CSE543 - Computer and Network Security Module: Virtualization

Similar documents
CSE543 - Computer and Network Security Module: Virtualization

CSE543 - Computer and Network Security Module: Virtualization

CSE Computer Security

Virtual Machine Security

Advanced Systems Security: Virtual Machine Systems

Advanced Systems Security: Virtual Machine Systems

Topics in Systems and Program Security

CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Virtualization. Pradipta De

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Advanced Systems Security: Securing Commercial Systems

CSE 120 Principles of Operating Systems

Operating System Security

Virtualization. Virtualization

CHAPTER 16 - VIRTUAL MACHINES

Xen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016

Security for the Xen Hypervisor Status Quo & Perspective 2006

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Lecture 5: February 3

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014)

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Ordinary Operating Systems

Dawn Song

CSCI 8530 Advanced Operating Systems. Part 19 Virtualization

ReVirt: Enabling Intrusion Analysis through Virtual Machine Logging and Replay

The Evolution of Secure Operating Systems


Virtualization. Michael Tsai 2018/4/16

CSE 544 Advanced Systems Security

W11 Hyper-V security. Jesper Krogh.

CS 550 Operating Systems Spring Introduction to Virtual Machines

Module 1: Virtualization. Types of Interfaces

Advanced Systems Security: Multics

Advanced Systems Security: Principles

Background. IBM sold expensive mainframes to large organizations. Monitor sits between one or more OSes and HW

Virtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?

NON SCHOLAE, SED VITAE

Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay

Virtual Machine Monitors (VMMs) are a hot topic in

Distributed Systems COMP 212. Lecture 18 Othon Michail

CSC 5930/9010 Cloud S & P: Virtualization

Operating Systems 4/27/2015

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Learning Outcomes. Extended OS. Observations Operating systems provide well defined interfaces. Virtual Machines. Interface Levels

Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Xen and the Art of Virtualization. Nikola Gvozdiev Georgian Mihaila

Virtualization. Application Application Application. MCSN - N. Tonellotto - Distributed Enabling Platforms OPERATING SYSTEM OPERATING SYSTEM

Nested Virtualization and Server Consolidation

24-vm.txt Mon Nov 21 22:13: Notes on Virtual Machines , Fall 2011 Carnegie Mellon University Randal E. Bryant.

Securing your Virtualized Datacenter. Charu Chaubal Senior Architect, Technical Marketing 6 November, 2008

Virtual machine architecture and KVM analysis D 陳彥霖 B 郭宗倫

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

references Virtualization services Topics Virtualization

Virtual Machine Monitors!

Chapter 5 C. Virtual machines

Topics in Systems and Program Security

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

The Evolution of Secure Operating Systems

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

Chapter 2: Operating-System Structures

Virtualization (II) SPD Course 17/03/2010 Massimo Coppola

Cloud Computing Virtualization

Virtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018

OS Security IV: Virtualization and Trusted Computing

Originally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

Virtualization. Dr. Yingwu Zhu

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Virtual Machines. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Knut Omang Ifi/Oracle 6 Nov, 2017

Architectural Support for A More Secure Operating System

1 Virtualization Recap

SERVE. -Priyal Lokhandwala

Virtualization and memory hierarchy

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

CHAPTER 16 - VIRTUAL MACHINES

The DNS system is organized in a structure.

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

IBM Research Report. shype: Secure Hypervisor Approach to Trusted Virtualized Systems

CS 5600 Computer Systems. Lecture 11: Virtual Machine Monitors


Xen Project Overview and Update. Ian Pratt, Chairman of Xen.org, and Chief Scientist, Citrix Systems Inc.

Back To The Future: A Radical Insecure Design of KVM on ARM

Towards High Assurance Networks of Virtual Machines

Virtualization and Virtual Machines. CS522 Principles of Computer Systems Dr. Edouard Bugnion

Lecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems

Virtualization with XEN. Trusted Computing CS599 Spring 2007 Arun Viswanathan University of Southern California

CS 350 Winter 2011 Current Topics: Virtual Machines + Solid State Drives

An overview of virtual machine architecture

IBM Research Report. Building a MAC-based Security Architecture for the Xen Opensource Hypervisor

Overview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin

A Survey on Virtualization Technologies

CIS 5373 Systems Security

HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity

Operating Systems. Operating System Structure. Lecture 2 Michael O Boyle

I/O and virtualization

OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.

