`Cloud Computing:
`Data Security, Transfer, and
`Management
`
`YushiShen
`Microsoft Corporation, USA
`
`Yale Li
`Microsoft Corporation, USA
`
`Ling Wu
`EMC2 Corporation, USA
`
`Shaofeng Liu
`Microsoft Corporation, USA
`
`Qian Wen
`Endronic Corp, USA
`
`A volume in the Advances in Systems
`Analysis, Software Engineering, and High
`Performance Computing (ASASEHPC)
`Book Series
`
`An Imprint ot IGI Global
`
`
`
`Petitioner Mercedes Ex-1028, 0001
`
`
`
`Man.aging Oireclor:
`Ediluriul Director:
`Production lvtannger:
`Publishing. Systeou Analy-st
`l)cvclo pmcat Editor:
`Acquisitions &Utor:
`Typcscller:
`co .. ·cr Dcsigo:
`
`Lindsay Johnston
`rvtylu Merkel
`Jennifer Yoder
`Adrienne Freeland
`,A.u-.tin OcMarco
`Kayla Wo lfe
`Lisumlm Gon1:.t1cz
`foS<.>n Mull
`
`Published in the Uni1ed States or Amerka by
`Information Science Reference (an imprint o f IGI Globnl)
`701 E . Chocol:ue Avenue
`Hershey PA 17033
`Tel: 717-533-8845
`Fax: 717-533-8661
`E-nKtil: c ust@igi-SIObJ.l.c.om
`W'cb sile: hUp:J/www.igi-global.com
`
`Co1>yrighl Q 2014 by IGI G lobal. A LI righu reserved. No pal'l of this public.-ition may be re1>rod uced. stored or dis1ributed in
`ony fom1 or by a ny means. electronic or mt.-chunicol. indur.Jing pholll(.-01,ying. without w riucn 1,cn nissinn from the publisher.
`Produc t or compa ny names used in this sci m-e for idcn1ifica1ion purposc.s only. Inclusion o f !he names of lhe pmd ucL,; or
`compMies does not indicate a claim of ownership by Yushi Shen. Y~le Li. Ling Wu. S haofeng L iu. Qian Wen. a nd IG I
`Global of the trademark o r rcgi.,;tert.'U trudcmart.
`
`Ubra1·y of Congress Cataloging-in-Publi~atio n Data.
`
`Sheo. Yushi. 1978-
`Enabling lhe new ern o f cloud compuling : d:1tn secur-i1y. trnni-fer, a nd monogcment / by Vushi S he n, Yale Li. Ling Wu,
`S hsofeng Liu. ond Qian Wen.
`pages cm
`Jn,::lude~ hibliographic.i l n:fcrem.:es and index.
`Summary: ••''nlis book disc usses cloud computing as an e merging lechnology and its critic.:i.l ro le in lhe tr industcy upgrade
`ond economic de\'elOpme nt in lhe future" - Pro\'ided by publi~her.
`ISBN 978-1-4666-4801 •2 (hor<ico,•cr) •• ISBN 978-J.M!i6-4802-9 (cl:>ook) •• ISBN 978- 1-4666-4803-6 (print & perpe tual
`access) 1. Cloud computing. I. Title.
`
`QA 76.585.$5420 14
`004.67'82--<lc23
`
`20JJ 027879
`
`This book is published in the lGI G lobal book series Advances in Systems Analysis. Software Engineering. and liigh Perfor(cid:173)
`ma~cc Computing (ASASEHPC) (ISSN: 2327-3453; cTSSN: 2327-346 1)
`
`Bcitish Cataloguing in Publication Data
`A Cata loguing in Publication record for this book is availa ble fn'>m the Briti~h Library.
`
`All work contributed to this book ii new. pn:.\tiOusly-unpubli:":>hed mutcriul. The views e~pn:s:-.ed in lh i~ book ure those o f the
`:iuthors, bul not oeces.s~rily of' the publisher.
`
`f o r e lei:tronic acce.,s to this publicu1iun. IJlease c (mt::ii:t: eresuun.:e~@igi-ilubul..:om.
