Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor
TRANSCRIPT
Slide 1

Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor

Patrick Colp†, Mihir Nanavati†, Jun Zhu‡, William Aiello†, George Coker*, Tim Deegan‡, Peter Loscocco*, Andrew Warfield†
† Department of Computer Science, University of British Columbia
‡ Citrix Systems R&D
* National Security Agency
Slide 2 (figure only)
Slide 3

Companies in the Cloud (all of these run in EC2 or Rackspace)
Slide 4

Hypervisors are Secure

(Figure: a hypervisor with a small code base exposes only a narrow x86 interface to each of its VMs.)

Xen: 280 KLOC (based on the current version)
Nova: 9 KLOC (microvisor) + 20 KLOC (VMM) [EuroSys'10]
SecVisor: 2 KLOC [SOSP'07]
Flicker: 250 LOC [EuroSys'08]
Slide 5

CERT Vulnerabilities

• 38 Xen CERT vulnerabilities
• 23 originate in guest VMs
• 2 are against the hypervisor

What the heck are the other 90%?
Slide 6

(Figure: the hypervisor hosts the Control VM (Dom0) next to User A's VM and User B's VM. Dom0 bundles Platform, IPC, Management, Device Drivers and Device Emulation, and it can manage devices, create and destroy VMs, and arbitrarily access memory.)

"We are the 90%"
Slide 7

Constraint: don't reduce functionality, performance, or maintainability of the system

• Isolate services into least-privileged service VMs
• Make sharing between components explicit (exposure to risk)
• Contain the scope of exploits in both space and time
Slide 8

SPACE
Slide 9

(Figure: the Control VM, with its Platform, Device Drivers, Management, IPC and Device Emulation roles, running on the hypervisor beside User A's VM and User B's VM.)

Space
Slide 10

Isolation

(Figure: the Control VM's Platform, Device Drivers, Management, IPC and Device Emulation roles are broken up into single-purpose service VMs: System Boot, PCI Config, Network, Block, Builder, Tools, XenStore and Emulator.)

Space: Isolation
Slide 11

(Figure: the service VMs System Boot, PCI Config, Network, Block, Builder, Tools, XenStore and Emulator running on the hypervisor beside User A's VM and User B's VM.)

Space: Isolation
Slide 12

Configurable Sharing

(Figure: each user gets private service VMs. User A's VM is served by User A's Tools, User A's Block and User A's Network; User B's VM by User B's Tools, User B's Block and User B's Network.)
Slide 13

Configurable Sharing

(Figure: alternatively, a single Tools, Block and Network service VM is shared by User A's VM and User B's VM.)
Slide 14

Configurable Sharing

(Figure: back to the per-user configuration: User A's VM uses User A's Tools, Block and Network; User B's VM uses User B's.)
Slide 15

(Figure: the service VMs running on the hypervisor beside User A's VM and User B's VM.)

Space: Isolation, Configurable Sharing
Slide 16

Auditing

(Figure: a timeline of the Create, Network and Block components, with User A's VM, User B's VM and User C's VM attached to the Network and Block service VMs over time.)

Which VMs were relying on the Block component while it was compromised?

VM B and VM C
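The audit question on this slide can be answered from a log of which client VM was bound to which service VM and when. The following is an added example, not code from the Xoar project: it builds such a log from constructed bind, unbind and restart events (the VM names, service names and timestamps are invented for illustration) and answers "which VMs were relying on Block while it was compromised?". A timed restart of a service VM closes every binding to the old instance and reopens it against the fresh one, so the restart also bounds how long a compromise of that instance can last; the query uses the next restart as the default end of the compromise window.

```python
"""Dependency auditing for Xoar-style service VMs (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (time, kind, client, service); kind is "bind", "unbind" or "restart".
# Everything in this log is constructed for the example.
Event = Tuple[float, str, str, str]

AUDIT_LOG: List[Event] = [
    (0.0,  "bind",    "vm-a", "network"),
    (0.0,  "bind",    "vm-a", "block"),
    (5.0,  "bind",    "vm-b", "block"),
    (7.0,  "unbind",  "vm-a", "block"),
    (9.0,  "bind",    "vm-c", "block"),
    (12.0, "bind",    "vm-c", "network"),
    (15.0, "restart", "",     "block"),    # timed restart: a fresh Block instance
    (20.0, "unbind",  "vm-b", "block"),
]

@dataclass(frozen=True)
class Binding:
    client: str
    service: str
    start: float
    end: Optional[float]      # None: still bound at the end of the log

def bindings(log: List[Event]) -> List[Binding]:
    """One Binding per client, service and service *instance*: a restart of the
    service ends every open binding to it and starts a new one at the same time."""
    open_: dict = {}          # (client, service) -> start of the current binding
    out: List[Binding] = []
    for t, kind, client, service in sorted(log, key=lambda e: e[0]):
        if kind == "bind":
            if (client, service) in open_:
                raise ValueError(f"{client} already bound to {service}")
            open_[(client, service)] = t
        elif kind == "unbind":
            out.append(Binding(client, service, open_.pop((client, service)), t))
        elif kind == "restart":
            for key in [k for k in open_ if k[1] == service]:
                out.append(Binding(key[0], service, open_[key], t))
                open_[key] = t            # re-bound to the new instance
        else:
            raise ValueError(f"unknown event {kind!r}")
    out.extend(Binding(c, s, start, None) for (c, s), start in open_.items())
    return out

def next_restart(log: List[Event], service: str, after: float) -> Optional[float]:
    """Time of the first restart of `service` strictly after `after`, or None."""
    times = sorted(t for t, kind, _, s in log
                   if kind == "restart" and s == service and t > after)
    return times[0] if times else None

def exposed_clients(log: List[Event], service: str, compromised_from: float,
                    compromised_until: Optional[float] = None) -> List[str]:
    """Clients whose binding to `service` overlaps the compromise window.
    Without an explicit end, the compromise is taken to last until the next
    restart of the service, or forever if it is never restarted."""
    if compromised_until is None:
        until = next_restart(log, service, compromised_from)
        compromised_until = float("inf") if until is None else until
    hits = set()
    for b in bindings(log):
        if b.service != service:
            continue
        end = float("inf") if b.end is None else b.end
        if b.start < compromised_until and end > compromised_from:
            hits.add(b.client)
    return sorted(hits)

if __name__ == "__main__":
    # Block compromised at t=8; the restart at t=15 ends the exposure.
    print(exposed_clients(AUDIT_LOG, "block", 8.0))   # ['vm-b', 'vm-c']
```

With the constructed log, a compromise of Block starting at t=8 exposes vm-b and vm-c but not vm-a, which had already unbound at t=7; the same query against the never-restarted Network service yields an open-ended window, which is exactly the situation timed restarts are meant to avoid.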
Slide 17

(Figure: the service VMs running on the hypervisor beside User A's VM and User B's VM.)

Space: Isolation, Configurable Sharing, Auditing
Slide 18

TIME
Slide 19

(Figure: the service VMs running on the hypervisor beside User A's VM and User B's VM.)

Space: Containment, Configurable Sharing, Auditing
Time
Slide 20

Disposable

(Figure: System Boot and PCI Config are disposable services: they run on the hypervisor only at boot and are destroyed once the other services are up.)
Slide 21

(Figure: the service VMs running on the hypervisor beside User A's VM and User B's VM.)

Space: Isolation, Configurable Sharing, Auditing
Time: Disposable
Slide 22

Snapshots

(Figure: a service VM is restored from its snapshot into a fresh VM.)

Restart from snapshot: 4-25 ms
Slide 23

(Figure: the service VMs running on the hypervisor beside User A's VM and User B's VM.)

Space: Isolation, Configurable Sharing, Auditing
Time: Disposable, Timed Restarts
Slide 24

Stateless VMs

(Figure: the Builder boots and initializes, then a snapshot image is taken. Each request to build User A's VM or User B's VM is processed by a copy-on-write instance of that image, and the instance is rolled back to the snapshot once the request has been served and the newly created VM handed off.)
Slide 25

(Figure: the service VMs running on the hypervisor beside User A's VM and User B's VM.)

Space: Isolation, Configurable Sharing, Auditing
Time: Disposable, Timed Restarts, Stateless
Slide 26

SPACE + TIME
Slide 27

(Figure: the service VMs running on the hypervisor beside User A's VM and User B's VM.)

Space: Isolation, Configurable Sharing, Auditing
Time: Disposable, Timed Restarts, Stateless
Space + Time
Slide 28

Composition

(Figure: User A's VM, User B's VM and a single XenStore.)

VM → XenStore: "I've enabled the network driver to map page 0xDEADBEEF"
XenStore → VM: "OK"
XenStore state: B: Network can map 0xDEADBEEF
VM → XenStore: "I've enabled 0xPWND" (a malicious request that exploits XenStore)
Slide 29

Composition

(Figure: XenStore is split into XenStore-State and XenStore-Logic.)

VM → XenStore-Logic: "I've enabled the network driver to map page 0xDEADBEEF"
XenStore-Logic → VM: "OK"
XenStore-State: B: Network can map 0xDEADBEEF
VM → XenStore-Logic: "I've enabled 0xPWND"
XenStore-State: A: Please shut me down (written by the exploited XenStore-Logic, which can still write any entry)
Slide 30

Composition

(Figure: XenStore-Logic now sits behind a Monitor that limits its access to XenStore-State, and is itself run as a stateless VM: it boots and initializes, a snapshot image is taken, each request is processed by a copy-on-write instance of the snapshot, and the instance is rolled back afterwards.)

VM → XenStore-Logic: "I've enabled the network driver to map page 0xDEADBEEF"
XenStore-Logic → VM: "OK"
XenStore-State: B: Network can map 0xDEADBEEF
VM → XenStore-Logic: "I've enabled 0xPWND"
Monitor: limit access (the exploited XenStore-Logic instance's write of "A: Please shut me down" is confined, and the instance is discarded after the request)
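The following is an added example, not code from Xoar, that models the composition of Slide 24 (a stateless service rolled back to its snapshot after every request) and Slides 29 and 30 (XenStore split into State and Logic, with a Monitor limiting Logic's access to State). The key layout under /local/domain/<dom>/, the two-word request grammar, the "0xPWND" request that stands in for an exploit of XenStore-Logic, and the choice of B as the attacker are all constructed for the example; rollback is modelled with a deep copy of a pristine Logic object in place of a copy-on-write snapshot image.

```python
"""XenStore split into State, Logic and a Monitor, with per-request rollback
(added example, not Xoar's code)."""
import copy
from typing import Dict, List, Tuple

class XenStoreState:
    """XenStore-State: the only long-lived part; holds the key/value tree."""
    def __init__(self) -> None:
        self.kv: Dict[str, str] = {}

class Monitor:
    """Sits between a XenStore-Logic instance and XenStore-State. With
    enforce=True a Logic instance serving domain `dom` may only write keys in
    dom's own subtree; enforce=False models Slide 29 (split, but no monitor)."""
    def __init__(self, state: XenStoreState, enforce: bool = True) -> None:
        self.state = state
        self.enforce = enforce
        self.denied: List[Tuple[str, str]] = []   # (requesting dom, key), for the audit log

    def write(self, dom: str, key: str, value: str) -> bool:
        if self.enforce and not key.startswith(f"/local/domain/{dom}/"):
            self.denied.append((dom, key))
            return False
        self.state.kv[key] = value
        return True

class XenStoreLogic:
    """XenStore-Logic: parses and executes one request. Holds no state that
    must outlive the request, so the instance can be thrown away afterwards."""
    def __init__(self) -> None:
        self.hijacked = False    # models attacker control of this instance

    def handle(self, monitor: Monitor, dom: str, request: str) -> bool:
        op, *args = request.split()
        if op == "grant":                    # "grant network 0xDEADBEEF"
            backend, page = args
            return monitor.write(dom, f"/local/domain/{dom}/grants/{backend}", page)
        if op == "0xPWND":                   # "0xPWND a": constructed stand-in for an exploit
            self.hijacked = True             # the attacker now drives this instance ...
            victim = args[0]                 # ... and tries to write "A: please shut me down"
            return monitor.write(dom, f"/local/domain/{victim}/control/shutdown", "poweroff")
        raise ValueError(f"unknown request {op!r}")

CLEAN_SNAPSHOT = XenStoreLogic()     # the image every Logic instance starts from

def run(requests: List[Tuple[str, str]], stateless: bool = True,
        enforce: bool = True) -> Dict[str, object]:
    """Serve (dom, request) pairs in order; report what ended up in State, what
    the Monitor refused, and which request indices ran on a hijacked Logic."""
    state = XenStoreState()
    monitor = Monitor(state, enforce)
    logic = copy.deepcopy(CLEAN_SNAPSHOT)
    hijacked_at: List[int] = []
    for i, (dom, req) in enumerate(requests):
        if stateless:
            logic = copy.deepcopy(CLEAN_SNAPSHOT)   # rollback: the last request's damage is gone
        logic.handle(monitor, dom, req)
        if logic.hijacked:
            hijacked_at.append(i)
    return {"kv": dict(state.kv), "denied": list(monitor.denied), "hijacked_at": hijacked_at}

# Constructed traffic following the slide: B's legitimate grant, an exploit
# aimed at A, then an ordinary request from A.
TRAFFIC: List[Tuple[str, str]] = [
    ("b", "grant network 0xDEADBEEF"),   # "B: Network can map 0xDEADBEEF"
    ("b", "0xPWND a"),                   # hijacked Logic tries to power A off
    ("a", "grant network 0xCAFE"),       # served by a clean Logic instance again
]

if __name__ == "__main__":
    print(run(TRAFFIC))
```

Run with both mechanisms on, the shutdown key for A never reaches XenStore-State and only the instance that served the exploit is hijacked; with stateless=False the hijacked instance goes on to serve A's request, and with enforce=False the split alone does not stop the forged "A: Please shut me down" entry. B's grant survives every rollback because it lives in XenStore-State, not in Logic.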
Slide 31

(Figure: the service VMs running on the hypervisor beside User A's VM and User B's VM.)

Space: Isolation, Configurable Sharing, Auditing
Time: Disposable, Timed Restarts, Stateless
Space + Time: Composition
Slide 32

EVALUATION
Slide 33

Evaluation

• What do privileges look like now?
• What is the impact on the security of the system?
• What are the overheads?
• What impact does isolation have on performance?
• What impact do restarts have on performance?
Slide 34

Privileges

Before: every component of the control VM holds every privilege.

Privilege                           System Boot  PCI Config  Builder  Tools  Block  Network  XenStore
Arbitrarily access memory                X            X          X       X      X       X        X
Access and virtualize PCI devices        X            X          X       X      X       X        X
Create VMs                               X            X          X       X      X       X        X
Manage VMs                               X            X          X       X      X       X        X
Manage assigned devices                  X            X          X       X      X       X        X

After: each privilege is held only by the service VMs that need it (the slide marks the holders with an X; the count per row is what survives here).

Privilege                           Service VMs holding it
Arbitrarily access memory           2 of 7
Access and virtualize PCI devices   1 of 7
Create VMs                          2 of 7
Manage VMs                          3 of 7
Manage assigned devices             2 of 7
Slide 35

Security

• Of the 21 vulnerabilities against the control plane, Xoar contains all 21
• The TCB is reduced from the control VM's 7.5 million lines of code (Linux) to the Builder's 13,500 (on top of Xen)
Slide 36

Memory Overhead

Component        Memory
System Boot      128 MB   (disposable: destroyed after boot)
PCI Config       128 MB   (disposable: destroyed after boot)
XenStore-Logic    32 MB
XenStore-State    32 MB
Block            128 MB
Network          128 MB
Builder           64 MB
Tools            128 MB
Total            512 MB   (steady state, after the two disposable VMs are gone; 768 MB while they run)
Slide 37

Isolation Performance

(Figures: Postmark performance; wget performance.)
Slide 38

Restart Performance

(Figure: kernel build performance.)
Slide 39

CONCLUSION
Slide 40

Summing it All Up

• Components of the control VM are a major source of risk
• Xoar isolates components in space and time
  – Contains exploits
  – Provides explicit exposure to risk
• Functionality, performance, and maintainability are not impacted