Lecture 3 MOBILE PLATFORM SECURITY

Transcription:

CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1

Operating System Quandary Q: What is the primary goal of system security? OS enables multiple users/programs to share resources on a physical device OS s now have millions of lines of code Access control policies of OS become complex E.g., SELinux What can we say about security? 2

Virtual Machines Instead of using system software to control sharing, use system software to enable isolation Virtualization a technique for hiding the physical characteristics of computing resources from the way in which others systems, applications, and end users interact with those resources Virtual Machines Single physical resource can appear as multiple logical resources 3

Virtual Machine Full system simulation CPU can be simulated Paravirtualization (Xen) VM has a special API Requires OS changes Native virtualization (VMWare) Simulate enough HW to run OS OS is for same CPU Application virtualization (JVM) Application API 4

Virtual Machine Types Virtual Machine Monitor Approaches Type I Lowest layer of software is VMM Type 2 VMM! E.g., Xen, VAX VMM, etc. App! Type II Guest OS 1! Guest OS 2! App! Runs on a host operating system E.g., VMWare, JVM, etc. VMM! App! Hybrid VMM! App! Guest OS 1! Guest OS 2! Type 1 VMM! App! App! Guest OS 1! Guest OS 2! Host OS! Host OS! VMM! VMM! Q: What are the trust model issues with Type II Hardware! Hardware! compared to Type I? JVM! CLR! VMware Workstation! MS Virtual Server! KVM! Hardware! VMware ESX! Xen! MS Hyper-V! Penn CSE543 State - Computer Systems and Internet Network Infrastructure Security Security Lab 5

How Can VMs Improve Security? Isolation Separate two applications to run in two VMs Specialize Run a hardened, specialized kernel for some applications Isolate groups of VMs Like a VLAN Better IDS from outside the VM VM Introspection Control data release to VMs TCB can decide whether to release data to a new VM And more... 6

VAX VMM Security Kernel A1 assured system that enforces MLS Based on an assured virtual machine monitor (VMM) AKA hypervisor Applications (Top Secret) Applications (Secret) Applications (Unclassified) Ultrix OS VMS OS VMS OS VMM Security Kernel Memory Device Disk Device Print Device Display Device... 7

VAX VMM Goals Provide isolation boundaries between VMs On real (at the time) hardware Keep OS and apps working without modification (much...) Enforce MLS access control among VMs Enable practical management of security at coarse granularity E.g., VMs, not processes Full formal assurance! A general-purpose foundation for security! 8

Provide Isolation Why would this be difficult? Real hardware (at that time) was designed for a single OS DEC Hardware, VAX/VMS OS UNIX-ish system Fundamental problem Some HW instructions are sensitive, but not privileged Sensitive: May impact security - lots on VAX Privileged: Must run in ring 0 What property should a solution meet? 9

VAX VMM Access Control Want to enforce MLS What kind of protection system do we need? 10

VAX VMM Access Control Subjects and objects Coarse-grained access control possible VMs are subjects (as are users) Disk partitions (volumes) are objects Also devices, security kernel files, virtualized resources Lattice policies for secrecy and integrity Bell-LaPadula for secrecy Biba for integrity Privileges for special operations E.g., administrative operations Discretionary access controls Have them, but limited within MAC 11

Keep OS/Apps Running Why would this be difficult? OS thinks it has control of... 12

Keep OS/Apps Running Why would this be difficult? OS thinks it has control of I/O processing But, now the VMM manages hardware resources What happens when OS performs device I/O? Sensitive instruction trapped? Then, no problem But if these are just memory accesses... This depends a lot on the hardware design IBM VM/370 used sensitive instructions for I/O VAX and Intel x86 used separate I/O memory What can be done? 13

Paravirtualization Modify OS to be aware of virtualization for I/O Mentioned this at start Also done for Xen/x86 and VMware initially 14

VAX VMM Security Kernel A1 assured virtual machine system Virtualization Provide isolation Sensitive instructions must be virtualized (i.e., require privilege) Access to sensitive data must be virtualized (ditto) MLS Mandatory protection of VMs, volumes I/O Processing Paravirtualization Special driver interface (all in VMM security kernel) 15

VAX VMM Challenges Q: Why was the project cancelled? Manual formal assurance has impacts New Drivers? In VMM... Need to assure again Limited functionality No Ethernet 48K LOC (bigger than Multics) 11K of assembly Does modern virtualization support in hardware solve these problems? Modern hardware Modern hypervisors Modern assurance 16

