Virtualization and Security


Virtualization and Security
Steve Riley, Senior Security Strategist, Microsoft Trustworthy Computing
steve.riley@microsoft.com
http://blogs.technet.com/steriley

2 New!

Evolution (slide 3)

Usage scenarios
1. One OS, one app, one human using hardware resources
2. One OS, multiple apps, one human sharing hardware resources
3. One OS, multiple apps, multiple humans sharing hardware resources
4. Multiple OSes, multiple apps, multiple humans sharing hardware resources

Trust boundaries
1. None
2. Applications
3. Users
4. Operating systems

Enforcing trust boundaries (slide 4)
- Emulation
- Controlled access to a privileged state
- Single OS: attacker can access hardware
- Multiple OSes: must keep attacker away from hardware
- This is one function of the virtual machine monitor

5 Virtualization Review

Hosted virtualization (slide 6)
[Diagram; labels: Application, Operating System, Hardware]

Virtual PC 2007/Server 2005 (slide 7)
[Architecture diagram; labels: Host; Guests; Provided by: Windows, Virtualization, ISV; Virtual Server WebApp; IIS; Virtual Server Service; Ring 3: User Mode; Guest Applications; Ring 1: Guest Kernel Mode; Provides resources; VM Additions; Windows (NT4, 2000, 2003); Windows Server 2003 or Windows XP; Kernel; Device Drivers; Ring 0: Kernel Mode; VMM Kernel; Same privilege level; Server Hardware]

Hypervisor virtualization: hardware (slide 8)
[Diagram; labels: Application, Operating System, Hypervisor, Hardware]

Hypervisor virtualization: services (slide 9)
[Diagram; labels: Application, Operating System, System Services, Kernel, Hypervisor, Hardware]

Hypervisor design options (slide 10)
[Diagram comparing two designs; labels: Monolithic; Microkernelized; VM 1 (Admin); VM 2; VM 3; VM 1 ("Parent"); Virtualization Stack; VM 2 ("Child"); VM 3 ("Child"); Drivers; Hypervisor; Hardware]
- Simpler
- Cheaper
- Use existing drivers

Windows Hyper-V virtualization (slide 11)
[Architecture diagram; labels: Root Partition; Child Partitions; Virtualization Stack; WMI Provider; VM Service; VM Worker Processes; Guest Applications; Ring 3: User Mode; Server Core; Windows Kernel; Device Drivers; Virtualization Service Providers (VSPs); Virtualization Service Clients (VSCs); Enlightenments; VMBus; OS Kernel; Ring 0: Kernel Mode; Ring -1; Windows hypervisor; Server Hardware; Provided by: Windows, Virtualization, ISV]
Callouts on the diagram:
- Manages guest partitions
- Handles intercepts
- Emulates devices
- (Most traditional hypervisor functions)
- Enforces partition as isolation boundary
- Most virtualization functions moved out
- No device drivers
- Well-defined interface for creating guest OSes

12 Virtualization For Security

Things I hope you will do (slide 13)
- Sandboxing
- High availability and disaster recovery
- Forensic analysis of virtualized attackers
- Honeypotting


17?

18 0day


21!

22 Here's a thought

23 Here's a controversial thought

24 Virtualization Security

Common VM security myths (slide 25)
- I only have to patch my host OS or kernel.
- If I protect my host machine, it will protect my VMs.
- .VHD files are secure by default.
- If I expose one virtual machine, I have to expose all virtual machines and the host.
- All virtual machines can see each other.

26 Before virtualization

27 After virtualization

Virtualization attacks (slide 28)
[Hyper-V architecture diagram marking Attackers; labels: Root Partition; Guest Partitions; Virtualization Stack; WMI Provider; VM Service; VM Worker Processes; Guest Applications; Ring 3: User Mode; Server Core; Windows Kernel; Device Drivers; Virtualization Service Providers (VSPs); Virtualization Service Clients (VSCs); VMBus; OS Kernel; Enlightenments; Ring 0: Kernel Mode; Windows hypervisor; Server Hardware; Provided by: Windows, Virtualization, ISV]

Security assumptions (slide 29)

Root
- Trusted by guests
- Trusted by hypervisor
- All modes, all rings, all segments?

Guests
- Don't trust each other
- Trust root
- All modes, all rings, all segments
- 1.04 Hypercalls: documented, available, attempted

Hypervisor
- Trusts root

Security goals and fortifications (slide 30)
[Diagram; labels: Root, Guest, Guest, Guest, Hypervisor]

Security non-goals (slide 31)
[Diagram; labels: Root, Guest, Guest, Guest, Hypervisor]

Hypervisor security (slide 32)
- Stack canaries (/GX)
- NoExecute (NX)
- Code pages marked read-only
- Limited exception handling
- Digitally signed
- SDL
- Threat modeling
- Static analysis
- Fuzz testing
- Penetration testing

Hypervisor security (slide 33)

Memory protection
- Mapping of physical memory to partition memory
- Can supersede R/W/X guest page table access rights

I/O protection
- HV enforces parent policy for guest access to I/O
- v.1: guests have no access

HV interface
- Parent sets policy for guest access to hypercalls, instructions
- v.1: guests have no access to privileged instructions

Hypervisor security (slide 34)

Integrates with AzMan
- Department- and role-based administration
- Segregate who can manage groups of VMs
- Definable functions: start, stop, create, add hardware, change image
- None require server or domain admin

Shared resources are protected
- ISO disk images always read-only
- Write functions invoke copy (differencing disks)

Hyperjacking (slide 35)
Get a Nigerian mortgage for your body part!
[Diagram; labels: Root, Guest, Guest, Guest, Hypervisor, Hyper-jackor (shown twice)]

Should you worry? (slide 36)
- Malware must start from host or root
- Is there malware on my system?
- 100% certain: no malware that I can detect
- >100% certain: there is no malware at all
- So nothing new here, move along

37 Deployment Considerations

38?

System Center Virtual Machine Manager (slide 39)
[Diagram; labels: Root, Guest, Guest, Guest, ManageNet, Hypervisor]


Patching a virtual machine (slide 41)
1. Use snapshot or backup features to create working copy of operating system
2. Start copy in an isolated test environment
3. Test patches and updates
4. Create snapshot of live system
5. Apply patches and updates to live system
6. Use snapshot for disaster recovery in case of failure
7. Update backup image
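
The patching procedure above, written out with the Hyper-V PowerShell module as an added example (it is not part of the original deck). The function name, VM names, paths, switch name and the two caller-supplied script blocks are assumptions, and the `.vmcx` filter assumes a Windows Server 2016 or later host.

```powershell
# Added example: rehearse patches on an isolated copy, then patch the live VM
# behind a checkpoint. Requires the Hyper-V PowerShell module on the host.
# All names and paths are hypothetical.
function Invoke-VmPatchRehearsal {
    param(
        [Parameter(Mandatory)] [string]      $VMName,       # live VM
        [Parameter(Mandatory)] [string]      $WorkRoot,     # scratch folder on the host
        [Parameter(Mandatory)] [scriptblock] $ApplyPatches, # caller's patch step; receives a VM name
        [Parameter(Mandatory)] [scriptblock] $TestHealth    # returns $true when the VM is healthy
    )
    $ErrorActionPreference = 'Stop'
    $testName   = "$VMName-patchtest"
    $testSwitch = 'PatchTest-Private'

    # 1. Working copy of the operating system (export, then import as a new VM).
    Export-VM -Name $VMName -Path $WorkRoot
    $config = Get-ChildItem -Path (Join-Path $WorkRoot $VMName) -Recurse -Filter *.vmcx |
              Select-Object -First 1
    $copy = Import-VM -Path $config.FullName -Copy -GenerateNewId `
                -VirtualMachinePath (Join-Path $WorkRoot 'copy') `
                -VhdDestinationPath (Join-Path $WorkRoot 'copy\vhd')
    Rename-VM -VM $copy -NewName $testName

    # 2. Isolated test environment: a private switch has no path to the host
    #    or the physical network, so the clone cannot collide with production.
    if (-not (Get-VMSwitch -Name $testSwitch -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $testSwitch -SwitchType Private | Out-Null
    }
    Get-VMNetworkAdapter -VMName $testName | Connect-VMNetworkAdapter -SwitchName $testSwitch
    Start-VM -Name $testName

    # 3. Test patches and updates on the copy; stop here if the copy breaks.
    & $ApplyPatches $testName
    if (-not (& $TestHealth $testName)) { throw "Patches failed on $testName; live VM untouched." }

    # 4-5. Snapshot the live system, then patch it.
    $snap = "pre-patch-{0:yyyyMMdd-HHmm}" -f (Get-Date)
    Checkpoint-VM -Name $VMName -SnapshotName $snap
    & $ApplyPatches $VMName

    # 6. Roll back to the snapshot if the live system fails after patching.
    if (-not (& $TestHealth $VMName)) {
        Restore-VMSnapshot -VMName $VMName -Name $snap -Confirm:$false
        throw "Live VM $VMName rolled back to checkpoint $snap."
    }
    # 7. Update the backup image now that the patched system is verified.
    Export-VM -Name $VMName -Path (Join-Path $WorkRoot 'backup-patched')
}
```

Because the test copy is attached only to a private switch, `$ApplyPatches` has to deliver updates without network access to the clone, for example from media staged on the host.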

Keep trust levels similar = 42

Thanks very much! Steve Riley Senior Security Strategist Microsoft Trustworthy Computing steve.riley@microsoft.com http://blogs.technet.com/steriley 43

44 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.