04/19/23 VEE 2008 1
Applications of Feather-Weight Virtual Machine
Yang Yu Hariharan Govindarajan Lap-chung Lam Tzi-cker Chiueh
Stony Brook University / Symantec Research Labs

Virtualization Technology Spectrum
Software emulation of an operating environment: an example of "every computer science problem can be solved by adding an additional level of indirection"
Intercept & perform additional value-added operations
Multiple possible interception interfaces:
  Instruction set architecture (ISA): Bochs, QEMU
  Hardware abstraction layer (HAL): VMware, Virtual PC, Xen
  System call interface: BSD Jail, Linux Vserver, Virtuozzo, Softricity
  Library call interface: Wine, Interix, Cygwin
  Language level: JVM, .NET framework
Tradeoff among implementation complexity, flexibility, performance overhead and isolation strength

OS-level Virtualization
Virtualizing the system call interface so as to provide the illusion of multiple operating environments that are isolated from one another
Figure: two stacks of Hardware / Operating System Kernel. Without virtualization, processes P1, P2, P3, P4, P5 all share one environment; with an OS-Virtualization Layer on top of the kernel, the same processes are split into isolated groups (P1, P3, P4 in one environment and P2, P5 in another).

OS-level vs. HAL-based VM
One OS vs. multiple (possibly heterogeneous) OSes
Figure, OS-level virtualization: Hardware / Host OS / OS-level Virtualization Layer, with several groups of Guest Processes on top.
Figure, HAL-level virtualization: Hardware / HAL Virtualization Layer, with several Guest OS instances on top, each running its own Guest Processes.

Properties of OS-level Virtualization
Pro
  OS-required resources do not need to be duplicated
  Low per-VM resource requirement and better scalability
  Instant creation and destruction of VMs
  More flexibility in initial state set-up of a new VM
  Easier to share VM states whenever necessary
  No changes required to existing applications or computing infrastructure
Con
  Share a single OS kernel: weaker isolation among VMs (kernel rootkit problem)
  Higher implementation complexity
  Additional restrictions on applications running in a VM

FVM: Feather-weight Virtual Machine
Multiple OS-level VMs forked from the base operating environment of a Windows kernel
Goals of FVM
  Properly isolate different VMs running on a Windows kernel
  Offer a flexible framework for developing security applications on end user machines
Technical challenges
  How to achieve reasonable isolation among VMs without incurring inordinate implementation complexity
  How to reliably commit a VM's state back to the host

Concrete Design Requirements
Can start multiple instances of the same executable binary in multiple concurrent VMs
  Daemon process: Apache web server, DNS server
  GUI process: Microsoft Office suite, IE, Acrobat Reader
  Some service processes cannot be multi-instanced: Windows Installer service
Isolation of persistent state: files and registries
  Read from the common base operating environment
  File-level copy-on-write
Communication confinement: IPC, device access, kernel object access, interaction with services
Performance isolation

Basic FVM design
A virtualization layer that intercepts Windows system calls
  No modification to applications, libraries or OS kernel
Access redirection via renaming and copy-on-write
  Mapping virtual name to physical name
Communication confinement
  Virtualization through renaming of communication end-points
  Visibility control: broadcast and enumeration operations
Performance isolation: using a "job object" to limit disk/memory usage and CPU scheduling priority

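The access-redirection idea on this slide (virtual name mapped to a physical name under a per-VM root, file-level copy-on-write, and the deletion log that the "FVM's State" slide lists) can be exercised on an ordinary filesystem. The following is an added simulation written for this transcript, not FVM's own code: it forks two VMs from one shared base directory, and the lookup order (private copy, then deletion log, then base) as well as the directory layout are assumptions of the example.

```python
"""Simulation of FVM-style file virtualization: virtual-to-physical renaming,
file-level copy-on-write and a per-VM deletion log.  Added illustration, not
FVM's code; it runs on any OS against a throwaway temporary directory."""
import shutil
import tempfile
from pathlib import Path


class FileVirtualizer:
    """One instance per VM.  `base` is the shared host environment the VM reads
    through; `vm_root` is the VM's private root where every write is redirected."""

    def __init__(self, vm_id, base, vm_root):
        self.vm_id = vm_id
        self.base = Path(base)
        self.vm_root = Path(vm_root)
        self.deleted = set()  # log of virtual names deleted/renamed by this VM

    def _physical(self, virtual):
        """Renaming step: the virtual name (relative to the environment root)
        becomes a physical name under the VM's private root."""
        return self.vm_root / virtual

    def resolve_for_read(self, virtual):
        """Assumed read order: VM's private copy, then the deletion log, then base."""
        private = self._physical(virtual)
        if private.exists():
            return private
        if virtual in self.deleted:
            return None  # deleted inside this VM even though the host still has it
        shared = self.base / virtual
        return shared if shared.exists() else None

    def open_for_write(self, virtual):
        """Copy-on-write: the first write to a shared file copies it into the VM
        root; from then on every access in this VM hits the private copy."""
        private = self._physical(virtual)
        private.parent.mkdir(parents=True, exist_ok=True)
        if not private.exists():
            shared = self.base / virtual
            if shared.exists() and virtual not in self.deleted:
                shutil.copy2(shared, private)
        self.deleted.discard(virtual)  # a fresh write re-creates a deleted name
        return private

    def delete(self, virtual):
        """Remove the private copy if any and mask the base copy via the log;
        the host's file is never touched."""
        private = self._physical(virtual)
        if private.exists():
            private.unlink()
        self.deleted.add(virtual)

    def read(self, virtual):
        path = self.resolve_for_read(virtual)
        return path.read_text() if path is not None else None

    def write(self, virtual, text):
        self.open_for_write(virtual).write_text(text)


def demo():
    """Fork two VMs from one base and return what host and VMs each see."""
    root = Path(tempfile.mkdtemp(prefix="fvm-demo-"))
    base = root / "base"
    base.mkdir()
    (base / "config.ini").write_text("shared=1\n")  # constructed host file

    vm1 = FileVirtualizer(1, base, root / "vm1")
    vm2 = FileVirtualizer(2, base, root / "vm2")

    vm1.write("config.ini", "shared=1\nvm1-change=yes\n")  # COW copy lands in vm1
    vm2.delete("config.ini")                                 # masked only in vm2
    vm2.write("new.txt", "created in vm2\n")                 # never reaches base

    result = {
        "host": (base / "config.ini").read_text(),
        "vm1": vm1.read("config.ini"),
        "vm2": vm2.read("config.ini"),
        "vm1_sees_new": vm1.read("new.txt"),
        "vm2_sees_new": vm2.read("new.txt"),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The host copy of config.ini is unchanged by either VM, vm1 sees its own modified copy, vm2 sees no file at all, and the file created in vm2 is invisible to vm1; committing a VM's state back to the host (the second technical challenge above) would amount to replaying the private root and the deletion log onto the base.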
Low-Level Enabling Mechanisms
File/registry virtualization
Running multiple instances of the same application
Inter-process communication confinement
Daemon/service virtualization
Network interface/stack virtualization
Resource usage control

IPC Confinement
Common IPC              Confinement Technique                                            FVM level
Named pipe/mailslot     Rename named pipe and mailslot                                   Kernel
Synchronization object  Rename mutex, semaphore, event, timer, etc.                      Kernel
Shared memory           Rename the section object                                        Kernel
Local Procedure Call    Rename the LPC port object                                       Kernel
Socket                  IP aliasing; associate the VM's IP address with a socket         User
Window class            Hide a VM's window class from other VMs                          User
Windows message         Block message unless sender and receiver are in the same VM      User
Clipboard               Tag the VM ID with clipboard data                                User
User-level hooks        Prevent setting system-wide hooks or modifying other processes   User

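The table's two families of techniques, renaming of kernel-level end-points and user-level filtering, are easy to mistake for each other, so here is an added simulation (written for this transcript, not FVM's code) of both: a per-VM tag is spliced into kernel object names at create/open time and stripped again when enumeration results are handed back, so each VM only ever sees its own objects; window messages and clipboard data carry the VM ID of their origin and cross-VM delivery is refused. The "FVM<id>-" tag format, the VM 0 = host convention and the helper names are assumptions of the example.

```python
"""Simulation of FVM-style IPC confinement.  Added illustration, not FVM's code:
kernel object names get a per-VM tag (the 'FVM<id>-' leaf prefix is an assumed
format), enumeration results are filtered so a VM only sees its own objects,
and window messages / clipboard data are tagged with the originating VM."""
import re

HOST_VM = 0                       # assumed: the base environment is VM 0, never renamed
_TAG = re.compile(r"^FVM(\d+)-")  # assumed tag placed on the object's leaf name


def virtualize_name(vm_id, name):
    r"""Rename a kernel object (mutex, event, section, LPC port, pipe ...) so
    that two VMs asking for 'Global\MyAppMutex' get two distinct objects while
    the Object Manager directory part of the name is preserved."""
    if vm_id == HOST_VM:
        return name
    head, sep, leaf = name.rpartition("\\")
    return f"{head}{sep}FVM{vm_id}-{leaf}"


def devirtualize_name(vm_id, physical):
    """Inverse mapping applied to enumeration results.  Returns None when the
    object belongs to another VM (or, when the host enumerates, to any VM)."""
    head, sep, leaf = physical.rpartition("\\")
    m = _TAG.match(leaf)
    if vm_id == HOST_VM:
        return None if m else physical
    if m and int(m.group(1)) == vm_id:
        return f"{head}{sep}{leaf[m.end():]}"
    return None


def enumerate_visible(vm_id, all_objects):
    """Visibility control: a VM enumerating the namespace only gets back its own
    objects, with the tag stripped so applications see the names they used."""
    visible = (devirtualize_name(vm_id, p) for p in all_objects)
    return [v for v in visible if v is not None]


class Window:
    """A top-level window owned by a process running in `vm_id`."""

    def __init__(self, hwnd, vm_id):
        self.hwnd, self.vm_id, self.inbox = hwnd, vm_id, []


def send_message(sender_vm, target, msg):
    """User-level rule from the table: block a window message unless sender
    and receiver are in the same VM.  Returns whether it was delivered."""
    if sender_vm != target.vm_id:
        return False
    target.inbox.append(msg)
    return True


class Clipboard:
    """Clipboard data is tagged with the VM that wrote it; a reader in another
    VM sees an empty clipboard rather than the other VM's data."""

    def __init__(self):
        self.owner_vm, self.data = None, None

    def put(self, vm_id, data):
        self.owner_vm, self.data = vm_id, data

    def get(self, vm_id):
        return self.data if vm_id == self.owner_vm else None


if __name__ == "__main__":
    namespace = [virtualize_name(v, "Global\\MyAppMutex") for v in (1, 2)]
    namespace.append("Global\\HostOnly")
    print("physical names:", namespace)
    for v in (HOST_VM, 1, 2):
        print(f"VM {v} enumerates:", enumerate_visible(v, namespace))
```

Because the tag lives in the name rather than in any extra kernel state, the same mapping serves every object type in the "Kernel" rows of the table; the "User" rows need the origin VM of the message or data instead, which is why the window and clipboard helpers carry a vm_id.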
An FVM's State
A VM identifier
A set of processes
Root directories for file, registry and kernel object namespaces
A log of files and registry entries deleted/renamed by the VM
An IP address
A set of policies: resource usage quota, device access and service interaction

Limitations of FVM Prototype
Kernel modification in a VM
  Prohibit loading/unloading kernel drivers
  Prohibit mapping physical memory (\Device\PhysicalMemory)
Device access and IPC with daemon/service
  Tradeoff between isolation and functionality
  Policy
Lack of VM migration support

App1: Secure Mobile Code Execution
Start web browser, email client or any suspicious program in a separate VM
Selective commit based on analysis of the system/API call log: detect suspicious process behaviors
Mark a file when it is committed to the host
  A marked file is always opened/executed in a separate VM until it is explicitly unmarked

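The slide names the two controls (selective commit driven by call-log analysis, and marking of committed files) without saying how they fit together, so the following added example, written for this transcript and not FVM's code, runs one commit cycle: a constructed call log from the VM is scanned, files written by a process that matched a rule are discarded, the rest are copied to the host and marked, and a marked file is routed back into a VM on its next open until unmarked. The log format, the "write"/"reg_set" vocabulary and the rules that flag a process (writes under the OS directory or to an autostart registry key) are assumptions chosen for the demo, not FVM's detection logic.

```python
"""Simulation of FVM App1's selective commit and file marking.  Added
illustration only, not FVM's code: the call-log format and the rules that flag
a process as suspicious are assumptions chosen for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    pid: int      # process that issued the call inside the VM
    op: str       # "write", "reg_set", ... (assumed vocabulary)
    target: str   # file path or registry key touched


# Assumed policy: a process that writes into the OS directory or tampers with an
# autostart key is treated as suspicious and none of its output is committed.
PROTECTED_PREFIXES = (
    "C:\\Windows\\",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
)


def suspicious_pids(log):
    """Scan the VM's system/API call log and return the PIDs that matched a rule."""
    flagged = set()
    for entry in log:
        if entry.op in ("write", "reg_set") and entry.target.startswith(PROTECTED_PREFIXES):
            flagged.add(entry.pid)
    return flagged


class Host:
    """The base environment: a file table plus the set of marked files."""

    def __init__(self):
        self.files = {}       # path -> content (constructed stand-in for the host FS)
        self.marked = set()   # files that came out of a VM and are still untrusted

    def selective_commit(self, vm_files, writer_of, log):
        """Commit a VM's modified files to the host, skipping everything written
        by a process the log analysis flagged.  Every committed file is marked."""
        flagged = suspicious_pids(log)
        committed, discarded = [], []
        for path, content in vm_files.items():
            if writer_of[path] in flagged:
                discarded.append(path)
                continue
            self.files[path] = content
            self.marked.add(path)
            committed.append(path)
        return committed, discarded

    def open_target(self, path):
        """A marked file is always opened/executed in a separate VM until it is
        explicitly unmarked; everything else opens directly on the host."""
        return "vm" if path in self.marked else "host"

    def unmark(self, path):
        self.marked.discard(path)


def demo():
    """Run one commit cycle on a constructed log and report what happened."""
    pdf = "C:\\Users\\alice\\Downloads\\report.pdf"
    exe = "C:\\Users\\alice\\Downloads\\setup.exe"
    log = [  # constructed call log captured inside the VM
        LogEntry(100, "write", pdf),
        LogEntry(200, "write", exe),
        LogEntry(200, "write", "C:\\Windows\\System32\\setup_helper.dll"),
        LogEntry(200, "reg_set", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\setup"),
    ]
    vm_files = {pdf: b"%PDF-1.4 ...", exe: b"MZ..."}   # contents modified in the VM
    writer_of = {pdf: 100, exe: 200}                    # which VM process wrote each file

    host = Host()
    committed, discarded = host.selective_commit(vm_files, writer_of, log)
    routing_before = host.open_target(pdf)
    host.unmark(pdf)
    return {
        "committed": committed,
        "discarded": discarded,
        "opens_in_before_unmark": routing_before,
        "opens_in_after_unmark": host.open_target(pdf),
        "host_has_exe": exe in host.files,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The decision is made per writing process rather than per file: once process 200 has touched a protected location, the installer it also wrote is withheld from the host even though that write on its own looked harmless, while the PDF from the clean process 100 is committed but keeps opening inside a VM until someone unmarks it.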
App2: Scalable Web Site Testing
Figure: a Web Crawler takes URLs from a URL DB and fetches the Web Servers into a Local Mirror; a VM Pool of VMs, each running a Web Browser against the mirror, produces the Testing Report.

Web Site Testing Set-up
Web crawler: WinHTTrack
URL source: 237 websites from McAfee's SiteAdvisor
Internet Explorer 5.0 runs on unpatched Win2K; IE security settings: high
VM setup
  One IE instance per VM
  Total number of concurrent IE instances: 50
Two parameters
  Number of seconds to wait
  Number of URLs visited during the lifetime of each VM

Websites Testing Throughput
Figure: x-axis Waiting Time per URL (seconds), 0 to 50; y-axis Testing Throughput (URLs per hour), 0 to 8000; one curve per number of Concurrently Visited URLs per VM: 1, 3, 5, 7, 9 and 10 per VM.

Results
VM start-up overhead in web site testing
  FVM: 0.3 seconds
  VMware Workstation 5.0: 30 ~ 50 seconds
Scanning throughput (one URL visit per VM, waiting time: 120 seconds)
  FVM-based: 50,000 ~ 70,000 per day per machine
  MS Strider HoneyMonkey (VMware-based): < 8,000 per day per machine

App3: Shared Application Binary Server
Application binary delivery architecture
  Applications installed and executed on end user machines
  Applications installed and executed on a central server: thin-client computing
  Applications installed on a central server and executed on individual user machines: shared application binary server
Challenge: ensure applications are executed against the operating environment in which they are installed

Design
When a client launches an executable stored on the server, associate the launched process with a VM running on the client
Redirect access to the operating environment to the shared binary server
  Exe, DLL, Registry, Environment Variable, COM object
  System DLLs (kernel32, user32, …)
Accesses to user files and registry entries are not redirected

Shared Binary Server Architecture
Figure: the Shared Binary Server holds App1, App2, App3, …, AppK together with their File, Registry, Env Var and OLE/COM state; on the Client, an App runs inside FVM, which redirects its File, Registry, Env Var and OLE/COM accesses to the server while Local Data stays on the client.

App4: Distributed Display-Only File Service
Goal: protect confidential documents from information theft by insiders
Figure (DOFS architecture): the DOFS Server keeps the Protected Document and runs the App in a Terminal Session behind a Content Filter; the DOFS Client reaches the document through a Document Link and receives only a Remote Display, with a Screen Capture Blocker on the client and a DOFS Firewall between client and server.

DDOFS Design
Motivation: application compatibility & performance issues in the DOFS architecture
Approach: move application execution back to the client in a VM, to carve out a piece of the client as a logical extension of the central server
A document opened in a VM cannot leak out of the VM because all writes go to the central server
Documents are encrypted as they travel over the network and decrypted after they enter the VM

App4: DDOFS Architecture
Figure: the DDOFS Server stores the Protected Document and encrypts/decrypts it on the way out and back; on the DDOFS Client the App runs inside FVM with a VM Write Workspace, decrypts/encrypts the document inside the VM, and a Screen Capture Blocker guards the display.

Conclusion
FVM is a full-scale implementation of OS-level virtualization for the Windows platform
Making legitimate applications happy vs. preventing malicious applications from doing bad things: tamper resistance support is needed
Optimized for sharing rather than for isolation: allows users to seamlessly interact with multiple VMs simultaneously
Faster start-up and shut-down
Facilitating development of security solutions for end user machines