Upload
vivekbhat
View
376
Download
2
Embed Size (px)
DESCRIPTION
Citation preview
Bryan Nairn, CISSP Senior Manager, Trustworthy Computing Microsoft Corporation [email protected]
Why should I care? Server virtualization is now a given in the majority of
enterprise datacenters – source IDC
The virtual server and virtual server management software market is forecast to reach a market opportunity of approximately $4.1 billion by 2014. This represents a CAGR of 13.1%. – source IDC
Over 40% of production virtual machines will be less secure than their physical counterparts through 2014 – source Gartner
Virtualization powers the cloud
Private Cloud
• Mimics public cloud
• Benefits enterprise users
• Highly virtualized
• Strings together IT infrastructure into resources pools
Public Cloud
• Available to anyone with a network connection
• Pay-as-you-go
• Multi-tenant and virtualized
• Self-service portals
Virtualization is a good thing!
“I only have to patch my host OS / Kernel”
“If I protect my Host machine, it will protect my VMs.”
“Virtual Hard Disk files are secure by default.”
“If you expose the virtual machine, you have to expose all virtual machines and the host.”
“All virtual machines can see each other.”
“I don’t need Anti-Virus with Virtualization”
Some Common VM Security Myths
Protection Rings
Server Hardware
Windows Kernel
Virtualization Service
Providers (VSPs)
Primary Partition
VM Service
Child Partitions
Windows hypervisor
Applications
Ring “-1”
MinWin
IHV Drivers
VMBus
WMI Provider
VM Worker Processes
Ring 0
Ring 3
Virtualization Service Clients (VSCs)
VMBus
Virtualization Stack
Guest OS Kernel
Enlightenments
Virtualization Architecture- Hypervisor
Guests are untrusted
Trust relationships Parent must be trusted by hypervisor
Parent must be trusted by children
Hypercall interface will be well documented and widely available to attackers
All hypercalls can be attempted by guests
Can detect you are running on a hypervisor + version
The internal design of the hypervisor will be well understood
Hypervisor Security Assumptions
Hypervisor Security Goals
Strong isolation between partitions
Protect confidentiality and integrity of guest data
Separation Unique hypervisor resource pools per guest
Separate worker processes per guest
Guest-to-parent communications over unique channels
Non-interference Guests cannot affect the contents of other guests, parent, hypervisor
Guest computations protected from other guests
Guest-to-guest communications not allowed through VM interfaces
Hyper-V Isolation
No sharing of virtualized devices
Separate VMBus per VM to the parent
No sharing of memory
Each has its own address space
VMs cannot communicate with each other, except through traditional networking
Guests can’t perform DMA attacks because they’re never mapped to physical devices
Guests cannot write to the hypervisor
Parent partition cannot write to the hypervisor
Hypervisor has separate address space
Guest addresses != Hypervisor addresses
No 3rd party code in the Hypervisor
Limited number of channels from guests to hypervisor
No “IOCTL”-like things
Guest to guest communication through hypervisor is prohibited
No shared memory mapped between guests
Guests never touch real hardware I/O
Hyper-V Security Hardening
Uses Authorization Manager (AzMan) Fine grained authorization and access
control Department and role based Segregate who can manage groups of
VMs
Define specific functions for individuals or roles Start, stop, create, add hardware,
change drive image
VM administrators don’t have to be Server 2008 administrators
Guest resources are controlled by per VM configuration files
Shared resources are protected Read-only (CD ISO file) Copy on write (differencing disks)
Hyper-V Security Model
Host Hardware
Virtual Machine Host OS
Virtual Machine Hard Disk Files
Virtual Machine Configuration Files
Remote Management/Control interfaces
Guest Operating System
Virtual Networks
Virtualization Attack Vectors
Host Compromise for
Deployment, Duplication and Deletion
Control of Virtual Machines
Direct Code / File injection to Virtualization File Structure Virtual Hard Disks
Virtual Configuration Files
Time Sync
Hardware
Rootkits / Malware
Drivers (Attack Surface / Stability)
Common Attacks: Host
It’s all about the what’s underneath…
All Virtualization Solutions include some form of remote control. Access to these tools should be limited.
