Cloud Security with LibVMI

Upload: tamas-k-lengyel

Post on 10-Jan-2017


Outline

● What is the Cloud?

● Looking at HW based security

● Virtual Machine Introspection

● LibVMI

● Demos

● What’s next?

What is the Cloud?

[Diagram: the Cloud as seen by Big Tech, Technician, End user, Management, Developers, Researcher]

Cloud Security

● Mainly an issue for the cloud providers

o They need to monitor their virtual hardware

● And for enterprise cloud applications

o They need to monitor their database and webapp

● An end user can only change his password

o He has no access to the underlying hardware/software

Cloud Security

● Co-resident/breakout attacks

o Possible

● Network based attacks

o Probable

● Attackers will go after the low-hanging fruit

● We need to leverage Cloud defense mechanisms

Why should you care?

● The technology powering the Cloud is also available on end-user systems

o on your phone, PC, tablets..

● Defense mechanisms that work for the Cloud will work for you!

History of HW Security.. in 5 minutes (non-comprehensive)

Before 1982: Real Mode

1982: Protected mode

[Ring diagram: Ring 3 = Application, Ring 0 = Operating System, Rings 1 and 2 unused; lower ring number = more privilege]

2003: Xen

[Ring diagram: Ring 0 = Xen, Ring 1 = Operating Systems, Ring 3 = Applications, Ring 2 unused]

2003: x86-64

[Ring diagram: Ring 0 = Operating System, Ring 3 = Applications, Rings 1 and 2 disabled]

2003: Xen on x86-64

[Ring diagram: Ring 0 = Xen, Ring 3 = OS/Applications, Rings 1 and 2 disabled]

2006: VT-x & AMD-V

[Ring diagram: Ring -1 = Hypervisor; VMX root = OS/Hypervisor, VMX non-root = Virtual Machines, each side with its own Rings 0-3; Rings 1 and 2 disabled/unused; more privilege toward VMX root]

Psst.. I’m here too (since ‘93)!

[Ring diagram: Ring -2 = System Management Mode, beneath VMX root and VMX non-root]

2006?: Intel Dual-monitor SMM

[Ring diagram: Secure Transfer Monitor (STM) added at the System Management Mode level]

2008: Intel Management Engine

[Ring diagram: Ring -3 = Intel ME, an ARC 600(?) core with its own User/Kernel split, beneath all of the above]

2013: Nested virtualization!

[Ring diagram: a Nested Hypervisor layer, each nested virtual machine with its own User/Kernel split]

201x: Intel SGX

[Ring diagram: SGX enclaves placed inside Ring 3 of the virtual machines]

Oh yea, we have these too..

[Ring diagram: ARM CPUs in your harddrive, NIC, etc., each with its own User/Supervisor split]

The Cloud in 2015

[Ring diagram: VMX root = OS/Hypervisor, VMX non-root = Virtual Machines]

Securing Virtual Machines

● Security based on the Hypervisor

● Move security stack outside of the OS!

● Monitor

o VM Memory

o Virtual Hardware state

Virtual Machine Introspection

What is VMI

● View and control a virtual machine from an external perspective

● Including

o Network

o Disk

o Memory

o vCPU

VMI - The 3 aspects

1. Isolation

2. Interpretation

3. Interposition

Isolation

● Move security component outside of the guest operating system

● Hypervisor exposes a smaller attack surface

● Increasingly harder to tamper with or disable the security system

Interposition

● Step into the execution of the machine

● Prevent attacks from modifying the system (repair hooks, privileges, etc.)

● Needs to be fast, reliable, and stealthy

● Based directly on hardware events

VMI - The 3 aspects

1. Isolation → Hypervisor

2. Interpretation → LibVMI / Volatility

3. Interposition → Intel

LibVMI

Use cases

● System-level debugging

● Timeline or trend analysis

● Runtime security

● OS Integrity

● Malware analysis

● Forensics

Core features

● Read and write VM memory

● Virtual Memory Translation (Paging)

o Using various methods (DTB, PID, Kernel Symbol)

● Find and map guest OS data structures

● Place monitoring event-hooks into the guest

o Exceptions, Page Faults
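Added example, not LibVMI's own code, of what the "Virtual Memory Translation (Paging) using DTB" feature has to do: a 4-level x86-64 page-table walk from a directory table base over a constructed guest physical memory image, covering a 4 KiB mapping, a 2 MiB large-page leaf, and the not-present case. Table addresses, mappings and function names are all assumed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define GPA_SIZE   (64 * 1024)       /* constructed guest physical memory image */
#define PTE_P      (1ULL << 0)       /* present bit */
#define PTE_PS     (1ULL << 7)       /* page-size bit: 1 GiB (PDPT) or 2 MiB (PD) leaf */
#define ADDR_MASK  0x000FFFFFFFFFF000ULL
#define NOT_MAPPED (~0ULL)

static uint8_t gpa[GPA_SIZE];
/* bounds-checked read of one 64-bit table entry from guest physical memory */
static int read_u64(uint64_t paddr, uint64_t *out) {
    if (paddr + 8 > GPA_SIZE) return 0;
    memcpy(out, gpa + paddr, 8);
    return 1;
}

/* 4-level walk starting at the DTB (CR3 value); returns guest PA or NOT_MAPPED */
uint64_t translate_v2p(uint64_t dtb, uint64_t va) {
    static const int shift[4] = {39, 30, 21, 12};   /* PML4, PDPT, PD, PT */
    uint64_t e, base = dtb & ADDR_MASK;
    for (int lvl = 0; lvl < 4; lvl++) {
        uint64_t idx = (va >> shift[lvl]) & 0x1FF;
        if (!read_u64(base + idx * 8, &e) || !(e & PTE_P)) return NOT_MAPPED;
        if ((lvl == 1 || lvl == 2) && (e & PTE_PS)) {   /* large-page leaf */
            uint64_t off = (1ULL << shift[lvl]) - 1;
            return (e & ADDR_MASK & ~off) | (va & off);
        }
        base = e & ADDR_MASK;
    }
    return base | (va & 0xFFF);
}

static void put_u64(uint64_t paddr, uint64_t v) { memcpy(gpa + paddr, &v, 8); }
/* Constructed tables, PML4 at 0x1000: kernel VA 0xffff800000001000 -> PA 0x5000
 * via a 4 KiB PTE, user VA 0x40200000 -> PA 0x800000 via a 2 MiB PDE. */
uint64_t build_tables(void) {
    memset(gpa, 0, sizeof gpa);
    put_u64(0x1000 + 256 * 8, 0x2000 | PTE_P);            /* PML4[256] -> PDPT */
    put_u64(0x2000 + 0 * 8,   0x3000 | PTE_P);            /* PDPT[0]   -> PD */
    put_u64(0x3000 + 0 * 8,   0x4000 | PTE_P);            /* PD[0]     -> PT */
    put_u64(0x4000 + 1 * 8,   0x5000 | PTE_P);            /* PT[1]     -> 4 KiB page */
    put_u64(0x1000 + 0 * 8,   0x6000 | PTE_P);            /* PML4[0]   -> PDPT */
    put_u64(0x6000 + 1 * 8,   0x7000 | PTE_P);            /* PDPT[1]   -> PD */
    put_u64(0x7000 + 1 * 8,   0x800000 | PTE_P | PTE_PS); /* PD[1]     -> 2 MiB page */
    return 0x1000;                                         /* the DTB */
}
/* build the image, then translate one guest virtual address */
uint64_t demo_translate(uint64_t va) { return translate_v2p(build_tables(), va); }
```

A real introspection tool reads the DTB from the guest's CR3 or a process structure instead of a constant, but the walk itself is the same.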

Events on Xen with Intel CPUs

● Intel Extended Page Tables (EPT)

● Register write events ([X]CR0/3/4, MSRs)

● Software breakpoint interrupts (INT3)

● Single-stepping (MTF)

What’s next with LibVMI?

Future directions

● More guest OS support:

o Android, BSD, etc.

● More (and better) hypervisor support:

o KVM events, VirtualBox, Hyper-V, ESXi, etc.

● More events support on more platforms:

o AMD, ARM, Intel

What’s next in the Cloud?

Future directions in the Cloud

● Software developed with Cloud in mind

● Scalable Applications and Separation of Tasks

● Enable VMI in the cloud

o The Software and Hardware is already available

o Cloud Providers do not provide access

Thanks!

Tamas K Lengyel [email protected] [email protected] @tklengyel

Thomas Kittel [email protected]

LibVMI http://libvmi.com

DRAKVUF http://drakvuf.com