`
`
`
`
`
`Petitioner Mercedes Ex-1028, 0002
`
`
`
`Cloud Jnfrasfructure
`
`machine, that even if the physical machine that runs
`multiple virtual machines has failed all t0gether,
`the vir111al machines can be failed over to other
`physic-a] machines immediately. ( EMC1Cotpora(cid:173)
`tion, Cloud computing fJundations)
`
`Hypervi sor
`
`The hypervisor is a software lhat does server vir(cid:173)
`tualization. It enables multiple operating systems
`tO run concurrently on a physical hos1 computer,
`and to interact directly with the physical resources
`of tbe host computer. Hypervisor provides the at(cid:173)
`Lributcs forthe physical server that lies underneath
`the virtualizctl machjncs,running cliflcrcnt opcrat ..
`ing systems. Hypcrvisor js the primary component
`of vinunlizatioo that enables computer system to
`partition hardware resources, such as CPU and
`memory, iJllo virlualizcd resources.
`Hypervisor has two components: the kernel
`and the ,rirtual machir~ manager. "f'hc kernel
`works as 1hc operating system, handli ng such
`tasks as process creation. file system management.
`
`resources scheduling. TO stack etc. The virtual
`machine monitor(VMM). which resides below the
`operating system layer. is responsible for handling
`and sending lhe vinual machines' requests, aJso
`executing commands. \.Vhen a virtual machine is
`created. resources such CPU, memory and 1/0
`devices are assigned to the virtual machine. To
`cxccu1c. proce!!iSCS, these resources need to be man ..
`aged according to a time schedule on the physical
`machine. The VMM handles these requests and
`communi<:alion~ from the virtual level down to
`the physical level. The VMM's job also includes
`allocating and managing the system proeessor,
`memory, lO devices and other hardware resources
`1 hatcorrc-spond to each individual virtual machine.
`\Vbcn a virtual machine starts running. lhecoutrols
`are u·ansfencd to the VMM.
`There arc chiefly two kinds ur H ypcrvisor: the
`bare-metal hypcrvisor and the hosted hypervisor.
`
`•
`
`Fo,· the bare-Metal hypervisor, the hyper(cid:173)
`visor runs directly on the hardware. The
`Hypervisor itself functions as an operat-
`
`Figure J. Bare-Metal Hypervisor
`(£MCl Corpom1im1 . Virwal:zed dala center a,rd doud /11/rtwrut·ture)
`
`CPU
`
`NICCard
`
`M emory
`
`Hard Disk
`
`
`
`54
`
`
`
`
`
`
`Petitioner Mercedes Ex-1028, 0003
`
`
`
`Cloud Infrastructure
`
`ing system, resides on ring0 processor, and
`executes commands against the hardware.
`This 1ype of hypervisor requires ceni fied
`hardware, so 1ha1 appropriate d1·i vers aJ'e
`avaHable to communicate w ith the hard(cid:173)
`ware. Since the- bare meta.l hypervisor is
`directly installed on the X86 based hard(cid:173)
`ware, iL could accc~s the hardware resourc(cid:173)
`es more efficienlly, and is scalable. When
`databases or ERP applica1ions are being
`cleployc<l in a production environment, the
`bare-metal hypcrvisor is most likely to be
`used, because ii has much less overhead,
`and more hardware J'C$Ourccs can be deli(cid:173)
`cate to the applica1 ion that runs o n the vir(cid:173)
`tual machine. T he bare-me1al bypervisor
`is the most predominant hypervisor, being
`used i n the •,inualizcd d ata centers. It is also
`I he d in:cl ion of the cloud virtuaJ.iz.atjon.
`The hosted hypervisor is a hypervisor 1ha1
`l'uns inside the operating system. h is in(cid:173)
`stalled and run as an application on top of
`an operating system. Since it is running on
`top of an operating system. it supports a
`broader rarge of hardware configurations.
`One may have the Windows OS or Linux
`installed on1he hos1 machine, 1hen YMwaJ'e
`woJ'ks1n1ion or Microsoti Hyper-V can be
`installed and run as an application within
`the operating system environment. Instead
`of the hypervisor being al 1he operating
`system level, it is another application, and
`other applications can be running within
`1he hypervisor application.
`
`•
`
`The hosted hypervisor focuses on thedevelop(cid:173)
`men1 process. For a developer using a windows OS
`machine, but needs to have the Linux environment
`to develop an applicatio n, Linux can he installed
`in 1he virtual ma:hine and development done on
`the same laptop, while o ther appl icaiions continue
`10 run i n the \Vindows enviro nment.
