Secure Server Project. Xen Project Developer Summit 2013 Adven9um Labs Jason Sonnek

Similar documents
SoK: A Study of Using Hardwareassisted. Environments for Security. Fengwei Zhang and Hongwei Zhang. Wayne State University Detroit, Michigan, USA

Virtualization. Introduction. Why we interested? 11/28/15. Virtualiza5on provide an abstract environment to run applica5ons.

CS 356 Operating System Security. Fall 2013

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Background. IBM sold expensive mainframes to large organiza<ons. Monitor sits between one or more OSes and HW

DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION

CSE543 - Computer and Network Security Module: Virtualization

Autonomic Mul,- Agents Security System for mul,- layered distributed architectures. Chris,an Contreras

M 2 R: Enabling Stronger Privacy in MapReduce Computa;on

Background. IBM sold expensive mainframes to large organiza<ons. Monitor sits between one or more OSes and HW

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Transforming XenServer into a proper open-source project

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Xen on ARM. Stefano Stabellini

Virtual Machine Security

Design Principles & Prac4ces

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services)

CSE Computer Security

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Advanced Systems Security: Ordinary Operating Systems

In-Guest Mechanisms to Strengthen Guest Separation. XenSummit 2013 Philip Tricca

Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor

CSE543 - Computer and Network Security Module: Virtualization

Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Building a Resilient Security Posture for Effective Breach Prevention

Guarded Modules: Adap/vely Extending the VMM s Privileges Into the Guest

Confinement (Running Untrusted Programs)

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

CSE543 - Computer and Network Security Module: Virtualization

CrashOS: Hypervisor testing tool

Operating System Security

Trust Eleva,on Architecture v03

Dynamic Datacenter Security Solidex, November 2009

Xen Community Update. Ian Pratt, Citrix Systems and Chairman of Xen.org

Ronny L. Bull & Dr. Jeanna Matthews. DerbyCon 4.0. Sept 27th, 2014

Advanced Systems Security: Principles

OpenXT Project in 2016

W11 Hyper-V security. Jesper Krogh.

RED HAT ENTERPRISE VIRTUALIZATION 3.0

Database Machine Administration v/s Database Administration: Similarities and Differences

Xen Project 4.4: Features and Futures. Russell Pavlicek Xen Project Evangelist Citrix Systems

Leviathan redux. John L. Manferdelli Intel Science and Technology Center for Secure Compu;ng UC, Berkeley

Advanced Systems Security: Virtual Machine Systems

HyTrust Heals Healthcare

Oracle VM Workshop Applica>on Driven Virtualiza>on

Operating system hardening

Improving client systems security with Qubes OS

Network Virtualiza/on Overlay Control Protocol Requirements

Scalable Architectural Support for Trusted Software

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Network Virtualization Business Case

Advanced Systems Security: Virtual Machine Systems

Logical Partitions on Many-core Processors

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Threat modeling. Tuomas Aura T Informa1on security technology. Aalto University, autumn 2012

Citrix XenServer 7.1 Feature Matrix

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Laying a Secure Foundation for Mobile Devices. Stephen Smalley Trusted Systems Research National Security Agency

The Business of Security in the Cloud

MulG-Vendor Key Management with KMIP

ARM Security Solutions and Numonyx Authenticated Flash

Originally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison

Xen Project Status Ian Pratt 12/3/07 1

SoftLayer Security and Compliance:

I/O virtualization. Jiang, Yunhong Yang, Xiaowei Software and Service Group 2009 虚拟化技术全国高校师资研讨班

WHITE PAPER MICRO-SEGMENTATION. illumio.com

Securing Cloud Computing

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Identity-Based Cyber Defense. March 2017

align security instill confidence

SentinelOne Technical Brief

AdDroid Privilege Separa,on for Applica,ons and Adver,sers in Android

Business Case Components

Securing Your Virtual World Harri Kaikkonen Channel Manager

AWS Integration Guide

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables

VM-SERIES FOR VMWARE VM VM

TUX : Trust Update on Linux Kernel

Virtualize More While Improving Your Risk Posture: The 4 Must Haves of VirtualizaJon Security

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

Application Virtualization and Desktop Security

Getting Started with AWS Security

Securing Your Amazon Web Services Virtual Networks

Justifying Integrity Using a Virtual Machine Verifier

Intel s s Security Vision for Xen

Enterprise & Cloud Security

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

Security for the Xen Hypervisor Status Quo & Perspective 2006

IoT & SCADA Cyber Security Services

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Virtualization in the Cloud Lars Kurth Xen Community Manager

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Monitoring IPv6 Content Accessibility and Reachability. Contact: R. Guerin University of Pennsylvania

HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity

Alterna(ve Architectures

Transcription:

Secure Server Project Xen Project Developer Summit 2013 Adven9um Labs Jason Sonnek 1

Outline I. Mo9va9on, Objec9ves II. Threat Landscape III. Design IV. Status V. Roadmap 2

Mo9va9on In a nutshell: Secure Server Mul9plexing In a cloud environment Mul9ple tenants Goals: Ensure data and processing are safe from co- tenants Ensure controls on informa9on separa9on and flow are sa9sfied Today: Xen hypervisor, hardware- assisted virtualiza9on provide tools necessary to isolate hardware Problem: many shared components in dom0, insufficient isola9on The easy way out: Dedicated hardware for each tenant Imprac9cal when there are a large number of tenants, rela9onships are evolving 3

Objec9ve Cloud Management Green Orange SecureServe SecureServe ideal Enables mul9ple tenants to share a single pla[orm securely High- assurance, isolated so]ware par99ons Enables controlled informa9on sharing between tenants Supports enterprise- ready management Low cost Xen 4

