Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha.

Similar presentations


Presentation on theme: "Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha."— Presentation transcript:

1 Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha

2 Outline Background: Security & Virtualization Background: Security & Virtualization Security challenges in virtualization-based architecture Security challenges in virtualization-based architecture A secure virtual machine execution environment A secure virtual machine execution environment Implementation & results Implementation & results Security analysis Security analysis Conclusion Conclusion 1

3 The goal of computer security Computer security: a branch of information security applied to computers Computer security: a branch of information security applied to computers Three objectives of information security: Three objectives of information security: Confidentiality Confidentiality Integrity Integrity Availability Availability Integrity: Data validation, One-way Hash, Digital signature Availability: Defending DoS, Back up / restore, Load balancing Confidentiality : Authentication, Authorization, Access control, Encryption/ Decryption 2 against DoS,

4 What is virtualization? Virtualization: Technology for creating a software-controlled environment to allow program execution in it [1] Virtualization: Technology for creating a software-controlled environment to allow program execution in it [1] [1] [2] Barham et al., “Xen and the art of virtualization,” SOSP

5 Relationship between virtualization and security On the one hand, virtualization can be utilized to enhance security On the one hand, virtualization can be utilized to enhance security Secure logging (Chen et al., 2001) Secure logging (Chen et al., 2001) Terra architecture (Garfinkel et al., 2003) Terra architecture (Garfinkel et al., 2003) On the other hand, virtualization also gives rise to several security concerns On the other hand, virtualization also gives rise to several security concerns Scaling, transience, software lifecycle, diversity, mobility, identity and data lifetime [1] Scaling, transience, software lifecycle, diversity, mobility, identity and data lifetime [1] Virtual machine-based rootkits (VMBR) [2] Virtual machine-based rootkits (VMBR) [2] [1] Garfinkel et al., “When virtual is harder than real,” HTOS 2005 [2] King et al., “Subvirt: Implementing malware with virtual machines,” IEEE S&P

6 Outline Background: Security & Virtualization Background: Security & Virtualization Security challenges in virtualization-based architecture Security challenges in virtualization-based architecture A secure virtual machine execution environment A secure virtual machine execution environment Implementation & results Implementation & results Security analysis Security analysis Conclusion Conclusion 5

7 Security challenges in virtualization-based architecture 6 Our work tries to solve one of the fundamental security concerns in virtualization The trusted computing base of a VM is too large

8 A Security challenge of virtualization-based architecture Trusted computing base (TCB): a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security [1] Trusted computing base (TCB): a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security [1] Smaller TCB  more security Smaller TCB  more security A TCB [1] Lampson et al., “Authentication in distributed systems: Theory and practice,” ACM TCS B C

9 A Security challenge of virtualization-based architecture (Contd.) Security challenge : TCB for a VM is too large Security challenge : TCB for a VM is too large Smaller TCB Actual TCB 8

10 Xen architecture and the threat model Management VM – Dom0 Management VM – Dom0 Guest VM – DomU Guest VM – DomU Dom0 may be malicious Dom0 may be malicious Vulnerabilities Vulnerabilities Device drivers Device drivers Careless/malicious administration Careless/malicious administration Dom0 is in the TCB of DomU because it can access the memory of DomU, which may cause information leakage/modification Dom0 is in the TCB of DomU because it can access the memory of DomU, which may cause information leakage/modification 9

11 Outline Background: Security & Virtualization Background: Security & Virtualization Security challenges in virtualization-based architecture Security challenges in virtualization-based architecture A secure virtual machine execution environment A secure virtual machine execution environment Implementation & results Implementation & results Security analysis Security analysis Conclusion Conclusion 10

12 Towards a secure execution environment for DomU Scenario: A client uses the service of a cloud computing company to build a remote VM Scenario: A client uses the service of a cloud computing company to build a remote VM A secure network interface A secure network interface A secure secondary storage A secure secondary storage A secure run-time environment A secure run-time environment Build, save, restore, destroy Build, save, restore, destroy 11

13 Towards a secure execution environment for DomU (Contd.) A secure run-time environment is the most fundamental A secure run-time environment is the most fundamental The first two already have solutions: The first two already have solutions: Network interface: Transport layer security (TLS) Network interface: Transport layer security (TLS) Secondary storage: Network file system (NFS) Secondary storage: Network file system (NFS) The security mechanism in the first two rely on a secure run-time environment The security mechanism in the first two rely on a secure run-time environment All the cryptographic algorithms and security protocols reside in the run-time environment All the cryptographic algorithms and security protocols reside in the run-time environment 12

14 Domain building Building process Building process 13

15 Domain save/restore 14

16 Page3 Domain save/restore (Contd.) Dom0 Page1 Page2 Page3 Page4 Page5 DomU memory Storage Page1 Page2 Page3 S Xen Layer 15

17 Page3 Domain save/restore (Contd.) Dom0 Page1 Page2 Page3 Page4 Page5 DomU memory Storage Page1 Page2 Xen Layer Page1 Hash Page3 3egap Hash W S Page4 $ 16

18 Outline Background: Security & Virtualization Background: Security & Virtualization Security challenges in virtualization-based architecture Security challenges in virtualization-based architecture A secure virtual machine execution environment A secure virtual machine execution environment Implementation & results Implementation & results Security analysis Security analysis Conclusion Conclusion 17

19 Implementation & results Modification of Xen system only affects domain build, save and restore Modification of Xen system only affects domain build, save and restore Normal work in DomU has little performance degradation Normal work in DomU has little performance degradation 18

20 Outline Background: Security & Virtualization Background: Security & Virtualization Security challenges in virtualization-based architecture Security challenges in virtualization-based architecture A secure virtual machine execution environment A secure virtual machine execution environment Implementation & results Implementation & results Security analysis Security analysis Conclusion Conclusion 19

21 Security analysis Malicious Dom0 in original Xen system may: Malicious Dom0 in original Xen system may: Access any memory page of DomU and read its content Access any memory page of DomU and read its content Access any memory page of DomU and change its content Access any memory page of DomU and change its content Randomly start and shut down the domain, and thus control the availability of all VMs Randomly start and shut down the domain, and thus control the availability of all VMs We successfully solved the first two security concerns, with a small execution time overhead We successfully solved the first two security concerns, with a small execution time overhead 20

22 Outline Background: Security & Virtualization Background: Security & Virtualization Security challenges in virtualization-based architecture Security challenges in virtualization-based architecture A secure virtual machine execution environment A secure virtual machine execution environment Implementation & results Implementation & results Security analysis Security analysis Conclusion Conclusion 21

23 Conclusion Virtualization technology can both benefit and undermine computer security in different ways Virtualization technology can both benefit and undermine computer security in different ways One of the fundamental security concerns of virtualization-based architecture is that the TCB of a VM is too large One of the fundamental security concerns of virtualization-based architecture is that the TCB of a VM is too large A protection mechanism in Xen virtualization system proposed, which successfully excludes the management domain out of the TCB with small execution time overhead A protection mechanism in Xen virtualization system proposed, which successfully excludes the management domain out of the TCB with small execution time overhead 22

24 Thank you!


Download ppt "Secure Virtual Machine Execution Under an Untrusted Management OS Chunxiao Li Anand Raghunathan Niraj K. Jha."

Similar presentations


Ads by Google