`
`Types of Computer Virtualization
`
`The X86 CPU architecture offers four levels of
`privilege known as ri ng0, 1, 2 and 3. In the tradi(cid:173)
`tional X86 architecture, operating system kernels
`expect direct CPU access running. in Ring 0, which
`is the most privileged level. With virlualization,
`the virtual machjnc monilor can sil on Ring O.
`and 1he guest operating systems sit on lop of the
`YMM.so tha11he YMMcan interact wi1hphysical
`rc:sourccs a.n<l the g uest opcnui ng sy~tcms.
`In Brict virtualization acts as an operatfog
`system. The operating system sits on 1he hig hest
`CPU level, which is ring0. Applications typic.ally
`do not inlcracl w ilh harclwarcclircctly; they usually
`interact with the operating system for recourse
`and command excculions. The user applications
`typically run in ring 3 with less privilege. So the
`challenge for vinualizalion is lhal the hypervisor
`needs to control the lower levels of privilege. The
`virtualization technique enables the hypcrvisor to
`sit o n the lowest level of the processor, in o rder
`to interact with the physical hardware. and mask
`the operating system from having to sec itsel f.
`In full virtuali zation, the VMM sits below the
`operating system in Ring 0, emulates 1he under(cid:173)
`lying physical resources, and presents 1hem to
`the guest operating system. The guest operating
`system is expected 10 sil in ring 0, the virtualiza-
`1ion 1echn.ique makes it l)elieYe 1ha1 ii is actually
`sining in 1he hig her ring wilh less privileges to
`the processor architecture. The guest operati ng
`system on the virtual machine is unmvare that it
`is being vim,alized. The host 01x,rating system
`might th ink that it is s itting on the lowest. Ring 0
`level of the processor architecture. but in reality
`i1 is actually sitling on the 1op of the hypervisor.
`The hypervisor can complctcl y decouple !he guest
`operating system from the underlying hardware.
`All lhecommands are executed a1 1he hypervi(cid:173)
`sor level. The kernel is doing the inLeraction with
`the physical haJ'd warc, wh ile 1he VMM is passing
`
`
`
`
`55
`
`
`
`Petitioner Mercedes Ex-1028, 0004
`
`
`
`Cloud Infrastructure
`
`Fisure 2. Hos1ed Hypervisor
`(£MC1 Curpo,vai<m • Virwulit,e,I duta ce111<:r will doull infrt1s1roct.tre)
`
`APP
`
`CPU
`
`NICCard
`
`Memory
`
`Hard Disk
`
`the guest operating syslcm, doing the bi nary trans(cid:173)
`lation of the commands 1hrough hypcrvisordow n
`co the physical hardware that Lies underneath. All
`the commands. such as hand)j ng, time.- controls,
`I Os, arc cxccu1cd ai the hypcrvisor level. and the
`virtual machine is communicating through the
`vinual machine manager.
`Inf ull virtualizmion, if the console is opened up
`before powering up the virtualmach.ine, the virtual
`nrncbine BIOS setting is to come up. VMware
`ESX. ESXJ and M.icrosort Hyper-V that runs in
`the server core e nvironme nt arc ~om e cx.aJ11 plc$.
`Please be aware that the M.icrosoft Hyper-V can
`be run as an application withi n the windows
`environment. In a special \Vindows Server Core
`installation. which installs the m os1 basic com(cid:173)
`ponents, the Hyper-V server role can be installed,
`which distinguishes 1he operating system to be a
`
`nd layers 1hc hypervisor
`viriual machine itsel f, a
`underneath it. This installation makes \Vindows
`llyper-V similar to the infrastruc1ure layer as ESX
`in VMware. VMware and Microsoft are market
`leaders in lhc full vinualization technologies.
`Para-virtualization is also called the OS as(cid:173)
`~isted virtualization. In Para-virtualization, the
`operating system is aware of i1sclf being vinual(cid:173)
`izcd. The guest operating system sits in Ring 0
`with the Hypervisor beneat h it. Rather than the
`bypervisor sitling on 1hat level and doing all 1he
`lra n.:ila tion fo r the virtua l m achine m o njtor, the
`Para-virtualization guest operating system s its
`tl1ere and internet directly with the hypervisor.
