Secure Virtual Machine Execution Under an Untrusted Management OS
Chunxiao Li, Anand Raghunathan, Niraj K. Jha
(PowerPoint presentation, 24 pages)

Page 1: Secure Virtual Machine Execution Under an Untrusted Management OS

Secure Virtual Machine Execution Under an Untrusted Management OS

Chunxiao Li, Anand Raghunathan, Niraj K. Jha

Page 2: Secure Virtual Machine Execution Under an Untrusted Management OS

Outline
  • Background: Security & Virtualization
  • Security challenges in virtualization-based architecture
  • A secure virtual machine execution environment
  • Implementation & results
  • Security analysis
  • Conclusion

Page 3: Secure Virtual Machine Execution Under an Untrusted Management OS

The goal of computer security

Computer security: a branch of information security applied to computers

Three objectives of information security: Confidentiality, Integrity, Availability
  • Confidentiality: Authentication, Authorization, Access control, Encryption/Decryption
  • Integrity: Data validation, One-way hash, Digital signature
  • Availability: Defending against DoS, Backup/restore, Load balancing

Page 4: Secure Virtual Machine Execution Under an Untrusted Management OS

What is virtualization?

Virtualization: technology for creating a software-controlled environment to allow program execution in it [1]

[1] http://www.ok-labs.com/virtualization-and-security/what-is-virtualization
[2] Barham et al., “Xen and the art of virtualization,” SOSP 2003

Page 5: Secure Virtual Machine Execution Under an Untrusted Management OS

Relationship between virtualization and security

On the one hand, virtualization can be utilized to enhance security
  • Secure logging (Chen et al., 2001)
  • Terra architecture (Garfinkel et al., 2003)

On the other hand, virtualization also gives rise to several security concerns
  • Scaling, transience, software lifecycle, diversity, mobility, identity and data lifetime [1]
  • Virtual machine-based rootkits (VMBR) [2]

[1] Garfinkel et al., “When virtual is harder than real,” HotOS 2005
[2] King et al., “SubVirt: Implementing malware with virtual machines,” IEEE S&P 2006

Page 6: Secure Virtual Machine Execution Under an Untrusted Management OS

Outline (section divider, repeating the list on page 2)

Page 7: Secure Virtual Machine Execution Under an Untrusted Management OS

Security challenges in virtualization-based architecture

Our work tries to solve one of the fundamental security concerns in virtualization: the trusted computing base of a VM is too large

Page 8: Secure Virtual Machine Execution Under an Untrusted Management OS

A security challenge of virtualization-based architecture

Trusted computing base (TCB): a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security [1]

Smaller TCB → more security

[Figure: components A, B and C shown relative to the TCB]

[1] Lampson et al., “Authentication in distributed systems: Theory and practice,” ACM TOCS 1992

Page 9: Secure Virtual Machine Execution Under an Untrusted Management OS

A security challenge of virtualization-based architecture (Contd.)

Security challenge: the TCB for a VM is too large

[Figure: smaller TCB vs. actual TCB]

Page 10: Secure Virtual Machine Execution Under an Untrusted Management OS

Xen architecture and the threat model

  • Management VM: Dom0
  • Guest VM: DomU
  • Dom0 may be malicious
      • Vulnerabilities
      • Device drivers
      • Careless/malicious administration
  • Dom0 is in the TCB of DomU because it can access the memory of DomU, which may cause information leakage/modification

Page 11: Secure Virtual Machine Execution Under an Untrusted Management OS

Outline (section divider, repeating the list on page 2)

Page 12: Secure Virtual Machine Execution Under an Untrusted Management OS

Towards a secure execution environment for DomU

Scenario: a client uses the service of a cloud computing company to build a remote VM
  • A secure network interface
  • A secure secondary storage
  • A secure run-time environment (build, save, restore, destroy)

Page 13: Secure Virtual Machine Execution Under an Untrusted Management OS

Towards a secure execution environment for DomU (Contd.)

  • A secure run-time environment is the most fundamental of the three
  • The first two already have solutions:
      • Network interface: Transport Layer Security (TLS)
      • Secondary storage: Network File System (NFS)
  • The security mechanisms of the first two rely on a secure run-time environment
  • All the cryptographic algorithms and security protocols reside in the run-time environment

Page 14: Secure Virtual Machine Execution Under an Untrusted Management OS

Domain building

[Figure: building process]

Page 15: Secure Virtual Machine Execution Under an Untrusted Management OS

Domain save/restore


Page 16: Secure Virtual Machine Execution Under an Untrusted Management OS

Domain save/restore (Contd.)

[Figure: Dom0, the Xen layer, DomU memory (Page1 … Page5) and storage; in the original save path the DomU pages pass through the Xen layer to Dom0 and are written to storage as-is (Page1, Page2, Page3 shown in the clear)]

Page 17: Secure Virtual Machine Execution Under an Untrusted Management OS

Domain save/restore (Contd.)

[Figure: Dom0, the Xen layer, DomU memory (Page1 … Page5) and storage; in the modified save path each page passes through the Xen layer, which attaches a hash (Page1 + Hash, Page3 + Hash shown) and renders the page content unreadable (Page3 shown scrambled, Page4 shown as garbage) before Dom0 writes it to storage]

Page 18: Secure Virtual Machine Execution Under an Untrusted Management OS

Outline (section divider, repeating the list on page 2)

Page 19: Secure Virtual Machine Execution Under an Untrusted Management OS

Implementation & results

  • Modification of the Xen system only affects domain build, save and restore
  • Normal work in DomU has little performance degradation

Page 20: Secure Virtual Machine Execution Under an Untrusted Management OS

Outline (section divider, repeating the list on page 2)

Page 21: Secure Virtual Machine Execution Under an Untrusted Management OS

Security analysis

A malicious Dom0 in the original Xen system may:
  • Access any memory page of DomU and read its content
  • Access any memory page of DomU and change its content
  • Arbitrarily start and shut down the domain, and thus control the availability of all VMs

We successfully solved the first two security concerns, with a small execution time overhead
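The following Python model is an added example, not code from the slides or from the authors' Xen modification. It illustrates the save/restore flow sketched on pages 15-17 and the two properties claimed in the security analysis: a trusted Xen layer seals each DomU page before the untrusted Dom0 gets to store it, so Dom0 can neither read page content nor alter it without the restore path noticing. The slides name no cipher or hash, so the cipher (an HMAC-SHA256 keystream in counter mode), the encrypt-then-MAC tag, the binding of domain id and page number into the tag, and the sample pages are all assumptions of this example.

```python
import hashlib
import hmac
import os

PAGE_SIZE = 64  # tiny pages keep the demo readable; real pages are 4 KiB (assumption)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real cipher (assumption)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class XenLayer:
    """Trusted hypervisor side: the only holder of the domain's keys (hypothetical model)."""

    def __init__(self, domain_key: bytes):
        self.enc_key = hmac.new(domain_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(domain_key, b"mac", hashlib.sha256).digest()

    @staticmethod
    def _header(domain_id: int, page_no: int, nonce: bytes) -> bytes:
        # Binding domain and page number into the tag stops Dom0 from swapping
        # sealed pages between slots or domains (design choice, not from the slides).
        return domain_id.to_bytes(4, "big") + page_no.to_bytes(4, "big") + nonce

    def seal_page(self, domain_id: int, page_no: int, content: bytes) -> dict:
        """Save path: encrypt-then-MAC one page before Dom0 sees it."""
        nonce = os.urandom(16)
        ct = _xor(content, _keystream(self.enc_key, nonce, len(content)))
        tag = hmac.new(self.mac_key, self._header(domain_id, page_no, nonce) + ct,
                       hashlib.sha256).digest()
        return {"domain": domain_id, "page": page_no, "nonce": nonce, "ct": ct, "tag": tag}

    def unseal_page(self, domain_id: int, page_no: int, rec: dict):
        """Restore path: verify the tag for the slot being restored, then decrypt.
        Returns the plaintext page, or None if Dom0 altered or swapped the record."""
        expected = hmac.new(self.mac_key,
                            self._header(domain_id, page_no, rec["nonce"]) + rec["ct"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return None
        return _xor(rec["ct"], _keystream(self.enc_key, rec["nonce"], len(rec["ct"])))


def save_domain(xen: XenLayer, domain_id: int, pages: list) -> list:
    """What Dom0 receives for storage: sealed records only."""
    return [xen.seal_page(domain_id, i, p) for i, p in enumerate(pages)]


def restore_domain(xen: XenLayer, domain_id: int, records: list):
    """Returns (restored pages, page numbers that failed verification)."""
    restored, bad = [], []
    for i, rec in enumerate(records):
        pt = xen.unseal_page(domain_id, i, rec)
        restored.append(pt)
        if pt is None:
            bad.append(i)
    return restored, bad


# Constructed sample: a five-page DomU holding a recognisable secret string.
SAMPLE_PAGES = [
    (b"Page%d " % i + b"TOP-SECRET-KEY " * 3).ljust(PAGE_SIZE, b"\0")
    for i in range(5)
]


def demo() -> dict:
    xen = XenLayer(domain_key=os.urandom(32))
    records = save_domain(xen, 7, SAMPLE_PAGES)

    # Confidentiality: a Dom0 scanning the stored records finds no plaintext.
    leaked = any(b"TOP-SECRET" in r["ct"] for r in records)

    # Honest save/restore round-trips exactly.
    restored, bad = restore_domain(xen, 7, records)
    roundtrip_ok = restored == SAMPLE_PAGES and bad == []

    # Integrity: a Dom0 flips one byte of page 2 and swaps pages 1 and 3 in storage.
    tampered = [dict(r) for r in records]
    ct = bytearray(tampered[2]["ct"])
    ct[0] ^= 0x01
    tampered[2]["ct"] = bytes(ct)
    tampered[1], tampered[3] = tampered[3], tampered[1]
    _, bad = restore_domain(xen, 7, tampered)

    return {"leaked": leaked, "roundtrip_ok": roundtrip_ok, "bad_pages": bad}


if __name__ == "__main__":
    print(demo())
```

Running the block reports `leaked: False`, `roundtrip_ok: True` and `bad_pages: [1, 2, 3]`: the flipped byte is caught by the tag, and the two swapped pages fail because the tag is bound to the slot they were saved from. The third concern on the slide, Dom0 controlling availability, is deliberately not modelled, since the slides leave it unsolved.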

Page 22: Secure Virtual Machine Execution Under an Untrusted Management OS

Outline (section divider, repeating the list on page 2)

Page 23: Secure Virtual Machine Execution Under an Untrusted Management OS

Conclusion

  • Virtualization technology can both benefit and undermine computer security in different ways
  • One of the fundamental security concerns of virtualization-based architecture is that the TCB of a VM is too large
  • A protection mechanism for the Xen virtualization system is proposed, which successfully excludes the management domain from the TCB with small execution time overhead

Page 24: Secure Virtual Machine Execution Under an Untrusted Management OS

Thank you!