There has been intensive work on giving clients of cloud platforms the freedom to deploy administrative services. However, while existing approaches allow clients to use a particular service (e.g., network middleboxes or memory introspection), they do not support all the services clients might need. Client demands vary, so clients should be given the flexibility to enable any services they wish to have.
In this paper, we propose a new model for cloud platforms in which we provide the necessary primitive services that allow clients to deploy their administrative services. Those services are implemented within virtual machines (VMs) by third-party developers and are distributed through app stores. Clients can download the VMs and then compose various policies to serve their needs. They can also compose VMs to form a bundled VM that provides richer services. We have implemented a prototype system by modifying the KVM hypervisor. We validate it by building and evaluating several services, such as network intrusion detection (NIDS) and rootkit detection.