Limit scope of access / control
Protect the remote control mechanisms! Use limited use accounts for control
Make sure the connections are encrypted / authenticated (SSL, RDP over SSL)
Use logging
VM VM VM
VM
VM VM
VM
VM VM VM
VM VM VM
VM VM
VM VM VM
VM
VM VM VM VM
VM
Use Remote Management
.vhd disk file – In folder you specify
in settings
.vhdd disk file – In folder you specify
in settings
.vud disk file – In vmc-file folder
.vsv disk file – In vmc-file folder
File Types and Locations
Common Attacks: Guest
Unpatched Virtual Machines
Older Operating Systems
Test or Development machines (these often are not managed in the same way as production machines)
Un-managed or user deployed virtual machines
Backups and archives
<hardware> <memory> <ram_size type="integer">256</ram_size> </memory> ... <pci_bus> <ethernet_adapter> <controller_count type="integer">2</controller_count> </ethernet_adapter> </pci_bus> </hardware>
Guest Attacks The Virtualization File Structure
Virtual Hard Disks
File / Code Injection
Can be Directly Mounted / accessed
Virtual Configuration Files
Base Configuration changes
Redirection / addition of Virtual drives / Resoures
BIOS
VHD Redirection
Is this is one of the next big attack vectors on the horizon?
The VM industry is focused on securing the VMs from attack. Very little thought of VMs being used as the attacker.
Cases are starting to appear where people use VMs to attack, then shutdown the VM to remove any trace of evidence.
Threat Landscape: Virtualized Attackers?
But we do write all events to the SysLog
Things that go into drive slack are recoverable using forensics tools
We still have network traces…
…and audit logs
…and firewall and router logs
…not to mention video cameras in the server room.
Threat Landscape: Virtualized Attackers?
Defending Yourself
Harden the Host Servers
Where a Hypervisor or Specialist Kernel is used, the Host attack surface is smaller, however updating and patching is still required.
Use single role servers and remove unwanted and un-necessary services / attack vectors
Use a local firewall and only allow limited host control / management ports over encrypted and authenticated channels.
Use limited scope admin accounts with strong passwords
Protect the Virtual Machine files
Access Control Lists (limited to the security context for the users who manage them and the services that control them.
Encryption
Disk / Volume / Folder / File
Auditing
file access, creation, deletion …
Don’t forget the backup files / archives
Host Attacks: Potential Solutions
Harden the Guest Operating Systems
Treat the guest OS as if it was a physical machine
Isolate the machine with Virtual Networks / VLANs
Local Only Access
NAT
Segmented networks
IPSec Isolation
Physical Isolation (Separate NICs)
Guest Attacks: Potential Solutions
Use Access Control Lists
Deny
• Cannot modify VMC file
• Will not appear in web console or VMRC
Read-only
• See the VM in web console and VRMC
• Can interact with VM
• Cannot start, stop, pause or resume VMs
Read/Write
• See the VM in web console and VMRC
• Can interact with the VM
• Can start, stop, pause, resume VMs
Minimize risk to the Parent Partition Use Server Core
Don’t run arbitrary apps, no web surfing Run your apps and services in guests
Moving VMs from Virtual Server to Hyper-V FIRST: Uninstall the VM Additions
Two physical network adapters at minimum One for management (use a VLAN too)
One (or more) for vm networking
Dedicated iSCSI
Connect to back-end management network Only expose guests to internet traffic
Deployment Considerations
Parent partition Run AV software and exclude .vhd
Child partitions Run AV software within each VM
BitLocker Great for branch office
Can be used within a VM http://blogs.technet.com/virtualworld/archive/2008/02/16/using-
bitlocker-under-virtual-pc-virtual-server.aspx
Anti-Virus & BitLocker…
Conclusions
Reduce the attack surface on the Host
Use least privilege access
Audit the deployment, maintenance, control and access to virtual machines
Leverage backups, snapshots and redundancy to reduce impact of Host / Guest maintenance
Secure your Virtual Machine Hard Disk and configuration files, including backups and archives
Use Virtual Networks / VLANs / IPSec to Isolate machines, especially before they are exposed to the network.
Resources
Step-by-Step Guide to Getting Started with Hyper-V http://technet2.microsoft.com/windowsserver2008/en/library/c513e254-
adf1-400e-8fcb-c1aec8a029311033.mspx?mfr=true
Virtualization Team Blog http://blogs.technet.com/virtualization
Microsoft Virtualization Website http://www.microsoft.com/virtualization
Using BitLocker under Virtual PC / Virtual Server http://blogs.technet.com/virtualworld/archive/2008/02/16/using-bitlocker-
under-virtual-pc-virtual-server.aspx
We would all rather be doing something else..