IBM Cloud Patching System Highlights Virtualization Research
IBM's research division is working on several virtualization projects that could boost security of cloud computing networks, reduce data center power costs, and improve the ability to run multiple hypervisors and operating systems, including Linux and Windows.
IBM and North Carolina State University this week announced a new "cloud computing patch tool" that updates virtual machines even when they are offline, boosting the efficiency of applying security updates to cloud networks. The tool is four times faster than current patch application systems, the organizations said.
"Current patching systems are designed for computers that are online and they don't work for dormant computers or virtual machines," Peng Ning, professor of computer science at N.C. State, said in a press release. "The tool we developed automatically analyzes the 'script' that dictates how a security patch is installed, and then automatically re-writes the script to make it compatible with an offline system."
Ning and colleagues from N.C. State and IBM describe the research in a paper titled "Always Up-to-date: Scalable Offline Patching of VM Images in a Compute Cloud," which will be presented at next week's Annual Computer Security Applications Conference in Austin, Texas.
The paper was first published in March, and IBM and N.C. State have tested the system on IBM's Research Compute Cloud, which provides services to IBM researchers.
Because many of the virtual machines in cloud networks are used infrequently, patches are not always applied in a timely manner, IBM said. "This leaves the VMs vulnerable to cyber-attacks when they are brought back online. The VMs are particularly vulnerable if they have been left dormant for months, and missed significant patches," IBM said.
The cloud patching system is just one of several virtualization research projects underway at IBM, which first started using virtualization on its own mainframe systems decades ago.
An IBM research paper published last month titled "VMFlow: Leveraging VM Mobility to Reduce Network Power Costs in Data Centers," describes a framework for placing and moving virtual machines "that takes into account both the network topology as well as network traffic demands," in a bid to reduce power use.
"Our simulation uses real data center traces and the results demonstrate that, by applying an intelligent VM placement heuristic, VMFlow can achieve 15% to 20% additional savings in network power while satisfying 50% to 60% more network demands as compared to recently proposed techniques for saving network power," IBM researchers wrote.
In still another research project, dubbed "Turtles," IBM has proposed a nested virtualization system for Intel-based x86 systems.
The Turtles project puts nested virtualization into the KVM hypervisor, which is part of Linux, allowing flexibility to run multiple hypervisors and operating systems.
"The Turtles project … runs multiple unmodified hypervisors (e.g., KVM and VMware) and operating systems (e.g., Linux and Windows)," IBM researchers state. "Despite the lack of architectural support for nested virtualization in the x86 architecture, it can achieve performance that is within 6% to 8% of single-level (non-nested) virtualization for common workloads."
Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin
Read more about data center in Network World's Data Center section.