MAC IOMMU for Modern Role In VMMs System Xen, VMware, etc. provide Isolation and I/O: sensitive instructions are made privileged What about enforcing flexible MAC policies? Application! This is something that VAXVMM did... Application! Application! MMU! RAM! IOMMU! Peripheral! Peripheral! System! Software! Peripheral! control Penn CSE543 State - Computer Systems and Internet Network Infrastructure Security Security Lab 17

Future Virtualization Modern Hardware Native Virtualization Support IOMMU Modern Hypervisors Xen is 300K+ LOC MAC enforcement is becoming complex Xen Security Modules Modern Assurance Some advances, but small (sel4) 10K LOC is max that has been assured 18

Xen Paravirtualized Hypervisor Privileged VM VM: DomU Guest OS Partitioned Resources VM Services Dom 0 Host OS Drivers VM: DomU Guest OS Device Requests Xen Hypervisor 19

MAC for Modern VMMs Xen, VMware, etc. provide Isolation and I/O: sensitive instructions are made privileged What about enforcing flexible MAC policies? This is something that VAXVMM did... 20

NetTop Isolated networks of VMs Alternative to air gap security VM: Secret VM: Public VM: Secret VM: Public Guest OS Guest OS Guest OS Guest OS VMWare MLS SELinux Host OS VMWare MLS SELinux Host OS 21

Intrusion Detection w/ VMs Can virtualization help in detecting an intrusion? Network intrusion detection Can only track packets to and from host Cannot see what is running on the host Host intrusion detection Can see processes on host But adversary can see HIDS too! Stuxnet took advantage of that 22

Intrusion Detection w/ VMs Garfinkel and Rosenblum paper (NDSS 2003) Premise: Use VMM to enable introspection of one VM from another For antivirus or host intrusion detection Leverages 3 properties of VMM Isolation: protect from target Inspection: can see target s memory Interposition: can intercept privileged instructions Can then checkpoint target VM What is the checkpoint algorithm in terms of above 3? 23

Intrusion Detection w/ VMs IDS Policy Engine Policy Modules Monitored Host Config File Policy Framework Command Guest Apps Guest OS Metadata Query Response Guest OS OS Interface Library Virtual Machine Hardware State callback or Response Virtual Machine Monitor Figure 1. A High-Level View of our VMI-Based IDS Architecture: On the right is the virtual machine (VM) that runs the host being monitored. On the left is the VMI-based IDS with its major components: the OS interface library that provides an OS-level view of the VM by interpreting the hardware state exported by the VMM, the policy engine consisting of a common framework for building policies, and policy modules that implement specific intrusion detection policies. The virtual machine monitor provides a substrate that isolates the IDS from the monitored VM and allows the IDS to inspect the state of the VM. The VMM also allows the IDS to interpose on interactions between the guest OS/guest applications and the virtual hardware. 24

Introspection Challenges Can you find what you are looking for? OS s are complex and have important dynamic data Lots of function pointers (data, but not really dynamic) Semantic gap gets larger when you want to inspect apps Can you monitor everything you need to? Need to create at critical times Use privileged commands, hardware watchpoints, debuggers, or voluntary hooks (like paravirtualization) Too many interrupts impedes performance Can you protect yourself from adversary? Adversary could try to compromise IDS from VM Adversary could try to compromise VMM from VM or IDS 25

Virtual Machine Threats How does the insertion of a virtual machine layer change the threats against the system? 26

Virtual Machine Rootkit Rootkit Malicious software installed by an attacker on a system Enable it to run on each boot OS Rootkits Kernel module, signal handler,... When the kernel is booted, the module is installed and intercepts user process requests, interrupts, etc. E.g., keylogger VM Rootkit Research project from Michigan and Microsoft If security service runs in VM, then a rootkit in VMM can evade security 27

Java Virtual Machine Interpret Java bytecodes Machine specification defined by bytecode On all architectures, run same bytecodes Write once, run anywhere Can run multiple programs w/i JVM simultaneously Different classloaders can result in different protection domains How do we enforce access control? 28

Java Security Architecture Java 1.0: Applets and Applications Java 1.1: Signed code (trusted remote -- think Authenticode) 29

Java Security Architecture Java 1.2: Flexible access control, included in Java 2 30

Stack Inspection Authorize based on protection domains on the stack Union of all sources All must have permission 31

Do Privileged doprivileged terminates backtrace Like setuid, with similar risks 32

Take Away VM systems focus on isolation between VMs Useful for coarse-grained security VM systems sometimes provide MAC to allow controlled interaction Same kind of policies as for OS, coarse-grained objects (VMs) Can use for VM introspection Watch out for VMM rootkits... 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback