virtual machine securitytrj1/cse443-s12/slides/cse443... · other issues 12 penn state systems and...
TRANSCRIPT
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Virtual Machine Security
CSE443 - Spring 2012Introduction to Computer and Network Security
Professor Jaegerwww.cse.psu.edu/~tjaeger/cse443-s12/
1
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Operating System Quandary• Q: What is the primary goal of system security?
• OS enables multiple users/programs to share resources on a physical device
• Q: What happens when we try to enforce Mandatory Access Control policies on UNIX systems
• Think SELinux policies
• What can we to do to simplify?
2
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Virtual Machines• Instead of using system
software to enable sharing, use system software to enable isolation
• Virtualization
• “a technique for hiding the physical characteristics of computing resources from the way in which others systems, applications, and end users interact with those resources”
• Virtual Machines
• Single physical resource can appear as multiple logical resources
3
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Virtual Machine Architectures• Full system simulation
• CPU can be simulated
• Paravirtualization (Xen)
• VM has a special API
• Requires OS changes
• Native virtualization (VMWare)
• Simulate enough HW to run OS
• OS is for same CPU
• Application virtualization (JVM)
• Application API
4
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Virtual Machine Types• Type I
• Lowest layer of software is VMM
• E.g., Xen, VAX VMM, etc.
• Type II
• Runs on a host operating system
• E.g., VMWare, JVM, etc.
• Q: What are the trust model issues with Type II compared to Type I?
5
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Virtual Machine Types
6
Penn State Systems and Internet Infrastructure Security Lab Page
Virtual Machine Monitor Approaches
Hardware!
Host OS!
VMM!
Guest OS 1! Guest OS 2!
App! App!
Hardware!
Host OS! VMM!
Guest OS 1! Guest OS 2!
App! App!
Hardware!
VMM!
Guest OS 1! Guest OS 2!
App! App!
Type 2 VMM! Type 1 VMM!Hybrid VMM!
JVM!CLR!
VMware Workstation!
MS Virtual Server!KVM!
VMware ESX!Xen!
MS Hyper-V!
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
VM Security• Isolation of VM computing
• Like a separate machine
7
VM VM
Virtual Machine Monitor
Physical Device Controls
Guest OS Guest OS
Partitioned Resources
DeviceRequests
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
VAX VMM System
8
Penn State Systems and Internet Infrastructure Security Lab Page 18
VAX VMM System • First system design to examine virtualization in the
context of information flow security!
• Virtualization mechanisms necessary to implement a reference validation mechanism that satisfies the reference monitor concept!
• Assure system design and implementation to the highest level – A1 level per the Orange Book!
• Control all system information flows according to MLS and Biba integrity policies (modulo exceptions in “privileges”)!
• Also, covert channel countermeasures were produced, approximating noninterference!
• System was piloted, but not released commercially!
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
VAX VMM System
9
Penn State Systems and Internet Infrastructure Security Lab Page
Virtualization Mechanisms • Key design tasks of secure VMM!
‣ Virtualize processor!
• All security-sensitive instructions must be mediated by VMM!
‣ VMM protection ring!
• VMM must be deployed in a more privileged protection ring than the VMs!
‣ I/O emulation!
• Privileged I/O tasks must be executed in VMM or trusted VM!
‣ Self-virtualizable!
• OS must not detect when running on a VMM (or VMMs)!
19
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Virtualizing Instructions
10
Penn State Systems and Internet Infrastructure Security Lab Page
Virtualize Processor • Security-Sensitive Instructions!
‣ Instructions that read or modify privileged system state!
• Privileged Instructions!
‣ Instructions that cause a trap when executed in a non- privileged ring!
• All security-sensitive instructions must be privileged to enable the VMM to manage privileged system state (rather than individual VMs)!
• This requirement was not met by VAX hardware nor x86 originally!
21
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
I/O Emulation
11
Penn State Systems and Internet Infrastructure Security Lab Page
I/O Emulation • Access to devices is expected by each operating
system, but this access is security-sensitive!
‣ Thus, devices are virtualized!
• Access to devices must be directed to the party with physical device access!
‣ Memory-mapped I/O uses unprivileged instructions!
• VAX VMM adds a layer of indirection!
‣ I/O interface that causes a trap!
‣ OS must be modified to use that interface (paravirtualize)!
22
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Other Issues
12
Penn State Systems and Internet Infrastructure Security Lab Page
Other Issues • Driver management!
‣ In VAX VMM, all drivers were in the VMM kernel!
‣ This was for assurance, but added code to VMM!
• Drivers are outside the VMM in most systems!
• DMA!
‣ Devices can use this mechanism to write to physical memory, but under guidance of untrusted VMs!
• VAX VMM trusted drivers, but not practical today!
• Performance – E.g., page table lookups!
23
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
VAX VMM System
13
Penn State Systems and Internet Infrastructure Security Lab Page
VAX VMM Design
20
Ultrix OS VMS OS
VMM Security Kernel
VMS OS
Applications(Top Secret)
Applications(Secret)
Applications(Unclassified)
MemoryDevice
DiskDevice
PrintDevice
DisplayDevice ...
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
NetTop• Isolated networks of VMs
• Alternative to “air gap” security
14
VM: Secret VM: Public
SELinux Host OS
Guest OS’ Guest OS’
VMWareMLS
VM: Secret VM: Public
SELinux Host OS
Guest OS’ Guest OS’
VMWareMLS
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Xen• Privileged VM
15
VM: DomU VM: DomU
Xen Hypervisor
Guest OS’ Guest OS’
Partitioned Resources
DeviceRequestsDom 0
Host OS’Drivers
VM Services
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Xen sHype• Controlled information flows among VMs
16
VM: DomU VM: DomU
Xen Hypervisor
Guest OS’ Guest OS’
Partitioned Resources
DeviceRequestsDom 0
Host OS’Drivers
VM Services
RefMon
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Xen sHype Policies• Type Enforcement over VM communications
• VM labels are subjects
• VM labels are objects
• How do VMs communicate in Xen?
• Grant tables: pass pages between VMs
• Event channels: notifications (e.g., when to pass pages)
• sHype controls these
• Q: What about VM communication across systems?
17
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Xen Security Modules• Comprehensive Reference Monitor interface for Xen
• Based on LSM ideas
• Includes about 57 “hooks” (more expected)
• Supports sHype hooks
• Plus, hooks for VM management, resource partitioning
• Another aim: Decompose domain 0
• Specialize kernel for privileged operations
• E.g., Remove drivers
18
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
IOMMU Role in the System
19
Penn State Systems and Internet Infrastructure Security Lab Page
IOMMU Role In System
Application!
Application!
System !Software!
RAM!
Application!
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
IOMMU Role in the System
20
Penn State Systems and Internet Infrastructure Security Lab Page
IOMMU Role In System
Application!
Application!
System !Software!
RAM!
Application!
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
IOMMU Role in the System
21
Penn State Systems and Internet Infrastructure Security Lab Page
IOMMU Role In System
Application!
Application!
System !Software!
RAM!
Application!
MMU!
control
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
IOMMU Role in the System
22
Penn State Systems and Internet Infrastructure Security Lab Page
IOMMU Role In System
Application!
Application!
System !Software!
RAM!
Peripheral!
Peripheral!
Peripheral!
Application!
MMU!
control
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
IOMMU Role in the System
23
Penn State Systems and Internet Infrastructure Security Lab Page
IOMMU Role In System
Application!
Application!
System !Software!
RAM!
Peripheral!
Peripheral!
Peripheral!
Application!
MMU!
IOM
MU!
control
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
I/O Device Assignment
24
Penn State Systems and Internet Infrastructure Security Lab Page
I/O Device Assignment
VM Guest 3!
VM Guest 2!RAM!
Peripheral!
Peripheral!
Peripheral!
VM Guest 1!
OS!Process!
Process! VM 1!
Hyp
ervi
sor!
Pare
nt !
VM
0!
control!IO
MM
U!
MMU!
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
VM Security Status
• Aim is simplicity
• Are we achieving this?
• Do we care what happens in the VMs?
• When might we care?
• Trusted computing base
• How does this compare to traditional OS?
25
Page CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger
Virtual Machine Threats
• How does the insertion of a virtual machine layer change the threats against the system?
26
Page CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger
Virtual Machine Rootkit
• Rootkit– Malicious software installed by an attacker on a system– Enable it to run on each boot
• OS Rootkits– Kernel module, signal handler, ...– When the kernel is booted, the module is installed and intercepts
user process requests, interrupts, etc.– E.g., keylogger
• VM Rootkit– Research project from Michigan and Microsoft– If security service runs in VM, then a rootkit in VMM can evade
security– E.g., Can continue to run even if the system appears to be off
27
CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Take Away• VM systems focus on isolation
• Enable reuse, but limited by security requirements
• Enable limited communication
• The policies are not trivial, but refer to coarser-grained objects
28