![Page 1: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/1.jpg)
Advanced Security Features of the Xen Project Hypervisor
Russell PavlicekXen Project Evangelist
Citrix Systems
![Page 2: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/2.jpg)
Who is the Old, Fat Geek Up Front?
● Xen Project Evangelist (I have a big mouth...)
● Employed by Citrix, focused entirely on Xen project
● History with open source begins in 1995
● Former columnist for Infoworld, Processor magazines
● Former panelist on The Linux Show, speaker at over 50 Open Source conferences
● Over 150 pieces published, one book on open source, plus blogs
![Page 3: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/3.jpg)
Presentation Goals
● Introduce the subject of security in the Cloud
● Introduce you to the Xen Project Security Tools
● Discuss some key Xen Project security features
● Get you started in the right direction toward securing your Xen Project Hypervisor installation
![Page 4: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/4.jpg)
Presentation Outline
● A few thoughts on the problem of securing the Cloud
● Overview of the Xen Project architecture
● Brief introduction to the principles of security analysis
● Examine some of the attack surfaces and the Xen Project features we can use to mitigate them:
– Driver Domains
– PVgrub
– Stub Domains
– Paravirtualization (PV) versus Hardware Virtualization (HVM)
– FLASK example policy
![Page 5: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/5.jpg)
Introduction: Xen Project, The Cloud,and Security
![Page 6: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/6.jpg)
Introduction: Xen Project and Security
● Xen Project produces an enterprise-grade Type 1 hypervisor
● Built for the cloud before it was called cloud
● A number of advanced security features
– Driver domains, stub domains, FLASK, and more
– Most of them are not (or cannot) be turned on by default
– Although they can be simple to use, sometimes they appear complicated
![Page 7: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/7.jpg)
The Cloud Security Conundrum
● Cloud Security: The 800lb Gorilla in the room
– Nothing generates more fear in specific, and FUD in general
– Probably the single greatest barrier to Cloud adoption
● Immediately behind it is the inability to get out of the 20th century IT mindset
– Must get past the “Change is Bad” concept of 1980– Cloud is about embracing change at a rapid pace
– The good news: the “Gorilla” is actually a “Red Herring”
● We don't need to fear it – we just need to solve it
![Page 8: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/8.jpg)
Cloud Security: New Visibility to an Old Problem
● Security has always been an IT issue
● Putting a truly secure system in the open does not reduce its security, it just increases the frequency of attack
● Unfortunately, system security behind the firewall has not always been comprehensive
● Having solutions in an external cloud forces us to solve the security issues we should have already solved
News Flash: Security Through Obscurity is Dead
![Page 9: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/9.jpg)
Use Security by Design, Not by Wishful Thinking
● Security by wishful thinking no longer works
– Merely hoping that your firewall holds off the marauding hordes is NOT good enough
– Addressing security in one area while ignoring others is NOT good enough
– Saying, “We never had a problem before” is NOT good enough
● Comprehensive security starts with design
– It needs to be planned carefully and thought through
– It needs to be implemented at multiple levels
– It needs components which are themselves securable
![Page 10: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/10.jpg)
Xen Project: Security by Design
● Xen Project software was designed for clouds before the term “cloud” was ever coined in the industry
– Designers foresaw the day of “infrastructure for wide-area distributed computing” which we now call “the cloud”
– http://www.cl.cam.ac.uk/research//srg/netos/xeno/publications.html
● The hypervisor is designed to thwart attacks from many attack vectors, using different defensive techniques
![Page 11: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/11.jpg)
Basic Architecture of the Xen Project Hypervisor
![Page 12: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/12.jpg)
Hypervisor Architectures
Type 1: Bare metal HypervisorA pure Hypervisor that runs directly on the hardware and hosts Guest OS’s.
Provides partition isolation + reliability, higher security
Provides partition isolation + reliability, higher security
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
![Page 13: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/13.jpg)
Hypervisor Architectures
Type 1: Bare metal HypervisorA pure Hypervisor that runs directly on the hardware and hosts Guest OS’s.
Type 2: OS ‘Hosted’A Hypervisor that runs within a Host OS and hosts Guest OS’s inside of it, using the host OS services to provide the virtual environment.
