Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ian Pratt SVP, Products Bromium Inc.

Published byDalia Hallock Modified over 10 years ago

Similar presentations

Presentation on theme: "Ian Pratt SVP, Products Bromium Inc."— Presentation transcript:

1 Ian Pratt SVP, Products Bromium Inc.
.org µ-Xen Ian Pratt SVP, Products Bromium Inc.

2 Architecture and implementation Evolutionary path
Outline µ-Xen Goals Architecture and implementation Evolutionary path Use case: Bromium end-point security

3 The µ-Xen Client Hypervisor
Derived from the Xen code base Designed to address client hypervisor deployment challenges Designed to achieve a high-degree of security assurance No requirement to support legacy s/w or h/w Optimized to support micro-virtualization Evolution to a new class of hypervisor

4 Evolution to a new class of hypervisor
Start with a self-contained type-2 Host kernel module containing µ-Xen blob Well-defined interface to/from the host Memory allocation, Schedule VCPUs, Timers, Events Similar to hXen project Windows, OS X; easily portable µ-Xen drives VT hardware, leaves IO and other hardware to host OS

5 µ-Xen streamlines Xen code base
x64 only No support for systems that are not VTx/EPT or AMDV/NPT capable No support for PV MMU guests Significant code size reductions No compat code Separate build target Future: slim down instruction emulator

6 µ-Xen virtual IO µ-Xen demultiplexes IORecs and events to multiple host processes per VM Able to have separate video, audio, disk, net etc processes Helps scheduling latency, enables better exploitation mitigation lock-down Use just the relevant parts of QEMU User-space PV backend drivers Post-boot virtual IO device revocation

7 Support for large numbers of similar VMs
Support for VM fork Simple extension of Populate on Demand code Tree of templates/VMs supported PV driver support for re-sharing free pages IO tracking to re-share swapped and re-read pages

8 Evolution to a new class of hypervisor
Goal: host is responsible for resource allocation, but can not interfere with the privacy or integrity of the hypervisor or other guests, e.g.: Hypervisor asks host for memory, receives it, then removes host access to it Host may perform IO on behalf of hypervisor and guests, but must be privacy and integrity protected Host may deny service, crash; IO tamper detectable

9 De-privilege host into a VT container
Remove host access to hypervisor and guest memory in EPT tables h/w devices passed through to host, VTd protected Device models can only access Granted memory Require PV network and disk as no virtual DMA Guest IO buffers encrypted/authenticated before grant copy/map Save/restore, dom builder must first have guest memory encrypted/authenticated by hypervisor Hypervisor paging requires similar treatment

10 Further Enhanced Security
Migrate certain host h/w devices to ownership by hypervisor or privileged guest(s), replace with virtual device E.g. Keyboard controller to avoid key logging Possibly WiFi/NIC too Measured launch of hypervisor TXT/TPM to establish DRoT Remote attestation of hypervisor configuration

11 Task-based Micro-virtualization
11

12 The Challenge !

13 What Went Wrong? Poor Isolation leads to Vulnerability
Multi-tenancy of code (& data) from a huge set of trust sources Code & Data are executed in the context of a few, weakly organized and poorly isolated “bins” representing levels of trust - e.g. UID, GID, PID Overloaded, complex specs & buggy implementations of porous interfaces Thus malware can: Access data and documents in the same “bin” Subvert other good code that is placed into the same “bin” Use another bug in an App or OS to elevate its privilege

14 Why Legacy Security Solutions Fail
Black-listing: Detection is not protection Doesn’t protect users from zero day attacks Unable to detect targeted & advanced malware White-listing: Restriction is not protection Users want to be productive Attackers can compromise trusted applications and web sites dynamic content cannot be blacklisted malicious content can compromise whitelisted apps

15 The Challenge How do we plan for the unknown threat?
What do we do about human mistakes? Bromium Confidential

16 The Micro-Virtualization Approach
Next generation endpoint security A pragmatic approach to trusted computing Based on hardware based isolation and not detection Contain risky activity from corporate data and network Block zero day and polymorphic threats Provides isolation & trust through hardware virtualization

17 Micro-Virtualization
Lightweight, fast, hidden, with an unchanged native UX Virtualizes vulnerable tasks within a single Windows desktop Hypervisor Small code base for maximum security I/O Virtualization (VT-d) TXT & TPM based hardware root of trust Hardware Virtualization (VT-x)

18 Windows and IT provisioned apps are trusted
The Microvisor isolates vulnerable tasks from Windows, each other & key system resources Windows and IT provisioned apps are trusted Micro-VMs have “least privilege” access to files, networks & devices, and execute CoW Microvisor Each vulnerable task is instantly isolated in a micro-VM, invisible to the user Kernel OS Libs Apps

19 Demo

20 Key Threat Vectors Are Isolated
Web Browsing External Documents Attachments USB files

21 µ-Xen is targeted at client systems
Conclusions µ-Xen is targeted at client systems Combines ease of deployment with useful security properties Enables task-based micro-virtualization, allowing mandatory access control to be retrofitted to commodity client OSes We’re hiring! Please

Download ppt "Ian Pratt SVP, Products Bromium Inc."

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Remus: High Availability via Asynchronous Virtual Machine Replication

Remus: High Availability via Asynchronous Virtual Machine Replication
Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
Content Overview Virtual Disk Port to Intel platform

Content Overview Virtual Disk Port to Intel platform
Virtualization Technology

Virtualization Technology
Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,

Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
Network Implementation for Xen and KVM Class project for E6998-01: Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)

Network Implementation for Xen and KVM Class project for E : Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)
KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.

KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.
CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.

CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.
The Origin of the VM/370 Time-sharing system Presented by Niranjan Soundararajan.

The Origin of the VM/370 Time-sharing system Presented by Niranjan Soundararajan.
Xen and the Art of Virtualization. Introduction  Challenges to build virtual machines Performance isolation  Scheduling priority  Memory demand  Network.

Xen and the Art of Virtualization. Introduction  Challenges to build virtual machines Performance isolation  Scheduling priority  Memory demand  Network.
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
E Virtual Machines Lecture 4 Device Virtualization

E Virtual Machines Lecture 4 Device Virtualization
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.

Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.

Similar presentations

Ads by Google