virtualization_security_features.pdf
7/28/2019 Virtualization_Security_Features.pdf
What security features are appropriate for virtualization technology?
John McDermott
-
Virtualization Security Workshop
NRL
ACSAC 24
Organization of this talk
Scope / meaning of virtualization
Security features for virtualization technology (VT) per se
Security features that make sense for complete products that include virtualization but ...
should not be implemented by VT
Security features that you might support with virtualization
-
What is virtualization technology?
virtual is the new good
structured
object-oriented
open
distributed
web-based
service-oriented
-
We restrict this talk to virtual machine monitors
Hypervisor/VMM - software that virtualizes complete hardware platforms to run operating systems
Type I or Type II (more later)
a virtualization product may include a VMM
a product may include features not implemented within the VMM per se
-
Robustness and threat model
Since security is never perfect, it should always be described in terms of threat model and robustness.
Understanding these concepts can save you money.
-
Robustness I
Our understanding of security flaws that may remain after a product is developed
Robustness = strength of mechanism + assurance
Strength of mechanism is about conceptual flaws present even in perfect implementations, e.g. Caesar cipher
Assurance is about development practices and assurance measures taken to address flaws that are not conceptual
-
Robustness II
A low-strength / high-assurance solution can be broken through its conceptual flaws
A high-strength / low-assurance solution can
be broken through its implementation flaws
Low/low can be broken either way
High/high is expensive to defeat
-
VMM Robustness II
If a VMM is to have all of its guests connected to the same network ...
... then the VMM does not need to be any more robust than its guests ...
... because the guests can all be attacked via the common network.
-
Sensitive instructions
sensitive instructions can affect processor mode, memory maps, DMA, interrupt handling ... i.e. VMM control
privileged instructions cause a trap into the VMM code
sensitive instructions should be a subset of privileged instructions
guests should execute innocuous instructions directly
define Type I and Type II VMMs: how does the VMM get the trap?
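The trap-and-emulate requirement on this slide, as an added example that is not part of the original talk: a toy VMM runs a deprivileged guest and shows what the guest observes when a sensitive instruction is not privileged. The instruction names, LEAKY_ISA, FIXED_ISA and ToyVMM are all hypothetical and constructed for illustration.

```python
# Constructed toy ISA (not a real instruction set): name -> (sensitive, privileged)
LEAKY_ISA = {
    "add":        (False, False),  # innocuous
    "load":       (False, False),  # innocuous
    "set_mode":   (True, True),    # sensitive and privileged: traps when deprivileged
    "map_memory": (True, True),
    "read_mode":  (True, False),   # sensitive but not privileged: never traps
}
FIXED_ISA = {**LEAKY_ISA, "read_mode": (True, True)}


def untrapped_sensitive(isa):
    """Instructions that break 'sensitive is a subset of privileged'."""
    return sorted(op for op, (sens, priv) in isa.items() if sens and not priv)


class ToyVMM:
    """Trap-and-emulate monitor; the guest kernel runs in real user mode."""

    def __init__(self, isa):
        self.isa = isa
        self.virtual_mode = "kernel"  # the mode the guest believes it is in
        self.trace = []               # (how, op) for every guest instruction

    def run_guest(self, program):
        """Execute guest ops and return what the guest observes for each."""
        observed = []
        for op in program:
            _, privileged = self.isa[op]
            if privileged:            # hardware traps, VMM emulates on virtual state
                self.trace.append(("trap", op))
                observed.append(self._emulate(op))
            else:                     # runs directly on the real processor
                self.trace.append(("direct", op))
                observed.append(self._hardware(op))
        return observed

    def _emulate(self, op):
        return self.virtual_mode if op == "read_mode" else "ok"

    def _hardware(self, op):
        return "user" if op == "read_mode" else "ok"  # real mode is user


def guest_view(isa, program=("add", "read_mode", "map_memory")):
    """What a guest kernel observes when run under a ToyVMM for this ISA."""
    return ToyVMM(isa).run_guest(list(program))
```

With LEAKY_ISA the guest reads the real processor mode without the VMM ever seeing the instruction; with FIXED_ISA the same read traps and the VMM returns the virtual mode.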
-
VMM security features: separation
program counter / flags
registers
cache
descriptor tables
main memory
interrupts
ACPI
boot firmware (e.g. BIOS)
TPM
-
VMM security features: sharing
simple network-based abstractions
  IP packets
  Ethernet frames
high-level guest-based abstractions
  file systems
  windows
  disks
  desktops
-
You are using virtualization to ... ?
Share hardware execution environments
Remove (hide) undesirable hardware features
Add (virtualize) desirable hardware features
-
Product security features that should not be implemented in the VMM
most network security
measurement, including TPM
cryptographic features, including TPM
intrusion detection
identification or authentication
RBAC
More research is needed on how to implement these outside of the VMM
-
Interesting security features that can be well-supported by virtualization
Measurement
Attack space reduction
Multiple single-level information-flow security