virtualization_security_features.pdf

Upload: saurav-demta

Post on 03-Apr-2018

    What security features are appropriate for virtualization technology?

    John McDermott

    Virtualization Security Workshop

    NRL

    ACSAC 24

    Organization of this talk

    Scope / meaning of virtualization

    Security features for virtualization technology (VT) per se

    Security features that make sense for complete products that include virtualization but ... should not be implemented by VT

    Security features that you might support with virtualization

    What is virtualization technology?

    virtual is the new good

    structured

    object-oriented

    open

    distributed

    web-based

    service-oriented

    We restrict this talk to virtual machine monitors

    Hypervisor/VMM - software that virtualizes complete hardware platforms to run operating systems

    Type I or Type II (more later)

    a virtualization product may include a VMM

    a product may include features not implemented within the VMM per se

    Robustness and threat model

    Since security is never perfect, it should always be described in terms of threat model and robustness.

    Understanding these concepts can save you money.

    Robustness I

    Our understanding of security flaws that may remain after a product is developed

    Robustness = strength of mechanism + assurance

    Strength of mechanism is about conceptual flaws present even in perfect implementations, e.g. Caesar cipher

    Assurance is about development practices and assurance measures taken to address flaws that are not conceptual

    Robustness II

    A low-strength / high-assurance solution can be broken through its conceptual flaws

    A high-strength / low-assurance solution can be broken through its implementation flaws

    Low/low can be broken either way

    High/high is expensive to defeat

    VMM Robustness II

    If a VMM is to have all of its guests connected to the same network ...

    ... then the VMM does not need to be any more robust than its guests ...

    ... because the guests can all be attacked via the common network.

    Sensitive instructions

    sensitive instructions can affect processor mode, memory maps, DMA, interrupt handling ... i.e. VMM control

    privileged instructions cause a trap into the VMM code

    sensitive instructions should be a subset of privileged instructions

    guests should execute innocuous instructions directly

    define Type I and Type II VMMs: how does the VMM get the trap?
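
The subset condition on this slide, as an added example that is not part of the original talk: a toy trap-and-emulate model showing what a guest observes when a sensitive instruction does not trap. The instruction table is a constructed, simplified subset modelled on classic 32-bit x86 without hardware virtualization support; `ToyVMM`, `patched` and the register values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instr:
    name: str
    sensitive: bool    # affects or reveals mode, memory maps, interrupt state
    privileged: bool   # traps when executed by a deprivileged guest

# Constructed, simplified table modelled on classic 32-bit x86 without
# hardware virtualization support; illustrative, not exhaustive.
CLASSIC_X86 = [
    Instr("ADD", False, False),
    Instr("LGDT", True, True),
    Instr("LIDT", True, True),
    Instr("MOV CR3", True, True),
    Instr("SGDT", True, False),
    Instr("SIDT", True, False),
    Instr("SMSW", True, False),
    Instr("POPF", True, False),
]

def holes(isa):
    """Sensitive instructions that never trap (subset condition violated)."""
    return sorted(i.name for i in isa if i.sensitive and not i.privileged)

def patched(isa):
    """Hypothetical revised ISA in which every sensitive instruction traps."""
    return [Instr(i.name, i.sensitive, i.sensitive or i.privileged) for i in isa]

class ToyVMM:
    """Trap-and-emulate model tracking one register: the GDT base."""
    def __init__(self, isa, host_gdtr=0xFFFF0000):
        self.isa = {i.name: i for i in isa}
        self.real_gdtr = host_gdtr   # hardware register, owned by the VMM
        self.virt_gdtr = 0           # this guest's virtual copy
        self.traps = 0

    def guest_exec(self, name, operand=None):
        if self.isa[name].privileged:        # trap: emulate on virtual state
            self.traps += 1
            if name == "LGDT":
                self.virt_gdtr = operand
            return self.virt_gdtr if name == "SGDT" else None
        if name == "SGDT":                   # no trap: hardware answers
            return self.real_gdtr
        return None                          # other non-trapping instrs: not modelled

def guest_sees_own_gdt(isa, base=0x1000):
    """Guest loads a GDT base, reads it back; returns (consistent?, trap count)."""
    vmm = ToyVMM(isa)
    vmm.guest_exec("LGDT", base)
    return vmm.guest_exec("SGDT") == base, vmm.traps
```

With the classic table the guest reads back the VMM's real descriptor-table base instead of its own, so the descriptor-table state is no longer separated; once every sensitive instruction traps, the read is emulated and the guest's view is consistent.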

    VMM security features: separation

    program counter / flags

    registers

    cache

    descriptor tables

    main memory

    interrupts

    ACPI

    boot firmware (e.g. BIOS)

    TPM

    VMM security features: sharing

    simple network-based abstractions: IP packets, Ethernet frames

    high-level guest-based abstractions: file systems, windows, disks, desktops

    You are using virtualization to ... ?

    Share hardware execution environments

    Remove (hide) undesirable hardware features

    Add (virtualize) desirable hardware features

    Product security features that should not be implemented in the VMM

    most network security

    measurement, including TPM

    cryptographic features, including TPM

    intrusion detection

    identification or authentication

    RBAC

    More research is needed on how to implement these outside of the VMM

    Interesting security features that can be well-supported by virtualization

    Measurement

    Attack space reduction

    Multiple single-level information-flow security