CSE Computer Security

Similar documents
CSE543 - Computer and Network Security Module: Virtualization

CSE543 - Computer and Network Security Module: Virtualization

CSE543 - Computer and Network Security Module: Virtualization

Virtual Machine Security

Advanced Systems Security: Virtual Machine Systems

Advanced Systems Security: Virtual Machine Systems

Topics in Systems and Program Security

Virtualization. Virtualization

Virtualization. Pradipta De

Dawn Song

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Security for the Xen Hypervisor Status Quo & Perspective 2006

CSC 5930/9010 Cloud S & P: Virtualization

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Advanced Systems Security: Integrity

BUILDING A FRAMEWORK FOR INFORMATION FLOW AWARE WEB APPLICATIONS

Learning Outcomes. Extended OS. Observations Operating systems provide well defined interfaces. Virtual Machines. Interface Levels

Advanced Systems Security: Securing Commercial Systems

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

CSCI 8530 Advanced Operating Systems. Part 19 Virtualization

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Originally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Xen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016

The Evolution of Secure Operating Systems

Virtualization. Michael Tsai 2018/4/16

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Advanced Systems Security: Ordinary Operating Systems

Background. IBM sold expensive mainframes to large organizations. Monitor sits between one or more OSes and HW

Module 1: Virtualization. Types of Interfaces

CHAPTER 16 - VIRTUAL MACHINES

Access control models and policies

Access control models and policies

Using a Certified Hypervisor to Secure V2X communication

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Operating System Security

CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

CIS433/533 - Introduction to Computer and Network Security. Access Control

IBM Research Report. Building a MAC-based Security Architecture for the Xen Opensource Hypervisor

Distributed Systems COMP 212. Lecture 18 Othon Michail

Advanced Systems Security: Security Goals

Lecture 5: February 3

ReVirt: Enabling Intrusion Analysis through Virtual Machine Logging and Replay

Access control models and policies. Tuomas Aura T Information security technology

Towards High Assurance Networks of Virtual Machines

Advanced Systems Security: Principles

The Evolution of Secure Operating Systems

Cloud Computing Virtualization

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

System design issues

Virtualization (II) SPD Course 17/03/2010 Massimo Coppola

CS 550 Operating Systems Spring Introduction to Virtual Machines

Lecture 3 MOBILE PLATFORM SECURITY

Xen and the Art of Virtualization

Advanced Systems Security: Principles

Advanced Systems Security: Integrity

What is a VM? Categories of Virtual Machines. Process Virtual Machine 11/17/2010

CSE 544 Advanced Systems Security

24-vm.txt Mon Nov 21 22:13: Notes on Virtual Machines , Fall 2011 Carnegie Mellon University Randal E. Bryant.

IBM Research Report. shype: Secure Hypervisor Approach to Trusted Virtualized Systems

NON SCHOLAE, SED VITAE

Advanced Systems Security: Integrity

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Introduction to Computer Security

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Using a Separation Kernel to Protect against the Remote Exploitation of Unaltered Passenger Vehicles

Introduction to Virtualization

CSE 120 Principles of Operating Systems

Operating Systems 4/27/2015

CHAPTER 16 - VIRTUAL MACHINES

Trusted OS Design CS461/ECE422

Advanced Systems Security: Multics

CSCE 410/611: Virtualization!

Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay

I/O and virtualization

CS 350 Winter 2011 Current Topics: Virtual Machines + Solid State Drives

OPERATING SYSTEMS Chapter 13 Virtual Machines. CS3502 Spring 2017

CSE Computer Security

COS 318: Operating Systems. Virtual Machine Monitors

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Virtualization and Security

OS Security IV: Virtualization and Trusted Computing

A Survey on Virtualization Technologies

, Inc

Virtualization. Dr. Yingwu Zhu

Security Architecture

Protection Goals of Protection Principles of Protection principle of least privilege Domain Structure need to know principle

Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

Operating system hardening

Virtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018

Today: Protection. Protection

Virtual machine architecture and KVM analysis D 陳彥霖 B 郭宗倫

LIA. Large Installation Administration. Virtualization

CIS 5373 Systems Security

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

Lecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems

Inevitable Failure: The Flawed Trust Assumption in the Cloud

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Transcription:

CSE 543 - Computer Security Lecture 25 - Virtual machine security December 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1

Implementation and Results Experimental Platform Exact specification of platform Design may have more than implementation -- what did you implement? How are key design features/mechanisms implemented? Results Summarize -- what do the results mean? Specific experiments We did X, saw Y What do the experiments prove What other experiments would you want to do based on these results? 2

Operating System Quandary Recall Saltzer-Schroeder Q: What is the primary goal of system security? OS enables multiple users/programs to share resources on a physical device Access control policies of OS become complex E.g., SELinux What are we to do? 3

Virtual Machines Instead of using system software to enable sharing, use system software to enable isolation Virtualization a technique for hiding the physical characteristics of computing resources from the way in which others systems, applications, and end users interact with those resources Virtual Machines Single physical resource can appear as multiple logical resources 4

