Page 1: Secure Virtual Machine Execution Under an Untrusted Management OS

Chunxiao Li, Anand Raghunathan, Niraj K. Jha

Page 2: Outline

Background: Security & Virtualization
Security challenges in virtualization-based architecture
A secure virtual machine execution environment
Implementation & results
Security analysis
Conclusion

Page 3: The goal of computer security

Computer security: a branch of information security applied to computers
Three objectives of information security: Confidentiality, Integrity, Availability
Confidentiality: Authentication, Authorization, Access control, Encryption/Decryption
Integrity: Data validation, One-way hash, Digital signature
Availability: Defending against DoS, Backup/restore, Load balancing

Page 4: What is virtualization?

Virtualization: technology for creating a software-controlled environment to allow program execution in it [1]

[1] http://www.ok-labs.com/virtualization-and-security/what-is-virtualization
[2] Barham et al., “Xen and the art of virtualization,” SOSP 2003

Page 5: Relationship between virtualization and security

On the one hand, virtualization can be utilized to enhance security:
Secure logging (Chen et al., 2001)
Terra architecture (Garfinkel et al., 2003)

On the other hand, virtualization also gives rise to several security concerns:
Scaling, transience, software lifecycle, diversity, mobility, identity and data lifetime [1]
Virtual machine-based rootkits (VMBR) [2]

[1] Garfinkel et al., “When virtual is harder than real,” HotOS 2005
[2] King et al., “SubVirt: Implementing malware with virtual machines,” IEEE S&P 2006

Page 6: Outline (repeated; next section: Security challenges in virtualization-based architecture)

Page 7: Security challenges in virtualization-based architecture

Our work tries to solve one of the fundamental security concerns in virtualization: the trusted computing base of a VM is too large.

Page 8: A security challenge of virtualization-based architecture

Trusted computing base (TCB): a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security [1]
Smaller TCB, more security
(Figure: components A, B and C, with the TCB marked as the small part security depends on)

[1] Lampson et al., “Authentication in distributed systems: Theory and practice,” ACM TOCS 1992

Page 9: A security challenge of virtualization-based architecture (Contd.)

Security challenge: the TCB for a VM is too large
(Figure: the desired smaller TCB versus the actual TCB)

Page 10: Xen architecture and the threat model

Management VM: Dom0
Guest VM: DomU
Dom0 may be malicious: vulnerabilities, device drivers, careless/malicious administration
Dom0 is in the TCB of DomU because it can access the memory of DomU, which may cause information leakage/modification

Page 11: Outline (repeated; next section: A secure virtual machine execution environment)

Page 12: Towards a secure execution environment for DomU

Scenario: a client uses the service of a cloud computing company to build a remote VM
A secure network interface
A secure secondary storage
A secure run-time environment: build, save, restore, destroy

Page 13: Towards a secure execution environment for DomU (Contd.)

A secure run-time environment is the most fundamental
The first two already have solutions: network interface: Transport Layer Security (TLS); secondary storage: Network File System (NFS)
The security mechanisms of the first two rely on a secure run-time environment
All the cryptographic algorithms and security protocols reside in the run-time environment

Page 14: Domain building

(Figure: building process)

Page 15: Domain save/restore

(Figure: save/restore process)

Page 16: Domain save/restore (Contd.)

(Figure: Dom0, DomU memory (Page1 to Page5), Storage and the Xen layer during save/restore)

Page 17: Domain save/restore (Contd.)

(Figure: the same components, with a Hash recorded by the Xen layer for the saved pages, e.g. Page1 and Page3)

Page 18: Outline (repeated; next section: Implementation & results)

Page 19: Implementation & results

Modification of the Xen system only affects domain build, save and restore
Normal work in DomU has little performance degradation

Page 20: Outline (repeated; next section: Security analysis)

Page 21: Security analysis

A malicious Dom0 in the original Xen system may:
Access any memory page of DomU and read its content
Access any memory page of DomU and change its content
Randomly start and shut down the domain, and thus control the availability of all VMs
We successfully solved the first two security concerns, with a small execution time overhead
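Pages 16 and 17 show the Xen layer recording a hash per page during save/restore, and page 21 names the two concerns the mechanism addresses (Dom0 reading or changing DomU pages). The following is an added model of that protection, not the paper's code: HMAC-SHA256 serves both as the per-page keyed hash and as a CTR-style masking keystream, and the record layout and the Dom0 scenarios are assumptions (a production hypervisor would use an authenticated cipher such as AES-GCM).

```python
import hashlib
import hmac
import os

class XenLayer:
    def __init__(self, key=None):
        self.key = key or os.urandom(32)  # stays inside the hypervisor; Dom0 never sees it

    def _prf(self, label, nonce, index, data=b""):
        # One keyed function, domain-separated by label and bound to the page index
        msg = label + nonce + index.to_bytes(4, "big") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def _mask(self, nonce, index, data):
        # CTR-style confidentiality transform: XOR with PRF blocks (the same call decrypts)
        blocks = (self._prf(b"enc", nonce, index, bytes([c])) for c in range((len(data) + 31) // 32))
        return bytes(x ^ y for x, y in zip(data, b"".join(blocks)))

    def save(self, pages):
        """Domain save: (ciphertext, keyed hash) per page; list position is the page index."""
        nonce = os.urandom(16)  # fresh per save, so equal pages look different each save
        cts = [self._mask(nonce, i, p) for i, p in enumerate(pages)]
        return nonce, [(ct, self._prf(b"mac", nonce, i, ct)) for i, ct in enumerate(cts)]

    def restore(self, nonce, records):
        """Domain restore: every record is checked before any page reaches the new DomU."""
        for i, (ct, tag) in enumerate(records):
            if not hmac.compare_digest(tag, self._prf(b"mac", nonce, i, ct)):
                raise ValueError(f"page {i} was altered or swapped while in Dom0/storage")
        return [self._mask(nonce, i, ct) for i, (ct, _) in enumerate(records)]

    def accepts(self, nonce, records):
        try:
            return self.restore(nonce, records) is not None
        except ValueError:
            return False


def dom0_scenarios(pages):
    """Constructed Dom0 behaviours: honest save/restore, one flipped byte, two swapped pages."""
    xen = XenLayer()
    nonce, records = xen.save(pages)
    flipped, swapped = list(records), list(records)
    ct, tag = flipped[2]
    flipped[2] = (bytes([ct[0] ^ 0x01]) + ct[1:], tag)  # Dom0 changes one saved byte
    swapped[0], swapped[1] = swapped[1], swapped[0]      # Dom0 reorders two saved pages
    return {"honest_ok": xen.restore(nonce, records) == pages,
            "plaintext_visible": any(ct == p for (ct, _), p in zip(records, pages)),
            "flip_detected": not xen.accepts(nonce, flipped),
            "swap_detected": not xen.accepts(nonce, swapped)}
```

Binding the keyed hash to the page index is what makes the swap scenario fail; a hash over page content alone would let Dom0 reorder pages undetected.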

Page 22: Outline (repeated; next section: Conclusion)

Page 23: Conclusion

Virtualization technology can both benefit and undermine computer security in different ways
One of the fundamental security concerns of virtualization-based architecture is that the TCB of a VM is too large
A protection mechanism in the Xen virtualization system is proposed, which successfully excludes the management domain from the TCB with small execution time overhead

Page 24: Thank you!