11World-Leading Research with Real-World Impact!

ZeroVM Backgroud

Prosunjit BiswasInstitute for Cyber Security

University of Texas at San Antonio

April 23, 2014Institute of Cyber Security, ICS @ UTSA

Institute for Cyber Security

22World-Leading Research with Real-World Impact!

Motivation Behind ZeroVM

Institute for Cyber Security

1. In Amazon map/reduces a considerable amount of overhead was due to fetching the data from s3 to EC2 Instances and put it back to s3.

2. The overhead was hurting when the customers need to remake to cluster and do the map/reduce again.

3. A significant amount of customer’s money was spent due to moving the data back and forth.

33World-Leading Research with Real-World Impact!

Motivation Behind ZeroVM(continued)

Institute for Cyber Security

1. can we bring to Application to the data(very limited I/O overhead)?

2. How can we ensure no harm even if the application is malicious?

Challenge with High I/O

Challenge with Application Isolation

44World-Leading Research with Real-World Impact!

What is ZeroVM

Institute for Cyber Security

ZeroVM is an open–source lightweight virtualization

platform based on the Chromium Native Client

project.

55World-Leading Research with Real-World Impact!

ZeroVM Properties

Institute for Cyber Security

1. ZeroVM virtualizes Application not Operating System.

2. Single threaded (thus deterministic) execution

3. Constraint Resource Channel based I/O Predefine socket port / network

Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined

timeout

66World-Leading Research with Real-World Impact!

ZeroVM Properties

Institute for Cyber Security

1. ZeroVM virtualizes Application not Operating System.

2. Single threaded (thus deterministic) execution

3. Constraint Resource Channel based I/O Predefine socket port / network

Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined

timeout

77World-Leading Research with Real-World Impact!

Popular Virtualizations

Institute for Cyber Security

1. ZeroVM virtualizes Application not Operating System.

2. Does zeroVM uses process level virtualization ?

OS Level Virtualization Process Level Virtualization

No

88World-Leading Research with Real-World Impact!

Popular Virtualizations

Institute for Cyber Security

OS Level Virtualization Process Level Virtualization

Pros:1.Complete Isolation

Dedicated V. Memory Dedicated V. Storage Dedicated V. CPU

2. Flexible ArchitectureAlmost all OS is supported

3. Fault Tolerance

Cons:1.High Resource Overhead2.High Maintenance Cost.

Pros:1.Easy to maintain2. Comparative low overhead.

Cons:1.Single Large Fault domain

a. One malicious app may crush the whole system.

2.No Complete isolation.

99World-Leading Research with Real-World Impact!

ZeroVM Virtualization

Institute for Cyber Security

Process Level Virtualization

Pros:1.Nearly Complete Isolation

- Uses Google Native Client (NaCl) Project

2.Low Resource overhead.

3. Fault Tolerant

Cons:

1.Run Only special executables/ binary.

2.Very limited support for existing Application

1010World-Leading Research with Real-World Impact!

ZeroVM Properties

Institute for Cyber Security

1. ZeroVM virtualizes Application not Operating System.

2. Single threaded (thus deterministic) execution

3. Constraint Resource Channel based I/O Predefine socket port / network

Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined

timeout

1111World-Leading Research with Real-World Impact!

ZeroVM Properties

Institute for Cyber Security

1. ZeroVM virtualizes Application not Operating System.

2. Single threaded (thus deterministic) execution

3. Constraint Resource Channel based I/O Predefine socket port / network

Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined

timeout

Single Threaded Execution:

1.No Fork

2.No Context Switch

3.No Fault due to concurrency

1212World-Leading Research with Real-World Impact!

ZeroVM Properties

Institute for Cyber Security

1. ZeroVM virtualizes Application not Operating System.

2. Single threaded (thus deterministic) execution

3. Constraint Resource Channel based I/O Predefine socket port / network

Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined

timeout

1313World-Leading Research with Real-World Impact!

Channel Based Input / Output

Institute for Cyber Security

1. ZeroVM virtualizes Application not Operating System.

2. Single threaded (thus deterministic) execution

3. Constraint Resource Channel based I/O Predefine socket port / network

Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined

timeout

Before execution ZeroVM is given a manifest/ configuration file which specify predefined Resources through Channel.

Input file, Output file / File System Network (socket, DNS) Memory

Channel = /tmp/input.txt, /dev/stdin, 0, 1, 0x1000, 0x1000, 0, 0

Which means :Zerovm input (/dev/stdin) comes from : /tmp/input.txt of

local filesystem. 0: Only sequential Read / Write is allowed

0x1000: only 1000 bytes is allowed to be read from input file.

