Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments
TRANSCRIPT
System Security Lab
Trusted Virtual Domains on OpenSolaris:
Usable Secure Desktop Environments
Hans Löhr, Thomas Pöppelmann, Johannes Rave, Martin Steegmanns, Marcel Winandy
5th Annual Workshop on Scalable Trusted Computing (STC 2010), co-located with ACM CCS, Chicago, 4 October 2010
Marcel Winandy Trusted Virtual Domains on OpenSolaris 2
Trusted Virtual Domains (TVDs)
● Coalition of virtual machines (VMs)
● Distributed over various physical platforms
● Same trust level, same security policy
● Transparent policy enforcement
TVD Implementations – Why a new one?
● TVDs on Xen:
  ● Required several changes in Xen and dom0 (e.g. sHype in Xen, vSwitch in dom0, etc.)
  ● Large VM images to deploy (e.g. Vista: ~2 GB)
  ● Focus on data centers
● TVD on OpenSolaris:
  ● Focus on end-user desktop systems
  ● Lightweight virtualization
  ● Requires no changes in kernel or core system
Security Features of OpenSolaris
● Zones: Lightweight (OS) virtualization
● ZFS: Efficient file system
● MLS: built-in mandatory access control
● Secure GUI: trusted path, MLS support
And all comes for free!!!
TVD on OpenSolaris: Architecture
Our Contribution
User Desktop
Mapping TVD to MLS
● MLS: classification (level) + compartment (category)
● TVDs: non-hierarchical
● Solution: all TVDs at the same level, but with distinct compartments (240 possible TVDs)
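The mapping on this slide can be checked with a small model of MLS dominance. The following is an added example, not code from the TVD-on-OpenSolaris project: it assumes a Bell-LaPadula style label (classification level plus a set of compartments), as used by Solaris Trusted Extensions, and gives every TVD the same level with one private compartment; the names `TVD_LEVEL`, `ADMIN_LABEL` and the compartment numbering are constructed for the example. It also models the rejected alternative (one level per TVD) to show why that would let one TVD dominate another.

```python
"""Model of the TVD-to-MLS label mapping (added example, not project code)."""
from dataclasses import dataclass, field
from typing import FrozenSet

TVD_LEVEL = 1     # the single classification level shared by all TVDs (assumption)
MAX_TVDS = 240    # number of distinct compartments the slides say are available


@dataclass(frozen=True)
class Label:
    level: int
    compartments: FrozenSet[int] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """MLS dominance: level is >= and the compartment set is a superset."""
        return self.level >= other.level and self.compartments >= other.compartments


def tvd_label(tvd_index: int) -> Label:
    """Map the i-th TVD to the common level with one private compartment bit."""
    if not 0 <= tvd_index < MAX_TVDS:
        raise ValueError(f"only {MAX_TVDS} TVD compartments are available")
    return Label(TVD_LEVEL, frozenset({tvd_index}))


def hierarchical_label(tvd_index: int) -> Label:
    """The rejected alternative: one classification level per TVD, no compartments."""
    return Label(tvd_index + 1)


def may_flow(src: Label, dst: Label) -> bool:
    """Information may flow from src to dst only if dst dominates src."""
    return dst.dominates(src)


def isolated(a: Label, b: Label) -> bool:
    """Two labels are isolated when no flow is allowed in either direction."""
    return not may_flow(a, b) and not may_flow(b, a)


# Constructed administrative label holding every TVD compartment: it dominates
# all TVD labels, while no TVD label dominates it.
ADMIN_LABEL = Label(TVD_LEVEL, frozenset(range(MAX_TVDS)))

if __name__ == "__main__":
    red, green = tvd_label(0), tvd_label(1)
    print("red -> green allowed:", may_flow(red, green))          # False
    print("red / green isolated:", isolated(red, green))          # True
    h0, h1 = hierarchical_label(0), hierarchical_label(1)
    print("hierarchical 0 -> 1 allowed:", may_flow(h0, h1))       # True (undesired)
    print("admin reads red:", may_flow(red, ADMIN_LABEL))         # True
```

With distinct compartments at one level, every pair of TVD labels is mutually non-dominating, which is exactly the non-hierarchical isolation the slide asks for; stacking TVDs on distinct levels instead would make the "higher" TVD dominate every lower one.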
TVD Management
● Simple TVD management (Admin)
  ● Creation: name, description, network segment
  ● Assignment of users and zone images
● Automatic and transparent policy distribution
  ● Global Policy: MLS labels, user assignments
  ● Local Policy: allowed zones, network config, etc.
  ● Platform Policy: defines secure channel between master and platforms
Efficient Zone Image Deployment (1)
● User Login: can choose working environments
Efficient Zone Image Deployment (2)
● Minimal standard zone: 1.4 GB (!)
● But: ZFS features clones and snapshots
  ● Every image is a snapshot of a zone
  ● Snapshots can have dependencies (delta images)
● Tree-like organization:
  ● Base zone images
  ● Other zones are derived from a base image
● Deployment: base in cache, deploy deltas only!
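The deployment rule on this slide (base image cached on the platform, only the missing deltas transferred) can be modelled as a walk up the snapshot tree. The following is an added example, not code from the TVD-on-OpenSolaris project: it represents the snapshot parent/child relationships and the platform's cache as plain Python data, and the image names, sizes and cache contents are constructed. In a real deployment each delta would correspond to an incremental `zfs send`/`zfs receive` of the snapshot against its parent, with the derived zone then created as a clone (assumption about how the slides' mechanism maps to ZFS commands).

```python
"""Model of delta-based zone image deployment (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Image:
    name: str
    parent: Optional[str]   # None for a base zone image
    delta_mb: int           # size of this snapshot's delta against its parent


# Constructed image tree: one base zone and zones derived from it.
CATALOG: Dict[str, Image] = {
    "base-osol":      Image("base-osol", None, 1400),        # minimal standard zone (~1.4 GB)
    "office":         Image("office", "base-osol", 300),
    "office-tvd-red": Image("office-tvd-red", "office", 20),
    "dev":            Image("dev", "base-osol", 500),
}


def lineage(catalog: Dict[str, Image], name: str) -> List[Image]:
    """Chain of images from the base image down to `name` (base first)."""
    chain = []
    while name is not None:
        img = catalog[name]      # KeyError if the image is unknown
        chain.append(img)
        name = img.parent
    return list(reversed(chain))


def plan_deployment(catalog: Dict[str, Image], name: str, cached: Set[str]) -> List[Image]:
    """Images that must be sent to a platform whose cache already holds `cached`.

    Walks from the requested image towards the base and stops at the first
    ancestor already present, so only the missing deltas are transferred.
    """
    to_send = []
    for img in reversed(lineage(catalog, name)):
        if img.name in cached:
            break
        to_send.append(img)
    return list(reversed(to_send))


def transfer_size(catalog: Dict[str, Image], name: str, cached: Set[str]) -> int:
    """Total megabytes transferred for a deployment plan."""
    return sum(img.delta_mb for img in plan_deployment(catalog, name, cached))


if __name__ == "__main__":
    for cache in (set(), {"base-osol"}, {"base-osol", "office"}):
        plan = [i.name for i in plan_deployment(CATALOG, "office-tvd-red", cache)]
        print(f"cache={sorted(cache)} -> send {plan}, "
              f"{transfer_size(CATALOG, 'office-tvd-red', cache)} MB")
```

Note that the cache only helps when it contains an ancestor of the requested image: a platform caching `office` still needs the full base when `dev` is deployed, which is why base images are the natural thing to pre-stage.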
Protected Storage Devices (1)
● Encrypted Home Directories
  ● Stored on central server (via NFS)
  ● Loopback-mounted (lofi) with built-in encryption
  ● TVD layer: management of encryption key
● Mobile Storage Devices (e.g. USB sticks)
  ● Similar approach
  ● Transparent encryption after assignment to a TVD
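The slides say only that the TVD layer manages the encryption key for lofi-encrypted home directories and USB sticks and that a device is encrypted transparently once assigned to a TVD. The following added example, not code from the TVD-on-OpenSolaris project, models one way such a layer can do that: a per-TVD master key (distributed by the TVD master, constructed here), a per-device key derived from it with HMAC-SHA256, and a key-check value stored in the device's metadata so that a device relabelled to another TVD cannot be opened with that TVD's key. The derivation scheme, the `DeviceMeta` layout and the key material are all assumptions of this example; the derived key is what would be handed to lofi's encryption support.

```python
"""Model of TVD-layer key management for encrypted storage (added example, not project code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


@dataclass
class DeviceMeta:
    """Non-secret metadata stored alongside the encrypted container (constructed layout)."""
    device_id: str   # e.g. USB serial number or the NFS path of the home image
    tvd: str         # TVD the device was assigned to
    salt: bytes
    kcv: bytes       # key-check value: lets the layer verify it derived the right key


class TVDLayer:
    def __init__(self, tvd_master_keys: Dict[str, bytes]):
        # Per-TVD master keys, in a real system received from the TVD master
        # over the platform's secure channel; here they are constructed.
        self._master = dict(tvd_master_keys)

    def _derive(self, tvd: str, device_id: str, salt: bytes) -> bytes:
        """Per-device key = HMAC-SHA256(master[tvd], tvd | device_id | salt)."""
        msg = b"|".join([tvd.encode(), device_id.encode(), salt])
        return hmac.new(self._master[tvd], msg, hashlib.sha256).digest()

    @staticmethod
    def _kcv(key: bytes) -> bytes:
        """Short key-check value; reveals nothing useful about the key itself."""
        return hmac.new(key, b"kcv", hashlib.sha256).digest()[:8]

    def assign(self, tvd: str, device_id: str) -> DeviceMeta:
        """User assigns a new device to a TVD: derive its key, return metadata to write."""
        salt = os.urandom(16)
        key = self._derive(tvd, device_id, salt)
        return DeviceMeta(device_id, tvd, salt, self._kcv(key))

    def unlock(self, meta: DeviceMeta, current_tvd: str) -> bytes:
        """Return the device key only for the TVD the user is currently working in."""
        if meta.tvd != current_tvd:
            raise PermissionError(
                f"device {meta.device_id} belongs to TVD {meta.tvd}, not {current_tvd}")
        key = self._derive(meta.tvd, meta.device_id, meta.salt)
        if not hmac.compare_digest(self._kcv(key), meta.kcv):
            raise ValueError("key check failed: wrong master key or tampered metadata")
        return key


if __name__ == "__main__":
    layer = TVDLayer({"red": b"\x01" * 32, "green": b"\x02" * 32})  # constructed keys
    meta = layer.assign("red", "usb-serial-0001")
    print("unlocked in red:", layer.unlock(meta, "red").hex()[:16], "...")
    for attempt in (lambda: layer.unlock(meta, "green"),
                    lambda: layer.unlock(DeviceMeta(meta.device_id, "green", meta.salt, meta.kcv), "green")):
        try:
            attempt()
        except (PermissionError, ValueError) as e:
            print("refused:", e)
```

The second refused attempt is the interesting one: rewriting the TVD name in the device metadata passes the TVD comparison, but the key derived under the other TVD's master key fails the key-check value, so the assignment is bound to the key material rather than to a label an attacker can edit.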
Protected Storage Devices (2)
● User attaches new USB device
Protected Storage Devices (3)
● Transparent encryption after assignment to TVD
Conclusion
● TVD on OpenSolaris: efficient and usable TVD realization for end-user desktop systems
● Leverages existing OpenSolaris features
  ● Zones, MLS, ZFS, Secure GUI
● Adds new components
  ● Server infrastructure (TVD Master), local TVD Layer
  ● Transparent data encryption (home + USB sticks)
  ● Efficient zone image deployment
● No changes to kernel or core OS services
More information: http://www.trust.rub.de/projects/tvd-solaris