`Para-virtual izatio n p rod uct examples arc the open
`~ource Xen hypervisor and VMware Linux.
`Hardware assisted virtuaJiwrjon introduces
`.-inualiz.ation in the X86 processor architcclurc,
`
`56
`
`
`
`Petitioner Mercedes Ex-1028, 0005
`
`
`
`Cloud Infrastructure
`
`and uses hypervisor-aware CPU LO provide as(cid:173)
`sistance to the hypervisor. With hardware as(cid:173)
`sisted virtualization, the operating system could
`directly access the physical resources. It allows
`a fully virtual operating system to run in Ring 0,
`which gives the operating system direct access
`to the system resources without the control from
`Lhc Virtual Machine Monitor. Ln 2006, Inte l and
`AMO have released the first generation hardware
`assisted features. and have announced future de(cid:173)
`velopment roadmaps, which include, hardware
`support for memory virtualization, as well as for
`1/0 devices. The Intel Virtualization Technology
`(VT) and A MD virtualization (AMO V) both target
`privileged instruction:,; wilh a new CPU cxccu~
`lion mode foatrure, allowing the Virtual Machine
`Monitol' to run in a new root mode below ring
`O. They arc building the chip set that increases
`CPU overhead, and allows the virtualization of
`the X86 instruction sets, while decreasing the
`hypcrvisorovc rhcad. (EMC' Corporation -Cloud
`infrastruclurc and services.)
`The graph below describes the Ring level for
`all three types of vinualizations:
`
`Virtual Machine
`
`Virtual Machine Files
`
`A virtual machine is made of a set of files thm
`reside in the u,nderlying hypervisor file syste m.
`A virtual machine could he looked at from two
`differenl perspectives. From the user's perspecti ve,
`a virtual machUne is a generic set of hardware that
`runs an operating system and user applications.
`Like a physical machine, it has the same component
`as the physical machine, such as the CPU, memory,
`hard disk, network interface cards and other 10
`devices . From a hypervisor r,erspective. which
`manages and rruns a virtual machine, a virtual
`machine is a set of files Lhal include con Figuration
`fi les, virtual di sk fi le.,, virtual BIOS files, virtual
`machine swap fi le and a log file.
`
`The virtual machine conligurmion lilc stores
`the details of virtual machine configuration
`informalion. such as the virtual machine name,
`guest operating system, the numl>er and types of
`virtual disks, the number of CPUs and the size
`of memory. the type of network adaptors and the
`associated MAC addresses, SCSI controller types
`and disk types.
`The virtual disk file stores the contents in the
`disk drive l>elongiug the virtual machine, and
`siLs on 1hc hypcrvisor file ~ystcm . To the virtual
`machine, the virtual disk file appears and works
`as a physical disk drive. A virtual machine could
`have multiple virtual disk Jilcs,cad-1 representi ng
`a single dh;k.
`Virtual BIOS files store the virtual machine's
`BIOS information. The virtual ma,,hine swap file
`is the pagi ng file for the virtual machine, which
`backs up the virtual machine's RAM contents.
`T his file is present only when the virtual machine
`is running. lf we have allocated certain amount
`of memory and reserved the memory, the swap
`file is to show tltis difference.
`The log fiJe recot'ds virtual machine activities,
`such as Lhc time the virtual machine got sLartcd,
`i1s activities and etc. It helps in troubleshooling,
`when there is an application fai lure o r some server
`problems.
`
`File Systems in the Virtual Environment
`
`The hypervisor ha."- a file system. The virtual ma•
`chi ne file system (VMFS)isaclustered file syste m
`that stores virtual machine fi les. Clus ler SANS,
`internal direct attached storage, and external
`storage are presented to the hyperv isor as vinual
`disks. formatted and attached to the server. The
`virtual disks arc stored as files on a V M FS. VM FS
`allows multiple virtual machi nes to cc)ncurrently
`read and write data from the same storage device.
`T he virtual machine file system is deployed on
`the FC and iSCS I storage, apart fro m loc al stor(cid:173)
`ages. Because we have the underlining cluster
`
`57
`
`
`
`Petitioner Mercedes Ex-1028, 0006
`
`