Bart Miller – October 22nd, 2012. TCB & Threat Model, Xen Platform, Xoar Architecture Overview ...
Xoar
Bart Miller – October 22nd, 2012

Outline
TCB & Threat Model
Xen Platform
Xoar Architecture Overview
Xoar Components
Design Goals
Results
▪ Security
▪ Vulnerability Mitigation
▪ Performance
TCB
Trusted Computing Base is defined as “the totality of protection mechanisms within a computer system – including hardware, firmware, and software – the combination of which is responsible for enforcing a security policy.”
Xen, by virtue of privilege, is part of the TCB
TCB
In Xen, all components operate under a single monolithic trust domain
Compromise of any one component yields two benefits to the attacker:
▪ Gain the privilege level of that component
▪ Access its interfaces to the other components
TCB
Threat Model
Assumption #1: Administrators are not a concern
▪ Business imperative (the platform operator is trusted)
Assumption #2: Malicious guest VMs
▪ Aim to violate data integrity or confidentiality
▪ Do so by exploiting code in the platform
Assumption #3: The control VM will contain bugs
Xen Platform – A brief revisit
Device drivers
▪ Virtualized, passed-through, or emulated
XenStore
▪ Hierarchical key-value store
▪ System-wide registry
▪ Most critical component
  ▪ Vulnerable to DoS attacks
  ▪ Performs most administrative operations
Xen Platform
Toolstack
▪ Administrative functions
▪ Create, destroy, and manage resources and privilege for guest VMs
System Boot
▪ Starts the Dom0 process, initializes hardware
Xoar Architecture Overview
Xoar Components
Design Goals
Reduce privilege
▪ Each component should only have the privileges essential to its purpose
▪ Each component should only expose interfaces when necessary
Design Goals
Reduce sharing
▪ Sharing of components should be avoided wherever it is reasonable
▪ Any sharing of components must be explicit
▪ Explicit sharing allows for logging and auditing in the event of a compromise
Design Goals
Reduce staleness
▪ A component should only run for as long as it needs to perform its task
▪ It should be restored to a known, good state as frequently as practicable
Results – Security
Reduced TCB
▪ Bootstrapper, PCIBack, and Builder are the most privileged components
▪ Bootstrapper and PCIBack are destroyed once initialization is complete
▪ TCB reduced
  ▪ Linux (control VM): 7.6M LoC
  ▪ Builder: 13.5k LoC
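The two TCB slides above (compromising a component yields its privilege level plus access to its interfaces) and the Reduced TCB result (Bootstrapper and PCIBack destroyed after initialization) can be checked with a small reachability model. The Python below is an added example, not code from the talk or from the Xoar project; the component list, interface edges and the "one trust domain per component" assignment are constructed assumptions for illustration.

```python
from typing import Dict, FrozenSet, Set, Tuple

# Constructed component set and interface edges for illustration only;
# the real Xoar interface graph is richer than this.
COMPONENTS = ["Bootstrapper", "PCIBack", "Builder", "Toolstack", "XenStore",
              "NetDriver", "BlockDriver", "DeviceEmulator"]
# caller -> components whose interfaces the caller may drive (assumed)
INTERFACES: Dict[str, Set[str]] = {
    "Bootstrapper": {"PCIBack", "Builder"},
    "Toolstack": {"Builder", "XenStore"},
    "Builder": {"XenStore"},
    "NetDriver": {"XenStore"},
    "BlockDriver": {"XenStore"},
    "DeviceEmulator": {"XenStore"},
    "PCIBack": set(),
    "XenStore": set(),
}
# Xen: every component lives in one monolithic Dom0 trust domain.
XEN_DOMAINS = {c: "dom0" for c in COMPONENTS}
# Xoar: each component is its own trust domain (its own service VM).
XOAR_DOMAINS = {c: c for c in COMPONENTS}
# Xoar tears these down once the platform has initialized.
DESTROYED_AFTER_BOOT = frozenset({"Bootstrapper", "PCIBack"})


def compromise(start: str, domains: Dict[str, str],
               destroyed: FrozenSet[str] = frozenset()) -> Tuple[Set[str], Set[str]]:
    """Return (privileged, exposed) after `start` is compromised.
    privileged: components whose privilege level the attacker now holds,
                i.e. everything in the same trust domain as `start`.
    exposed:    components not yet owned whose interfaces the attacker can
                now drive, i.e. the newly reachable attack surface.
    Components in `destroyed` no longer exist and cannot be reached."""
    live = {c for c in domains if c not in destroyed}
    if start not in live:
        return set(), set()
    privileged = {c for c in live if domains[c] == domains[start]}
    exposed: Set[str] = set()
    for c in privileged:
        exposed |= INTERFACES.get(c, set()) & live
    return privileged, exposed - privileged


if __name__ == "__main__":
    for label, doms, gone in (("Xen Dom0", XEN_DOMAINS, frozenset()),
                              ("Xoar", XOAR_DOMAINS, DESTROYED_AFTER_BOOT)):
        priv, exp = compromise("NetDriver", doms, gone)
        print(f"{label}: privileged={sorted(priv)} exposed={sorted(exp)}")
```

Under the monolithic domain a driver compromise already holds every component's privilege; under Xoar it holds only its own and gains exactly one declared interface.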
Results – Vulnerability Mitigation
Solved through isolation
▪ Device emulation
▪ Virtualized drivers
▪ XenStore (re-written)
Hypervisor vulnerabilities remain
Results – Performance
Test system
▪ Ca. 2011 server: quad-core Xeon, 4 GB RAM
▪ All virtualization features enabled
Memory overhead
▪ 512 MB – 896 MB in Xoar vs. 750 MB in XenServer
Theoretical Benchmarks
“Real-world” Benchmarks
Questions
Any questions?