA-Enabled Secure Virtualization

  • Flavio Lombardi
  • Roberto Di Pietro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6476)


While unresolved security issues pose a barrier to the widespread adoption of cloud computing technologies, the computing capabilities of even commodity hardware are increasing, in particular thanks to the adoption of *-core technologies. For instance, the Nvidia Compute Unified Device Architecture (CUDA) technology is increasingly available on a large part of commodity hardware. In this paper, we show that it is possible to effectively use such a technology to guarantee an increased level of security to cloud hosts, services, and finally to the user. Secure virtualization is the key enabling factor: it can protect such resources from attacks. In particular, secure virtualization can provide a framework enabling effective management of the security of possibly large, heterogeneous, CUDA-enabled computing infrastructures (e.g. clusters, server farms, and clouds). The contributions of this paper are twofold: first, to investigate the characteristics and security requirements of CUDA-enabled cloud computing nodes; and, second, to provide an architecture for leveraging CUDA hardware resources in a secure virtualization environment, to improve cloud security without sacrificing CPU performance. A prototype implementation and related results support the viability of our proposal.


Cloud computing security CUDA virtualization trusted platforms and trustworthy systems 





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Flavio Lombardi (1)
  • Roberto Di Pietro (2, 3)

  1. Consiglio Nazionale delle Ricerche, DCSPI Sistemi Informativi, Roma, Italy
  2. Dipartimento di Matematica, Università di Roma Tre, Roma, Italy
  3. Consiglio Nazionale delle Ricerche, IIT, Pisa, Italy