Current State Green Orange netback xapi XenStore dom0 Xen Weakest guest is the weakest link in the system Guest aaack vector: many shared components in dom0 Device emula9on, virtual devices, toolstack, XenStore Cross- VM side channel aaacks Cloud management provides an addi9onal aaack vector Users must be able to manage and configure their VMs. XAPI: Complex (130K LOC) Interfaces with many other components. 5

Current State Green Compliance Orange netback xapi XenStore dom0 Desire controlled informa9on sharing between tenants Inter- VM networking Can define separate networks in dom0 Separa9on in dom0 is weaker than separa9on provided by hypervisor Goal: enable high- assurance private networks Xen 6

Threat Landscape Recent (2012-13) Xen- tagged CVE vulnerabili9es (tag cloud below) 73 vulnerabili9es represented, some with mul9ple poten9al effects 65 "guest", e.g. "allows local guest administrators to" 8 TMEM (transcendental memory) 4 "overflow" 4 3 "drivers" (all in reference to backends) 2 xenstore 7

Threat Landscape Aaackers target toolstack, hypervisor, management so]ware, with varying goals: Denial of Service Escala9on of Privilege Acquisi9on of Informa9on Vulnerability types on the radar: API - - arguments not adequately sanity checked Aspects of Intel/AMD instruc9on set that emulator handles incorrectly Failure to completely and correctly check permissions Weakness in recovering from error condi9ons Exploitable PCI pass- through devices, especially bus mastering capable ones Logic errors that can be triggered by unusual condi9ons Memory leaks or similar unbounded resource sinks 8

Near- Term Project Objec9ves Improve security posture of dom0 Isolate the network stack Isolate the storage stack Isolate the device model () Adapt the toolstack as necessary to support this configura9on Apply well- known security principles Secure the weak links, separate privileges, do not share mechanisms (disaggrega9on) Grant (and enforce) least privilege (hypervisor MAC) Defense- in- depth (aaesta9on) Establish a baseline for future research and development 9

Requirements Defined a set of high- level requirements based on NIST 800.53 and CNSSI 1253: Categories: Confiden9ality, Integrity, Access Control, Accountability, Usability Examples: Informa7on in Shared Resources: The system must prevent unauthorized and unintended informa9on transfers via shared objects.. MAC Policies: The system must use mandatory access control policies to control the flow of informa9on among processing domains. SoAware, Firmware, and Hardware Integrity: The system should support integrity verifica9on tools to detect unauthorized changes to selected so]ware, firmware and hardware. 10

Dom0 Disaggrega9on Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 Xen Secure weak links, separate mechanisms / privileges 11

Hypervisor Mandatory Access Controls Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 XSM Xen Grant and enforce least privilege 12

Isn t that overkill? Green Orange xapi XenStore dom0 netback Xen Proposal: Encrypt orange and green traffic 13

Isn t that overkill? Green Orange xapi XenStore dom0 netback Xen Compromise of dom0 via malicious tenant provides unfepered access to memory! 14

Isola9ng the Weak(est) Links Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 XSM Xen If one tenant on Secure Server is compromised... 15

Isola9ng the Weak(est) Links Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 XSM Xen the apack is contained because the compromised tenant lacks privileges necessary to access co- tenant resources. 16

Isola9ng the Weak(est) Links Green Orange Network Storage Network Storage netbk netbk xapi XenStore dom0 XSM Xen Provides stronger data confiden7ality assurance as well 17

Dynamic Mandatory Access Controls Green Purple Orange netback xapi XenStore dom0 Xen Can easily define a sta9c policy for mul9- tenant environments Not good enough Tenants come and go Rela9onships evolve How can we support a dynamic XSM policy? 18

TCB: Trust, but verify Un9l now, assumed a trusted compu9ng base that includes Xen and the hardware Don t really intend to trust these things: Use measured launch to check integrity Use dynamic aaesta9on to verify run9me integrity Especially important on servers 19

SRTM, DRTM and Dynamic Aaesta9on Knowledge (trust) Knowledge (trust) Core Root Trust Core Root Trust Gap Dynamic Launch Entry Dynamically Launched Measured Environment (e.g., tboot) Sta9c Root of Trust Entropy leads to decay of Hardware? knowledge of system state: Firmware? Configura9on? Drivers? 9me Dynamic Root of Trust 9me AAer ini7al boot, knowledge of system state decays with 7me 10/16/13 Adven9um Labs 2013 20

Current Status Started with XenServer 6.2 appliance Built network driver domain (working) openvswitch or bridged networking Built storage driver domain (working) iscsi and SATA controller backend Developing stub domain Defined MAC policy for a specific use case; verified, validated Challenges Built tools for genera9ng sta9c policies based on high- level specifica9on Deducing rela9onship between XAPI and Xen constructs Adap9ng toolstack to support disaggregated opera9on 21

Roadmap Secure inter- VMcommua9on Survey: more than a dozen published mechanisms More fine- grained disaggrega9on XenAPI, XenStore, domain builder Informed by prior work: Windsor, Xoar, Murray et al., Qubes, Service VM model Reduce footprint, maintain generality Assess scalability Per tenant sharing Iden9fy future R&D challenges Migra9on Server longevity High availability configura9ons 22

Conclusion Secure Server Mul9plexing Ensure data and processing are safe from co- tenants Ensure controls on informa9on separa9on and flow are sa9sfied Building a baseline prototype By drawing on past dom0 disaggrega9on, MAC and aaesta9on R&D Targe9ng EOY 2013 release Prototype can be used as a founda9on for future R&D Phase 2: iden9fy outstanding challenges and long- term R&D roadmap Call for Par9cipa9on Collabora9ng via xs- devel mailing list Feedback welcome 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback