OS Security IV: Virtualization and Trusted Computing

Size: px

Start display at page:

Download "OS Security IV: Virtualization and Trusted Computing"

Kathleen Bailey
5 years ago
Views:

1 1 OS Security IV: Virtualization and Trusted Computing Chengyu Song Slides modified from Dawn Song

2 2 Administrivia Lab2 More questions?

3 3 Virtual machine monitor Process Virtual Memory File System Operating System Virtual Machine Monitor Processor Memory Disk

4 4 What is a VMM? A VMM virtualizes an entire physical machine Interface supported is the hardware VMM offers illusion that OS has full control over the hardware VMM "applications" (OS) run in virtual machines

5 5 Motivations (1) Resource utilization Machines today are powerful, want to multiplex their hardware e.g., Cloud service can divvy up a physical machine to customers Can migrate VMs from one machine to another without shutdown

6 6 Motivations (2) Software use and development Can run multiple OS simultaneously No need to dual boot Can do system (e.g., OS) development at user-level Xv6/Qemu!

7 7 Motivations (3) Security OS can be buggy too, want stronger isolation Why VM is good for isolation? Fast recovery

8 8 VMM-based IDS Idea: run IDS as part of VMM (protected from malware)

9 9 Detecting kernel rootkit Rootkit: hides the existence of malware Creates processes that are invisible to ps Opens sockets that are invisible to netstat Detecting lies VMM requests Guest OS to list processes VMM list processes running in Guest OS How? If the two lists differ, then there must be a rootkit

10 10 Virtual machine introspection Tal Garfinkel, A Virtual Machine Introspection Based Architecture for Intrusion Detection, NDSS 2003 Reconstruct OS-level semantics from raw hardware data How? Memory forensics Signature-based Traversal-based

11 11 Detecting compromise via periodical scans Code integrity checks VMM computes hash of OS and application code Compare to a whitelist of hashes Data integrity checks Checks the content of critical OS data structures E.g., syscall dispatch table, interrupt dispatch table, etc. Malware Scans memory for known malware signatures

12 12 VMM-based reference monitor Problem of periodical scans Cannot/hard to detect temporary attacks Solution: VMM-based RM 1. Identify critical kernel data structures 2. Protect them (e.g., via VMM-enforced read-only protection) 3. Mediate all modifications via VMM Example: Samsung Knox

13 13 VMM-based malware Hide malware with a malicious VMM Invisible to anti-virus software running inside the VM

14 14 Arm-race Higher privileged code can attack and hide from lower privileged code Ring 3: user mode Ring 0: kernel mode Ring -1: VMM Ring -2: system manage mode (SMM) Ring -3: management engine (ME)

15 15 Review OS security: how to confine malicious/vulnerable programs Principles Compartmentation: isolation + least privilege Defense in depth Keep thing simple Mechanisms Reference monitors

16 16 Trusted computing From another perspective: what if I want to run my code on a platform where I don't fully trust the owner? Public cloud PC: digital right management (DRM) Mobile: bring-your-own-device (BYOD) Trusted computing: establish certain degrees of trust

17 17 Root of trust A piece of hardware/software that is Privileged enough for performing measurement Capable of protecting itself E.g., a standalone chip Cryptographical provable identity E.g., embedded private keys

18 18 Measurement A proof for the integrity of system state A chain of hashes Example: measured boot Record the hash of the BIOS Record the hash of the bootloader Record the hash of the hypervisor/os kernel How to record? new_hash = hash(old_hash new measurement)

19 19 Attestation A signed proof for the integrity measurement Measurement results A nonce to mitigate replay attack Additional information from the software Signed by a private key of the root of trust

20 20 Other operations Secure key generation and storage Seal: bind key to a measurement E.g., only decrypt the disk image if the measurement of the OS is expected

21 21 Problems of integrity measurement Hidden assumption1: one must verify and trust the code Hidden assumption2: trust the binary Load-time integrity!= run-time integrity Why? Vulnerabilities!!

22 22 Applications Many!

23 23 For next class... Crypto I: Symmetric Key

Dawn Song

1 Virtual Machines & Security Dawn Song dawnsong@cs.berkeley.edu Virtual Machines VM: Execution environment that gives the illusion of a real machine VMM/Hypervisor: host software which provides this capability