Secure Virtual Machine Execution Under an Untrusted Management OS
Chunxiao Li, Anand Raghunathan, Niraj K. Jha
Outline
- Background: Security & Virtualization
- Security challenges in virtualization-based architecture
- A secure virtual machine execution environment
- Implementation & results
- Security analysis
- Conclusion
The goal of computer security
- Computer security: a branch of information security applied to computers
- Three objectives of information security: confidentiality, integrity, availability
  - Confidentiality: authentication, authorization, access control, encryption/decryption
  - Integrity: data validation, one-way hash, digital signature
  - Availability: defending against DoS, backup/restore, load balancing
What is virtualization?
- Virtualization: technology for creating a software-controlled environment to allow program execution in it [1]

[1] http://www.ok-labs.com/virtualization-and-security/what-is-virtualization
[2] Barham et al., “Xen and the art of virtualization,” SOSP 2003
Relationship between virtualization and security
- On the one hand, virtualization can be utilized to enhance security
  - Secure logging (Chen et al., 2001)
  - Terra architecture (Garfinkel et al., 2003)
- On the other hand, virtualization also gives rise to several security concerns
  - Scaling, transience, software lifecycle, diversity, mobility, identity and data lifetime [1]
  - Virtual machine-based rootkits (VMBR) [2]

[1] Garfinkel et al., “When virtual is harder than real,” HotOS 2005
[2] King et al., “Subvirt: Implementing malware with virtual machines,” IEEE S&P 2006
Security challenges in virtualization-based architecture
- Our work tries to solve one of the fundamental security concerns in virtualization: the trusted computing base of a VM is too large
A security challenge of virtualization-based architecture
- Trusted computing base (TCB): a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security [1]
- Smaller TCB, more security

[Figure: components A, B and C, and the TCB]

[1] Lampson et al., “Authentication in distributed systems: Theory and practice,” ACM TOCS 1992
A security challenge of virtualization-based architecture (contd.)
- Security challenge: the TCB for a VM is too large

[Figure: the intended smaller TCB versus the actual TCB of a VM]
Xen architecture and the threat model
- Management VM: Dom0
- Guest VM: DomU
- Dom0 may be malicious
  - Vulnerabilities
  - Device drivers
  - Careless/malicious administration
- Dom0 is in the TCB of DomU because it can access the memory of DomU, which may cause information leakage/modification
Towards a secure execution environment for DomU
- Scenario: a client uses the service of a cloud computing company to build a remote VM
  - A secure network interface
  - A secure secondary storage
  - A secure run-time environment
- Build, save, restore, destroy
Towards a secure execution environment for DomU (contd.)
- A secure run-time environment is the most fundamental
  - The first two already have solutions: network interface: Transport Layer Security (TLS); secondary storage: Network File System (NFS)
  - The security mechanisms of the first two rely on a secure run-time environment
  - All the cryptographic algorithms and security protocols reside in the run-time environment
Domain building

[Figure: building process]
Domain save/restore
Domain save/restore (contd.)

[Figure: Dom0 saves DomU memory pages (Page1 to Page5) to storage through the Xen layer; the pages appear in storage as-is]
Domain save/restore (contd.)

[Figure: with the proposed mechanism, the Xen layer hashes each DomU page and scrambles its content (Page1 → Hash, Page3 → “3egap”) before Dom0 writes it to storage]
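The save/restore path on this slide and the Dom0 threat model above, as an added example (not the authors' Xen code): a Python model in which the Xen layer encrypts and tags each DomU page before Dom0 sees it, and refuses to restore a page Dom0 has altered or reordered. Keys held inside Xen and an HMAC-SHA256 keystream as a stand-in cipher are assumptions of this example.

```python
import hashlib
import hmac

# Constructed example: per-page encrypt-then-MAC at the Xen layer, so Dom0
# only ever handles pages it can neither read nor silently modify.
# Assumption: the keys live inside Xen (never visible to Dom0); HMAC-SHA256
# in counter mode stands in for a real block cipher and is NOT the
# construction used in the paper.

def _keystream(enc_key: bytes, page_no: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        msg = page_no.to_bytes(8, "big") + block.to_bytes(8, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def _tag(mac_key: bytes, page_no: int, ct: bytes) -> bytes:
    # Binding the page number into the tag stops Dom0 from swapping pages.
    return hmac.new(mac_key, page_no.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def xen_save_page(enc_key, mac_key, page_no, page):
    """Xen layer, on domain save: hand Dom0 only ciphertext plus a tag."""
    ct = bytes(a ^ b for a, b in zip(page, _keystream(enc_key, page_no, len(page))))
    return ct, _tag(mac_key, page_no, ct)

def xen_restore_page(enc_key, mac_key, page_no, ct, tag):
    """Xen layer, on domain restore: verify first, then decrypt into DomU memory."""
    if not hmac.compare_digest(_tag(mac_key, page_no, ct), tag):
        raise ValueError(f"page {page_no}: integrity check failed, refusing restore")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, page_no, len(ct))))

def save_domain(enc_key, mac_key, pages):
    return [xen_save_page(enc_key, mac_key, i, p) for i, p in enumerate(pages)]

def restore_domain(enc_key, mac_key, saved):
    return [xen_restore_page(enc_key, mac_key, i, ct, tag) for i, (ct, tag) in enumerate(saved)]

def restore_accepted(enc_key, mac_key, saved) -> bool:
    """True only if every saved page passes the integrity check."""
    try:
        restore_domain(enc_key, mac_key, saved)
        return True
    except ValueError:
        return False
```

Availability is untouched, as the security analysis slide notes: Dom0 can still refuse to hand the pages back at all.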
Implementation & results
- Modification of the Xen system only affects domain build, save and restore
- Normal work in DomU has little performance degradation
Security analysis
- A malicious Dom0 in the original Xen system may:
  - Access any memory page of DomU and read its content
  - Access any memory page of DomU and change its content
  - Randomly start and shut down the domain, and thus control the availability of all VMs
- We successfully solved the first two security concerns, with a small execution time overhead
Conclusion
- Virtualization technology can both benefit and undermine computer security in different ways
- One of the fundamental security concerns of virtualization-based architecture is that the TCB of a VM is too large
- A protection mechanism in the Xen virtualization system is proposed, which successfully excludes the management domain from the TCB with small execution time overhead
Thank you!