Post on 25-Feb-2016
Secure Virtual Machine Execution Under an Untrusted Management OS
Chunxiao Li, Anand Raghunathan, Niraj K. Jha
Outline
- Background: Security & Virtualization
- Security challenges in virtualization-based architecture
- A secure virtual machine execution environment
- Implementation & results
- Security analysis
- Conclusion
The goal of computer security
- Computer security: a branch of information security applied to computers
- Three objectives of information security: Confidentiality, Integrity, Availability
  - Confidentiality: Authentication, Authorization, Access control, Encryption/Decryption
  - Integrity: Data validation, One-way hash, Digital signature
  - Availability: Defending against DoS, Backup/restore, Load balancing
What is virtualization?
- Virtualization: Technology for creating a software-controlled environment to allow program execution in it [1]
[1] http://www.ok-labs.com/virtualization-and-security/what-is-virtualization
[2] Barham et al., “Xen and the art of virtualization,” SOSP 2003
Relationship between virtualization and security
- On the one hand, virtualization can be utilized to enhance security
  - Secure logging (Chen et al., 2001)
  - Terra architecture (Garfinkel et al., 2003)
- On the other hand, virtualization also gives rise to several security concerns
  - Scaling, transience, software lifecycle, diversity, mobility, identity and data lifetime [1]
  - Virtual machine-based rootkits (VMBR) [2]
[1] Garfinkel et al., “When virtual is harder than real,” HotOS 2005
[2] King et al., “SubVirt: Implementing malware with virtual machines,” IEEE S&P 2006
Security challenges in virtualization-based architecture
- Our work tries to solve one of the fundamental security concerns in virtualization: the trusted computing base of a VM is too large
A security challenge of virtualization-based architecture
- Trusted computing base (TCB): a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security [1]
- Smaller TCB, more security
[Diagram: components A, B and C, with the TCB marked among them]
[1] Lampson et al., “Authentication in distributed systems: Theory and practice,” ACM TOCS 1992
A security challenge of virtualization-based architecture (Contd.)
- Security challenge: the TCB for a VM is too large
[Diagram: the smaller TCB one would want for a VM versus the actual TCB]
Xen architecture and the threat model
- Management VM: Dom0; Guest VM: DomU
- Dom0 may be malicious: vulnerabilities, device drivers, careless/malicious administration
- Dom0 is in the TCB of DomU because it can access the memory of DomU, which may cause information leakage/modification
Towards a secure execution environment for DomU
- Scenario: a client uses the service of a cloud computing company to build a remote VM
- A secure network interface
- A secure secondary storage
- A secure run-time environment
- Build, save, restore, destroy
Towards a secure execution environment for DomU (Contd.)
- A secure run-time environment is the most fundamental
- The first two already have solutions: network interface: Transport Layer Security (TLS); secondary storage: Network File System (NFS)
- The security mechanisms of the first two rely on a secure run-time environment
- All the cryptographic algorithms and security protocols reside in the run-time environment
Domain building
[Diagram: building process]
Domain save/restore

Domain save/restore (Contd.)
[Diagram: Dom0 saves the DomU memory pages (Page1 to Page5) to storage through the Xen layer]

Domain save/restore (Contd.)
[Diagram: the protected save path. Each DomU page that passes through the Xen layer to storage is accompanied by a hash (Page1 Hash, Page3 Hash), and page contents no longer appear in the clear once they leave the Xen layer]
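As an added illustration, not code from the slides or from the authors' Xen modification, the following Python sketch models the protected save/restore path: the Xen layer alone holds the key, encrypts and tags each DomU page before Dom0 writes it to storage, and on restore rejects any page Dom0 has altered, moved to another slot, or produced under a different key. The HMAC-based keystream stands in for a real cipher, and the page format and label are assumptions.

```python
import hmac
import hashlib

PAGE_SIZE = 4096
LABEL = b"securevm-page-v1"  # constructed domain-separation label, not from the paper


def _keystream(key: bytes, page_no: int, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF. This stands in for a
    real cipher so the example runs on the standard library alone."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_id = LABEL + page_no.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out += hmac.new(key, block_id, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, page_no: int, ciphertext: bytes) -> bytes:
    # The page number is bound into the tag, so a page that Dom0 moves to a
    # different slot fails verification just like a page it has edited.
    return hmac.new(key, page_no.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


def save_page(key: bytes, page_no: int, plaintext: bytes) -> tuple:
    """Xen-layer side of 'save': Dom0 only ever receives ciphertext plus a tag."""
    ks = _keystream(key, page_no, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ciphertext, _tag(key, page_no, ciphertext)


def restore_page(key: bytes, page_no: int, ciphertext: bytes, tag: bytes) -> bytes:
    """Xen-layer side of 'restore': verify first, decrypt only if the tag matches."""
    if not hmac.compare_digest(_tag(key, page_no, ciphertext), tag):
        raise ValueError(f"integrity check failed for page {page_no}")
    ks = _keystream(key, page_no, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def save_domain(key: bytes, pages: list) -> list:
    """Protect every page of a DomU image; the result is what Dom0 writes to storage."""
    return [save_page(key, i, page) for i, page in enumerate(pages)]


def restore_domain(key: bytes, saved: list) -> list:
    """Rebuild DomU memory from storage, refusing the whole image on any bad page."""
    return [restore_page(key, i, ct, tag) for i, (ct, tag) in enumerate(saved)]
```

Availability is deliberately out of scope here, matching the slides: Dom0 can still refuse to run the restore at all, and nothing in this check prevents that.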
Implementation & results
- Modification of the Xen system only affects domain build, save and restore
- Normal work in DomU has little performance degradation
Security analysis
- A malicious Dom0 in the original Xen system may:
  - Access any memory page of DomU and read its content
  - Access any memory page of DomU and change its content
  - Randomly start and shut down the domain, and thus control the availability of all VMs
- We successfully solved the first two security concerns, with a small execution time overhead
Conclusion
- Virtualization technology can both benefit and undermine computer security in different ways
- One of the fundamental security concerns of virtualization-based architecture is that the TCB of a VM is too large
- A protection mechanism in the Xen virtualization system is proposed, which successfully excludes the management domain from the TCB with small execution time overhead
Thank you!