0: 0 bytes can be written to /tmp/input.txt

1414World-Leading Research with Real-World Impact!

An example Manifest file

Institute for Cyber Security

1. ZeroVM virtualizes Application not Operating System.

2. Single threaded (thus deterministic) execution

3. Constraint Resource Channel based I/O Predefine socket port / network

Restricted Memory Access Limited Read/ Write (in bytes) Limited life time / Predefined

timeout

Channel = /dev/null, /dev/stdin, 0, 1, 999999, 999999, 0, 0Channel = /dev/stdout, /dev/stdout, 0, 1, 0, 0, 999999, 999999Channel = /dev/stderr, /dev/stderr, 0, 1, 0, 0, 999999, 999999

Version = 20130611Program = hello.nexe

Memory = 33554432, 1Timeout = 1

1515World-Leading Research with Real-World Impact!

Binary Support for ZeroVM

Institute for Cyber Security

ZeroVM executables have to be precompiled in .nexe format.

Currently only C (C99) and python executables are supported.

Existing C executables and python interpreter need recompilation to modify / eliminate sensitive system calls.

1616World-Leading Research with Real-World Impact!

ZeroVM from a theoretical standpoint

Institute for Cyber Security

ZeroVM

Google Native Client

Software Fault Isolation

Functional Dependencyand Security

Feature

1717World-Leading Research with Real-World Impact!

ZeroVM from a theoretical standpoint

Institute for Cyber Security

ZeroVM

Google Native Client

Software Fault Isolation

Functional Dependencyand Security

Feature

1818World-Leading Research with Real-World Impact!

Software Fault Isolation

Institute for Cyber Security

Trusted Code( Ex: Distributed by Google )

Untrusted Code

( Ex:Third party extensions)

Ex: Google Chrome Browser

Malicious access

Fault Isolation Techniques:1.Address Space Abstraction by OS

Cons:1. Communication between address space is very costly.

Valid accessRef: Efficient Software-based Fault Isolation

1919World-Leading Research with Real-World Impact!

Software Fault Isolation

Institute for Cyber Security

Fault Domain:-- Contiguous region of memory.-- have different code and data segment-- Code from different trust level have own fault domain.

Cross Domain Communication:-- No direct memory access-- All call are implemented by RPC

Single Domain Restricted Access:-- the module cannot change Code segment. (dangerous, self modifying code)-- Every jump instruction must not pass single domain.-- Most Jumps are statically verified otherwise-- verified at run time with help of checking code.

Fault domain1

Distributed code / extensions must be recompiled/rewritten.

Code Segment, RO

Data ,RW

Code Segment, RO

Data, RW

Code,RO

Data, RW

Fault Domain2

Fault Domain3

2020World-Leading Research with Real-World Impact!

Google Native Client (NaCl)

Institute for Cyber Security

Adopted from : https://developers.google.com/native-client/dev/overview

2121World-Leading Research with Real-World Impact!

Application Development for Native Client

Institute for Cyber Security

Adopted from : https://developers.google.com/native-client/dev/overview

2222World-Leading Research with Real-World Impact!

Google Native Client (NaCl)

Institute for Cyber Security

NaCl consists of Two parts:

1.Inner Sandbox: Constraint execution environment for native code to prevent unintended side effects.

2.Outer Sandbox: A Runtime for hosting these native code extensions through which allowable side effects may occur safely.

Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code

2323World-Leading Research with Real-World Impact!

Protection Rule for Inner Sandbox

Institute for Cyber Security

Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code

2424World-Leading Research with Real-World Impact!

Sucurity Application for ZeroVM

Institute for Cyber Security

S

Data

Swift

Object Request

Object

S

Swift

Request

Reult

AppData

zerovm

2525World-Leading Research with Real-World Impact!

Sucurity Application for ZeroVM

Institute for Cyber Security

Application Perspective

1. User Application

2. 3rd party Application

3. Provider Application

.

Data Perspective:

1. User Data

2. Public Data

3. Protected data(Data + Access Control)

.

2626World-Leading Research with Real-World Impact!

Security Application for ZeroVM

Institute for Cyber Security

Provider Application:

Authaas - Authorization as a service for object storage ( for JSON Data)

Data owner does not create a new application to restrictively publish his data. Instead just specify a AC policy and enforcement is done through Authass .

Usecase:

Texas State Library has decided to move their digital contents (book, article and so on) to the object store. Their digital content is structured in JSON format. The library has readers of various types (Public, Silver, golden, platinum etc.) and digital contents are also classified into various types (public, paid , protected , secret etc.).

.

Thank You

World-Leading Research with Real-World Impact!