Virtual Machine Architectures Full system simulation CPU can be simulated Paravirtualization (Xen) VM has a special API Requires OS changes Native virtualization (VMWare) Simulate enough HW to run OS OS is for same CPU Application virtualization (JVM) Application API 5

Virtual Machine Types Type I Lowest layer of software is VMM E.g., Xen, VAX VMM, etc. Type II Runs on a host operating system E.g., VMWare, JVM, etc. Q: What are the trust model issues with Type II compared to Type I? 6

VM Security Isolation of VM computing Like a separate machine Partitioned Resources VM Guest OS VM Guest OS Device Requests Virtual Machine Monitor Physical Device Controls 7

VAX VMM Security Kernel A1 assured virtual machine system Virtualization Protect sensitive state Need to hide virtualization I/O Processing Need to share access to devices correctly Sensitive instructions must be virtualized (i.e., require privilege) Access to sensitive data must be virtualized (ditto) Systems cannot see that they are being virtualized Special driver interface (all in VMM security kernel) Self-virtualization: Run VMM as VM 8

VM Security Do VMs need to communicate or share resources? How do they do it? 9

VAX VMM Access Control Subjects and objects Coarse-grained access control possible VMs are subjects Disk partitions are objects Lattice policies for secrecy and integrity Bell-LaPadula for secrecy Biba for integrity Privileges for special operations E.g., administrative operations Discretionary access controls 10

Aside Simple security property Read-down only S can read O if and only if S s access class dominates (or equal) O *(star)-security property Write-up only S can write to O if and only if O s access class dominates (or equal) S Basic Security Theorem Every protection state satisfies simple and *-security properties Bell-LaPadula meets this trivially 11

VAX VMM Challenges Q: Why was the project cancelled? Drivers? In VMM... New model... Development languages/performance? Pascal?! Usability? Where s X? Lack of customers? Hardware changes? Covert channel defenses? Fuzzy time... Insanity? 12

NetTop Isolated networks of VMs Alternative to air gap security VM: Secret VM: Public VM: Secret VM: Public Guest OS Guest OS Guest OS Guest OS VMWare MLS SELinux Host OS VMWare MLS SELinux Host OS 13

Xen Paravirtualized Hypervisor Privileged VM VM: DomU Guest OS Partitioned Resources VM Services Dom 0 Host OS Drivers VM: DomU Guest OS Device Requests Xen Hypervisor 14

Xen shype Controlled information flows among VMs VM: DomU VM: DomU Guest OS Partitioned Resources VM Services Dom 0 Host OS Drivers Guest OS Device Requests Xen Hypervisor Ref Mon 15

Xen shype Policies Type Enforcement Mandatory, access matrix policy associating subject labels with object labels and operations A VM with a subject label L can perform an operation op on an object (e.g., VM, memory, file system) with object label M if the TE policy access matrix includes an entry for this Chinese Wall Conflict of interest restrictions A subject L can access an object labeled M in conflict set C If subject L has previously accessed an object labeled M If subject L has not previously accessed an object of any label in conflict set C Why are Type Enforcement and Chinese Wall used? 16

Java Virtual Machine Interpret Java bytecodes Machine specification defined by bytecode On all architectures, run same bytecodes Write once, run anywhere Can run multiple programs w/i JVM simultaneously Different classloaders can result in different protection domains How do we enforce access control? 17

Java Security Architecture Java 1.0: Applets and Applications CSE543 Computer and Network Security - Fall 2007 - Professor Jaeger Page 18

Java Security Architecture Java 1.1: Signed code (trusted remote -- think Authenticode) Java 1.2: Flexible access control, included in Java 2 CSE543 Computer and Network Security - Fall 2007 - Professor Jaeger Page 19

Stack Inspection Authorize based on protection domains on the stack Union of all sources All must have permission CSE543 Computer and Network Security - Fall 2007 - Professor Jaeger Page 20

Do Privileged doprivileged terminates backtrace Like setuid, with similar risks CSE543 Computer and Network Security - Fall 2007 - Professor Jaeger Page 21

Virtual Machine Threats How does the insertion of a virtual machine layer change the threats against the system? CSE543 Computer and Network Security - Fall 2007 - Professor Jaeger Page 22

Virtual Machine Rootkit Rootkit Malicious software installed by an attacker on a system Enable it to run on each boot OS Rootkits Kernel module, signal handler,... When the kernel is booted, the module is installed and intercepts user process requests, interrupts, etc. E.g., keylogger VM Rootkit Research project from Michigan and Microsoft If security service runs in VM, then a rootkit in VMM can evade security E.g., Can continue to run even if the system appears to be off CSE543 Computer and Network Security - Fall 2007 - Professor Jaeger Page 23

Take Away VM systems focus on isolation Enable reuse, but limited by security requirements Enable limited communication The policies are not trivial 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback