trusted virtual domains on opensolaris: usable secure desktop environments

Upload: marcel-winandy

Post on 11-Jun-2015


Page 1: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments

System Security Lab

Trusted Virtual Domains on OpenSolaris:

Usable Secure Desktop Environments

Hans Löhr, Thomas Pöppelmann, Johannes Rave, Martin Steegmanns, Marcel Winandy

5th Annual Workshop on Scalable Trusted Computing (STC 2010), co-located with ACM CCS, Chicago, 4th October 2010

Page 2: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments

Marcel Winandy Trusted Virtual Domains on OpenSolaris 2


Trusted Virtual Domains (TVDs)

● Coalition of virtual machines (VMs)
● Distributed over various physical platforms
● Same trust level, same security policy
● Transparent policy enforcement

Page 3: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


TVD Implementations – Why a new one?

● TVDs on Xen:
  ● Required several changes in Xen and dom0 (e.g. sHype in Xen, vSwitch in dom0, etc.)
  ● Large VM images to deploy (e.g. Vista: ~2 GB)
  ● Focus on data centers
● TVD on OpenSolaris:
  ● Focus on end-user desktop systems
  ● Lightweight virtualization
  ● Requires no changes in kernel or core system

Page 4: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


Security Features of OpenSolaris

● Zones: Lightweight (OS) virtualization
● ZFS: Efficient file system
● MLS: built-in mandatory access control
● Secure GUI: trusted path, MLS support

And all comes for free!!!

Page 5: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


TVD on OpenSolaris: Architecture

Our Contribution

Page 6: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments

User Desktop

Page 7: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


Mapping TVD to MLS

● MLS: classification (level) + compartment (category)
● TVDs: non-hierarchical
● Solution: all TVDs same level, but distinct compartments (240 possible TVDs)
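An added example (not code from the slides or from the TVD-on-OpenSolaris project) that models the mapping above: every TVD label carries one shared classification and its own compartment bit, and the standard MLS dominance rule then isolates TVDs pairwise while a label holding several compartments can still dominate them. The level value, the label model and the management label are assumptions.

```python
# Added example: TVD-to-MLS mapping as modelled from the slide.
# A label is a classification (level) plus a set of compartments; A dominates B
# iff level(A) >= level(B) and compartments(B) is a subset of compartments(A).
from dataclasses import dataclass

TVD_LEVEL = 1      # assumption: the single classification shared by all TVDs
MAX_TVDS = 240     # compartment bits available, as stated on the slide


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset  # indices of the compartment bits that are set

    def dominates(self, other: "Label") -> bool:
        return (self.level >= other.level
                and other.compartments <= self.compartments)


def tvd_label(tvd_index: int) -> Label:
    """Label of TVD number tvd_index (0-based): shared level, private compartment."""
    if not 0 <= tvd_index < MAX_TVDS:
        raise ValueError(f"only {MAX_TVDS} TVDs fit into the compartment bits")
    return Label(TVD_LEVEL, frozenset({tvd_index}))


def may_flow(src: Label, dst: Label) -> bool:
    """Information may flow from src to dst only if dst dominates src
    (no read-up, no write-down)."""
    return dst.dominates(src)


def isolated(a: Label, b: Label) -> bool:
    """Two labels are isolated when neither dominates the other."""
    return not a.dominates(b) and not b.dominates(a)


def management_label(tvd_indices) -> Label:
    """Assumed label for a component that must see several TVDs: same level,
    union of their compartments, so it dominates each of them."""
    return Label(TVD_LEVEL, frozenset(tvd_indices))
```

Because all TVD labels sit at the same level, hierarchy never lets one TVD read another; the compartment bits alone decide visibility.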

Page 8: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


TVD Management

● Simple TVD management (Admin)
  ● Creation: name, description, network segment
  ● Assignment of users and zone images
● Automatic and transparent policy distribution
  ● Global Policy: MLS labels, user assignments
  ● Local Policy: allowed zones, network config, etc.
  ● Platform Policy: defines secure channel between master and platforms

Page 9: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


Efficient Zone Image Deployment (1)

● User Login: can choose working environments

Page 10: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


Efficient Zone Image Deployment (2)

● Minimal standard zone: 1.4 GB (!)
● But: ZFS features clones and snapshots
  ● Every image is a snapshot of a zone
  ● Snapshots can have dependencies (delta images)
● Tree-like organization:
  ● Base zone images
  ● Other zones are derived from base image
● Deployment: base in cache, deploy deltas only!
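An added example (not code from the slides or from the project) of the delta-only deployment planned above: zone images form a tree of ZFS snapshots, and for a platform that already caches some ancestors only the incremental streams beyond the newest cached one are sent. The pool and dataset names and the constructed image tree are assumptions.

```python
# Added example: plan delta-only deployment over a tree of ZFS zone-image snapshots.
# ZFS can send a clone's snapshot incrementally relative to its origin snapshot
# (zfs send -i origin@snap clone@snap), which is what makes delta images possible.

# Constructed image tree: snapshot -> snapshot it was cloned from (None = base image).
IMAGE_TREE = {
    "tvdpool/zones/base@v1": None,
    "tvdpool/zones/office@v1": "tvdpool/zones/base@v1",
    "tvdpool/zones/office@v2": "tvdpool/zones/office@v1",
    "tvdpool/zones/dev@v1": "tvdpool/zones/base@v1",
}


def lineage(tree, image):
    """Chain of snapshots from the base image down to `image` (inclusive)."""
    chain = []
    while image is not None:
        if image not in tree:
            raise KeyError(f"unknown image {image}")
        chain.append(image)
        image = tree[image]
    chain.reverse()
    return chain


def deployment_plan(tree, target, cached):
    """Return the `zfs send` commands that bring `target` to a platform whose
    cache already holds the snapshots in `cached` (each cached snapshot is
    assumed to carry its own ancestors). Only deltas past the newest cached
    ancestor are sent; with an empty cache the base image is sent whole."""
    chain = lineage(tree, target)
    start = -1                       # index of newest ancestor already cached
    for i, snap in enumerate(chain):
        if snap in cached:
            start = i
    cmds = []
    if start == -1:
        cmds.append(f"zfs send {chain[0]}")   # full stream of the base image
        start = 0
    for prev, nxt in zip(chain[start:], chain[start + 1:]):
        cmds.append(f"zfs send -i {prev} {nxt}")  # incremental delta only
    return cmds
```

Each command's output would be piped into `zfs receive` on the platform; the planner shows how much of the 1.4 GB base is avoided once it is cached.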

Page 11: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


Protected Storage Devices (1)

● Encrypted Home Directories
  ● Stored on central server (via NFS)
  ● Loopback-mounted (lofi) with built-in encryption
  ● TVD layer: management of encryption key
● Mobile Storage Devices (e.g. USB sticks)
  ● Similar approach
  ● Transparent encryption after assignment to a TVD

Page 12: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


Protected Storage Devices (2)

● User attaches new USB device

Page 13: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


Protected Storage Devices (3)

● Transparent encryption after assignment to TVD

Page 14: Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments


Conclusion

● TVD on OpenSolaris: efficient and usable TVD realization for end-user desktop systems
● Leverages existing OpenSolaris features
  ● Zones, MLS, ZFS, Secure GUI
● Adds new components
  ● Server infrastructure (TVD Master), local TVD Layer
  ● Transparent data encryption (home + USB sticks)
  ● Efficient zone image deployment
● No changes on kernel or core OS services

More information: http://www.trust.rub.de/projects/tvd-solaris