Provides partition isolation + reliability, higher security
Provides partition isolation + reliability, higher security
Low cost, no additional drivers Ease of use and installation
Low cost, no additional drivers Ease of use and installation
Host HWHost HWMemory CPUsI/O
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host OSHost OS
Device DriversDevice DriversRing-0 VM Monitor “Kernel “Ring-0 VM Monitor “Kernel “
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
UserAppsUserApps
User-level VMMUser-level VMM
Device ModelsDevice Models
![Page 14: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/14.jpg)
Xen Project: Type 1 with a Twist
Type 1: Bare metal Hypervisor
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
![Page 15: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/15.jpg)
Xen Project: Type 1 with a Twist
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
Type 1: Bare metal Hypervisor
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
SchedulerScheduler MMUMMU
XEN Architecture
![Page 16: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/16.jpg)
Xen Project: Type 1 with a Twist
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
Type 1: Bare metal Hypervisor
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
SchedulerScheduler MMUMMU
XEN Architecture
Control domain (dom0)Control domain (dom0)
DriversDrivers
Device ModelsDevice Models
Linux & BSDLinux & BSD
![Page 17: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/17.jpg)
Xen Project Architecture: Basic Parts
![Page 18: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/18.jpg)
Security Thinking: An Approach
![Page 19: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/19.jpg)
An Approach to Security Thinking
● Threat models:
– Attacker can access network
– Attacker controls one Guest VM
● Security considerations to evaluate:
– How much code is accessible?
– What is the interface like? (e.g., pointers vs scalars)
– Defense-in-depth: how many rings of defense surround you?
● Then combine security tactics to secure the installation
– There is no single "magic bullet"
– Individual tactics reduce danger; combined tactics go farther
![Page 20: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/20.jpg)
Example System For This Discussion
● Hardware setup
– Two networks: one Control network, one Guest network
– IOMMU with interrupt remapping (AMD or Intel VT-d v2) to allow for full hardware virtualization (HVM)
● Default configuration
– Network drivers in the Control Domain (aka "Domain 0" or just "Dom0")
– Paravirtualized (PV) guests using PyGrub (grub-like boot utility within context of Guest Domain)
– Hardware Virtualized (HVM) guests using Qemu (as the device model) running in the Control Domain
![Page 21: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/21.jpg)
Attacking the Network Interface
![Page 22: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/22.jpg)
Attack Surface: Network Path
![Page 23: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/23.jpg)
Attack Surface: Network Path
● Where might an exploit focus?
– Bugs in hardware driver
– Bugs in bridging / filtering
– Bugs in netback (via the ring protocol)
● Netback and Netfront are part of the Paravirtualization mode● Note the exploits
– The main exploits exist already, even in hardware
– The netback surface is very small, but needs to be acknowledged
– When these are attacked in hardware, you have deep trouble
– You actually have better defense in the VM than in hardware
![Page 24: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/24.jpg)
Result: Network Path Compromised
![Page 25: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/25.jpg)
Result: Network Path Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control of Domain 0 kernel
![Page 26: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/26.jpg)
Security Feature: Driver Domains
![Page 27: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/27.jpg)
Security Feature: Driver Domains
● What is a Driver Domain?
– Unprivileged VM which drives hardware
– It provides driver access to guest VMs
– Very limited scope; not a full operating system
– Does not have the access or capability of a full VM
![Page 28: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/28.jpg)
Result: Driver Domain Compromised
![Page 29: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/29.jpg)
Result: Driver Domain Compromised
● Now a successful exploit could yield:
– Control of the Driver Domain (Paravirtualization hypercall interface)
● But the Driver Domain is limited: no shell, no utilities
– Control of that guest's network traffic
● But in the cloud, most orchestrators detect network traffic failure
● The problem is not allowed to stand very long
– Control of the network interface card (NIC)
– An opportunity to attack the netfront of other guest VMs
● But to take advantage of this platform, you need to launch another attack
● Compound attacks are complex, and they take time which you may not have
![Page 30: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/30.jpg)
Basic How To: Driver Domains
● Create a VM with appropriate drivers
– Use any distribution suitable as a Control Domain
● Install the Xen Project hotplug scripts
– Just installing the Xen Project tools in the VM is usually good enough
● Give the VM access to the physical NIC with PCI passthrough
● Configure the network topology in the Driver Domain
– Just like you would for the Control Domain
![Page 31: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/31.jpg)
Basic How To: Driver Domains
● Configure the guest Virtual Network Interface (vif) to use the new domain ID
– Add “backend=domnet” to vif declaration
vif = [ 'type=pv, bridge=xenbr0, backend=domnet' ]
Detailed Info
http://wiki.xenproject.org/wiki/Driver_Domain
![Page 32: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/32.jpg)
Attacking the PyGrub Boot Loader
![Page 33: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/33.jpg)
Attack Surface: PyGrub
![Page 34: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/34.jpg)
Attack Surface: PyGrub
● What is PyGrub?
– “grub” implementation for Paravirtualized guests
– A Python program running in Control Domain
● What does it do?
