
Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.


1 Secure Virtual Machine Execution Under an Untrusted Management OS
Chunxiao Li, Anand Raghunathan, Niraj K. Jha

2 Outline
- Background: Security & Virtualization
- Security challenges in virtualization-based architecture
- A secure virtual machine execution environment
- Implementation & results
- Security analysis
- Conclusion

3 The goal of computer security
- Computer security: a branch of information security applied to computers
- Three objectives of information security:
  - Confidentiality: authentication, authorization, access control, encryption/decryption
  - Integrity: data validation, one-way hash, digital signature
  - Availability: defending against DoS, backup/restore, load balancing

4 What is virtualization?
- Virtualization: technology for creating a software-controlled environment to allow program execution in it [1]
[1] http://www.ok-labs.com/virtualization-and-security/what-is-virtualization
[2] Barham et al., “Xen and the art of virtualization,” SOSP 2003

5 Relationship between virtualization and security
- On the one hand, virtualization can be utilized to enhance security
  - Secure logging (Chen et al., 2001)
  - Terra architecture (Garfinkel et al., 2003)
- On the other hand, virtualization also gives rise to several security concerns
  - Scaling, transience, software lifecycle, diversity, mobility, identity and data lifetime [1]
  - Virtual machine-based rootkits (VMBR) [2]
[1] Garfinkel et al., “When virtual is harder than real,” HotOS 2005
[2] King et al., “SubVirt: Implementing malware with virtual machines,” IEEE S&P 2006


7 Security challenges in virtualization-based architecture
- Our work tries to solve one of the fundamental security concerns in virtualization: the trusted computing base of a VM is too large

8 A security challenge of virtualization-based architecture
- Trusted computing base (TCB): a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security [1]
- Smaller TCB -> more security
(Figure: components labelled A, B and C, and the TCB)
[1] Lampson et al., “Authentication in distributed systems: Theory and practice,” ACM TOCS 1992

9 A security challenge of virtualization-based architecture (Contd.)
- Security challenge: the TCB for a VM is too large
(Figure: smaller TCB vs. actual TCB)

10 Xen architecture and the threat model
- Management VM – Dom0
- Guest VM – DomU
- Dom0 may be malicious
  - Vulnerabilities
  - Device drivers
  - Careless/malicious administration
- Dom0 is in the TCB of DomU because it can access the memory of DomU, which may cause information leakage/modification


12 Towards a secure execution environment for DomU
- Scenario: a client uses the service of a cloud computing company to build a remote VM
  - A secure network interface
  - A secure secondary storage
  - A secure run-time environment
    - Build, save, restore, destroy

13 Towards a secure execution environment for DomU (Contd.)
- A secure run-time environment is the most fundamental
- The first two already have solutions:
  - Network interface: Transport Layer Security (TLS)
  - Secondary storage: Network File System (NFS)
- The security mechanisms of the first two rely on a secure run-time environment
  - All the cryptographic algorithms and security protocols reside in the run-time environment

14 Domain building
(Figure: building process)

15 Domain save/restore

16 Domain save/restore (Contd.)
(Figure: DomU memory (Page1 to Page5), Dom0, the Xen layer and storage; on save, pages Page1 to Page3 pass through Dom0 to storage as plain pages)

17 Domain save/restore (Contd.)
(Figure: DomU memory (Page1 to Page5), Dom0, the Xen layer and storage; with the protection mechanism, each page leaves the Xen layer transformed (Page3 appears as “3egap”) together with a hash)
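As an added illustration of the save/restore path shown on the two slides above (example code, not from the paper or from Xen), this Python simulation plays the roles of the Xen layer and an untrusted Dom0: the hypervisor seals each DomU page with a key Dom0 never sees and attaches an integrity tag bound to the VM and page slot, so Dom0 can store the image but cannot read it, alter a page, or reorder pages without the restore failing. The primitives (a SHA-256 keystream and HMAC-SHA256), the VM id and the page contents are assumptions constructed for the example.

```python
import hashlib
import hmac
import os


class XenLayer:
    """Trusted layer below Dom0: holds the per-VM key, seals pages on save and
    checks them on restore. Stand-in primitives assumed for this example only
    (SHA-256 keystream for toy pages of up to 32 bytes, HMAC-SHA256 tag)."""

    def __init__(self, vm_id):
        self.vm_id = vm_id
        self.key = os.urandom(32)  # never exposed to Dom0

    def _ctx(self, index):
        # Binds a page to its VM and slot, so Dom0 cannot reorder or replay pages.
        return self.vm_id + index.to_bytes(8, "big")

    def _xor(self, index, data):
        ks = hashlib.sha256(self.key + b"enc" + self._ctx(index)).digest()
        return bytes(a ^ b for a, b in zip(data, ks))

    def seal_page(self, index, page):
        ct = self._xor(index, page)
        tag = hmac.new(self.key, self._ctx(index) + ct, hashlib.sha256).digest()
        return ct + tag  # what Dom0 sees and writes to storage

    def unseal_page(self, index, blob):
        ct, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self.key, self._ctx(index) + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"page {index}: integrity check failed")
        return self._xor(index, ct)


def restore_domain(xen, storage):
    """Restore: the DomU pages, or None if any page fails verification."""
    try:
        return [xen.unseal_page(i, b) for i, b in enumerate(storage)]
    except ValueError:
        return None


def demo():
    xen = XenLayer(b"domU-7")
    memory = [b"Page1 key=0xC0FE", b"Page2 key=0xBEEF", b"Page3 key=0xF00D"]  # constructed
    storage = [xen.seal_page(i, p) for i, p in enumerate(memory)]  # save via Dom0
    bitflip = storage[:]
    bitflip[1] = bytes([bitflip[1][0] ^ 1]) + bitflip[1][1:]  # Dom0 alters Page2
    swapped = [storage[2], storage[1], storage[0]]  # Dom0 reorders the image
    return {"plaintext_visible": any(p in s for p, s in zip(memory, storage)),
            "restore_ok": restore_domain(xen, storage) == memory,
            "bitflip_detected": restore_domain(xen, bitflip) is None,
            "swap_detected": restore_domain(xen, swapped) is None}
```

The third slide bullet (Dom0 controlling availability by starting and stopping domains) is deliberately outside what this check can cover, matching the paper's own scope.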


19 Implementation & results
- Modification of the Xen system only affects domain build, save and restore
- Normal work in DomU has little performance degradation


21 Security analysis
- A malicious Dom0 in the original Xen system may:
  - Access any memory page of DomU and read its content
  - Access any memory page of DomU and change its content
  - Randomly start and shut down the domain, and thus control the availability of all VMs
- We successfully solved the first two security concerns, with a small execution time overhead


23 Conclusion
- Virtualization technology can both benefit and undermine computer security in different ways
- One of the fundamental security concerns of virtualization-based architecture is that the TCB of a VM is too large
- A protection mechanism for the Xen virtualization system is proposed that excludes the management domain from the TCB with small execution time overhead

24 Thank you!