– It reads the guest VM's filesystem
– It parses grub.conf
– It displays a boot menu to the user
– It passes the selected kernel image to domain builder
![Page 35: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/35.jpg)
Attack Surface: PyGrub
![Page 36: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/36.jpg)
Attack Surface: PyGrub
● Where might an exploit focus?
– Bugs in file system parser
– Bugs in menu parser
– Bugs in domain builder
● Again, note the exploits
– Forms of these exist in hardware as well
– But hardware doesn't have as many options to combat the situation
![Page 37: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/37.jpg)
Result: PyGrub Compromised
![Page 38: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/38.jpg)
Result: PyGrub Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control of Domain 0 user space
![Page 39: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/39.jpg)
Security Feature: Fixed Kernels
![Page 40: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/40.jpg)
Security Feature: Fixed Kernels
● What is a fixed kernel?
– Passing a known-good kernel from Control Domain
● No longer allows a user to choose the kernel
● Best practice for anything in production
– Removes attacker avenue to domain builder
● Disadvantages
– Host administrator must keep up with kernel updates
– Guest admin can't pass kernel parameters or custom kernels
![Page 41: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/41.jpg)
Security Feature: PVgrub
![Page 42: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/42.jpg)
Security Feature: PVgrub
● What is PVgrub?
– MiniOS plus the Paravirtualized port of “grub” running in a guest context
– Paravirtualized equivalent of Hardware Virtualized combination of BIOS plus grub
![Page 43: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/43.jpg)
Result: PVgrub Compromised
Control Domain is no longer at risk
Vulnerability Analysis:
Now a successful exploit could yield:
Control of the attacked Guest Domain alone
![Page 44: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/44.jpg)
Basic HowTo: PVgrub
● Make sure that you have the PVgrub image
– “pvgrub-$ARCH.gz”
– Normally lives in “/usr/lib/xen/boot”
– Debian, SLES: Currently need to build for yourself
– Included in Fedora Xen Project packages● Use appropriate PVgrub as bootloader in guest
configuration:
– kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz"
See http://wiki.xenproject.org/wiki/Pvgrub
![Page 45: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/45.jpg)
Attacking the Qemu Device Model
![Page 46: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/46.jpg)
Attack Surface: Device Model (Qemu)
![Page 47: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/47.jpg)
Attack Surface: Device Model (Qemu)
● What is Qemu?
– In other contexts, a virtualization provider
– In the Xen Project context, a provider of needed device models
● Where might an exploit focus?
– Bugs in NIC emulator parsing packets
– Bugs in emulation of virtual devices
![Page 48: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/48.jpg)
Result: Device Model Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control Domain privileged user space
![Page 49: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/49.jpg)
Security Feature: Qemu Stub Domains
● What is a stub domain?
– Stub domain: a small “service'' domain running just one application
– Qemu stub domain: run each Qemu in its own domain
![Page 50: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/50.jpg)
Result: Stub Domain Compromised
You need to devise another attack entirely to do anything more significant
Vulnerability Analysis:
Now a successful exploit could yield:
Control only of the stub domain VM(which, if FLASK is employed, is a relatively small universe)
![Page 51: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/51.jpg)
Basic HowTo: Qemu Stub Domains
● Make sure that you have the ioemu image:
– “ioemu-$ARCH.gz”
– Normally lives in “/usr/lib/xen/boot”
– SUSE SLES, currently need to build it yourself (SLES 12?)
– Included in Fedora Xen Project packages
– On Debian (and offshoots), you will need to build it yourself
● Specify stub domains in your guest configuration:
device_model_stubdomain_override = 1
http://wiki.xenproject.org/wiki/Device_Model_Stub_Domains
Detailed Info
![Page 52: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/52.jpg)
Attacking the Hypervisor Itself
![Page 53: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/53.jpg)
Attack Surface: The Hypervisor Itself
● Where might an exploit focus?
– On Paravirtualized (PV) Guests:● PV Hypercalls
– On full Hardware Virtualized (HVM) Guests:● HVM hypercalls (Subset of PV hypercalls)● Instruction emulation (MMIO, shadow pagetables)● Emulated platform devices: APIC, HPET, PIT● Nested virtualization
● Security practice: Use PV VMs whenever possible
![Page 54: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/54.jpg)
Using the Xen Project Security Module
![Page 55: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/55.jpg)
Security Feature: FLASK Policy
● What is FLASK?
– Xen Project Security Module (XSM): Xen Project equivalent of LSM
– FLASK: FLux Advanced Security Kernel
– Framework for XSM developed by NSA
– Xen Project equivalent of SELinux
– Uses same concepts and tools as SELinux
– Allows a policy to restrict hypercalls
![Page 56: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/56.jpg)
Security Feature: FLASK Policy
● What can FLASK do?
– Basic: Restricts hypercalls to those needed by a particular guest
– Advanced: Allows more fine-grained granting of privileges
● FLASK example policy
– This contains example roles for the Control Domain (dom0), User/Guest Domain(domU), stub domains, driver domains, etc.
– Make sure you TEST the example policy in your environment BEFORE putting it into production!
NOTE: As an example policy, it is not as rigorously tested as other parts of Xen during release; make sure it is suitable for you
![Page 57: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/57.jpg)
Basic HowTo: FLASK Example Policy
● Build Xen Project software with XSM enabled
● Build the example policy
● Add the appropriate label to guest config files:
– “seclabel=[foo]”
– “stubdom_label=[foo]”
http://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK
Detailed Info
![Page 58: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/58.jpg)
ARM-Specific Security Features
![Page 59: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/59.jpg)
ARM SOCARM SOC
Xen Project + ARM = A Perfect Match
ARM Architecture Features for Virtualization ARM Architecture Features for Virtualization
Hypervisor mode : EL2
Kernel mode : EL1
User mode : EL0
GICv2
GICv2GTGT
2 stageMMU
2 stageMMU
I/O
Device Tree describes …
Hypercall Interface HVCHypercall Interface HVC
![Page 60: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/60.jpg)
ARM SOCARM SOC ARM Architecture Features for Virtualization ARM Architecture Features for Virtualization
EL2
EL1
EL0
GICv2
GICv2GTGT
2 stageMMU
2 stageMMU
I/O
Device Tree describes …
HVCHVC
Xen Project + ARM = A Perfect Match
Xen Project HypervisorXen Project Hypervisor
![Page 61: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/61.jpg)
ARM SOCARM SOC ARM Architecture Features for Virtualization ARM Architecture Features for Virtualization
EL2
EL1
EL0
GICv2
GICv2GTGT
2 stageMMU
2 stageMMU
I/O
Device Tree describes …
HVCHVC
Xen Project + ARM = A Perfect Match
Xen Project HypervisorXen Project Hypervisor
Any Xen Project Guest VM (including Dom0)Any Xen Project Guest VM (including Dom0)
KernelKernel
User SpaceUser Space
HVCHVC
![Page 62: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/62.jpg)
ARM SOCARM SOC ARM Architecture Features for Virtualization ARM Architecture Features for Virtualization
EL2
EL1
EL0
GICv2
GICv2GTGT
2 stageMMU
2 stageMMU
I/O
Device Tree describes …
HVCHVC
Xen Project + ARM = A Perfect Match
Xen Project HypervisorXen Project Hypervisor
Dom0only
Dom0only
Any Xen Project Guest VM (including Dom0)Any Xen Project Guest VM (including Dom0)
KernelKernel
User SpaceUser Space
I/O
PVback
PV frontI/O
HVCHVC
![Page 63: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/63.jpg)
ARM: Right Solution for Security
● Stays in ARM Hypervisor Mode
– The ARM architecture has separate Hypervisor and Kernel modes
– Because Xen Project's architecture maps so well to the ARM architecture, the hypervisor never has to use Kernel mode
– Other hypervisors have to flip back and forth between modes
– If a hypervisor has to enter Kernel mode, it loses the security of running in a privileged mode, isolated from the rest of the system
– This is a non-issue with the Xen Project Hypervisor on ARM
● Does not need to use device emulation
– No emulation means a smaller attack surface for bad guys
![Page 64: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/64.jpg)
Xen Project Events Coming Up
● Xen Project User Summit
– September 15, 2014 in New York City
– Call For Participation closes May 31http://events.linuxfoundation.org/events/xen-project-user-summit/program/cfp
● Xen Project Developer Summit
– August 18-19, 2014 in Chicago at LinuxCon NA
– Call For Participation closes May 2http://events.linuxfoundation.org/events/xen-project-developer-summit
![Page 65: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/65.jpg)
For More Information...
Thanks to George Dunlap for supplying much of the information presented here, and Stefano Stabellini for ARM information
Center of the Xen Project universe: http://www.XenProject.org/
Contact me at [email protected]
Detailed Info
http://wiki.xenproject.org/wiki/Securing_Xen
Thank You!
![Page 66: LFNW2014 Advanced Security Features of Xen Project Hypervisor](https://reader036.vdocument.in/reader036/viewer/2022062513/555a3f80d8b42ae1398b4db7/html5/thumbnails/66.jpg)