CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger
Virtual Machine Security
CSE443 - Spring 2012, Introduction to Computer and Network Security
Professor Jaeger, www.cse.psu.edu/~tjaeger/cse443-s12/
Operating System Quandary
• Q: What is the primary goal of system security?
• OS enables multiple users/programs to share resources on a physical device
• Q: What happens when we try to enforce Mandatory Access Control policies on UNIX systems?
‣ Think SELinux policies
• What can we do to simplify?
Virtual Machines
• Instead of using system software to enable sharing, use system software to enable isolation
• Virtualization
‣ “a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, and end users interact with those resources”
• Virtual Machines
‣ Single physical resource can appear as multiple logical resources
Virtual Machine Architectures
• Full system simulation
‣ CPU can be simulated
• Paravirtualization (Xen)
‣ VM has a special API
‣ Requires OS changes
• Native virtualization (VMWare)
‣ Simulate enough HW to run OS
‣ OS is for same CPU
• Application virtualization (JVM)
‣ Application API
Virtual Machine Types
• Type I
‣ Lowest layer of software is VMM
‣ E.g., Xen, VAX VMM, etc.
• Type II
‣ Runs on a host operating system
‣ E.g., VMWare, JVM, etc.
• Q: What are the trust model issues with Type II compared to Type I?
Virtual Machine Types
[Figure: Virtual Machine Monitor Approaches. Three software stacks over Hardware, each running Guest OS 1 and Guest OS 2 with an App on each. Type 2 VMM: Hardware, Host OS, VMM, guests (examples: JVM, CLR, VMware Workstation). Hybrid VMM: Hardware, Host OS and VMM side by side, guests (examples: MS Virtual Server, KVM). Type 1 VMM: Hardware, VMM, guests (examples: VMware ESX, Xen, MS Hyper-V).]
VM Security
• Isolation of VM computing
‣ Like a separate machine
[Figure: two VMs, each running a Guest OS, above a Virtual Machine Monitor that holds the physical device controls; device requests from the VMs go to the VMM, which partitions resources between them.]
VAX VMM System
• First system design to examine virtualization in the context of information flow security
• Virtualization mechanisms necessary to implement a reference validation mechanism that satisfies the reference monitor concept
• Assure system design and implementation to the highest level – A1 level per the Orange Book
• Control all system information flows according to MLS and Biba integrity policies (modulo exceptions in “privileges”)
• Also, covert channel countermeasures were produced, approximating noninterference
• System was piloted, but not released commercially
VAX VMM System: Virtualization Mechanisms
• Key design tasks of secure VMM
‣ Virtualize processor
• All security-sensitive instructions must be mediated by VMM
‣ VMM protection ring
• VMM must be deployed in a more privileged protection ring than the VMs
‣ I/O emulation
• Privileged I/O tasks must be executed in VMM or trusted VM
‣ Self-virtualizable
• OS must not detect when running on a VMM (or VMMs)
Virtualizing Instructions: Virtualize Processor
• Security-Sensitive Instructions
‣ Instructions that read or modify privileged system state
• Privileged Instructions
‣ Instructions that cause a trap when executed in a non-privileged ring
• All security-sensitive instructions must be privileged to enable the VMM to manage privileged system state (rather than individual VMs)
• This requirement was not met by the VAX hardware, nor originally by x86
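Added example (not from the slides, and not the VAX or x86 instruction set): a toy trap-and-emulate model in Python that classifies each instruction of an invented instruction set along the two axes above and shows what goes wrong when a sensitive instruction is not privileged. The instruction names, machine state and VMM are all constructed for illustration; RDFLAGS stands in for a flag-reading instruction that executes without trapping.

```python
"""Toy trap-and-emulate model illustrating the requirement that every
security-sensitive instruction must also be privileged (trap in the guest ring).

Constructed example: the ISA, the machine state and the VMM are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Each instruction is classified along the two axes from the slide:
#   sensitive  - reads or modifies privileged system state
#                (here: the hardware interrupt-enable flag)
#   privileged - traps when executed in the non-privileged ring
ISA: Dict[str, Dict[str, bool]] = {
    "ADD":     {"sensitive": False, "privileged": False},
    "CLI":     {"sensitive": True,  "privileged": True},   # disable interrupts
    "STI":     {"sensitive": True,  "privileged": True},   # enable interrupts
    "RDFLAGS": {"sensitive": True,  "privileged": False},  # reads the flag, no trap
}


def unmediated_instructions(isa: Dict[str, Dict[str, bool]]) -> List[str]:
    """Sensitive instructions that do not trap, i.e. that bypass the VMM.
    An empty list means the ISA meets the requirement on the slide."""
    return sorted(name for name, cls in isa.items()
                  if cls["sensitive"] and not cls["privileged"])


@dataclass
class Machine:
    ring: int = 0               # 0 = VMM (most privileged), 3 = guest
    intr_enabled: bool = True   # real, privileged system state
    acc: int = 0                # accumulator the guest can read


@dataclass
class VMM:
    hw: Machine
    vcpu_intr_enabled: bool = True              # the guest's VIRTUAL flag
    trap_log: List[str] = field(default_factory=list)

    def run_guest(self, program: List[str]) -> int:
        """Run a guest program in ring 3; return what the guest left in acc."""
        self.hw.ring = 3
        for instr in program:
            if ISA[instr]["privileged"]:
                # Hardware traps to the VMM, which emulates against vCPU state
                self.trap_log.append(instr)
                self.emulate(instr)
            else:
                # Executes directly on the hardware, sensitive or not
                self.execute_directly(instr)
        self.hw.ring = 0
        return self.hw.acc

    def emulate(self, instr: str) -> None:
        if instr == "CLI":
            self.vcpu_intr_enabled = False   # only the virtual flag changes
        elif instr == "STI":
            self.vcpu_intr_enabled = True

    def execute_directly(self, instr: str) -> None:
        if instr == "ADD":
            self.hw.acc += 1
        elif instr == "RDFLAGS":
            # Sensitive but unprivileged: the guest sees the REAL flag,
            # not the virtual one the VMM maintains for it
            self.hw.acc = int(self.hw.intr_enabled)


def demo() -> Dict[str, object]:
    """Guest disables interrupts (trapped) and then reads the flag (not trapped)."""
    vmm = VMM(Machine())
    observed = vmm.run_guest(["CLI", "RDFLAGS"])
    return {
        "trapped": list(vmm.trap_log),          # ["CLI"]
        "virtual_flag": vmm.vcpu_intr_enabled,  # False: guest believes IF=0
        "real_flag": vmm.hw.intr_enabled,       # True: hardware never changed
        "guest_observed": observed,             # 1: guest reads the real flag
    }


if __name__ == "__main__":
    print("unmediated:", unmediated_instructions(ISA))
    print(demo())
```

The guest ends up with inconsistent state: the VMM recorded its CLI in the virtual flag, but RDFLAGS reads the hardware flag and reports interrupts enabled. That inconsistency is exactly why the slide's requirement matters: a sensitive instruction that does not trap lets the guest observe or change privileged state the VMM thinks it owns, and it also lets the guest detect that it is virtualized, which breaks the "self-virtualizable" property. Paravirtualizing the OS or adding hardware support (so that the instruction traps) are the usual remedies.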
I/O Emulation
• Access to devices is expected by each operating system, but this access is security-sensitive
‣ Thus, devices are virtualized
• Access to devices must be directed to the party with physical device access
‣ Memory-mapped I/O uses unprivileged instructions
• VAX VMM adds a layer of indirection
‣ I/O interface that causes a trap
‣ OS must be modified to use that interface (paravirtualize)
Other Issues
• Driver management
‣ In VAX VMM, all drivers were in the VMM kernel
‣ This was for assurance, but added code to VMM
• Drivers are outside the VMM in most systems
• DMA
‣ Devices can use this mechanism to write to physical memory, but under guidance of untrusted VMs
• VAX VMM trusted drivers, but not practical today
• Performance – E.g., page table lookups
VAX VMM System: VAX VMM Design
[Figure: the VMM Security Kernel sits directly above the memory, disk, print and display devices. Above it run guest VMs with Ultrix OS and VMS OS, each hosting applications at a single classification level: Top Secret, Secret or Unclassified.]
NetTop
• Isolated networks of VMs
• Alternative to “air gap” security
[Figure: NetTop. VMware running on an SELinux host OS (labelled "VMWare MLS") hosts a "VM: Secret" and a "VM: Public", each with its own guest OS.]
Xen
• Privileged VM
[Figure: the Xen Hypervisor partitions resources among DomU VMs, each with its own guest OS. Device requests are directed to Dom 0, the privileged VM whose host OS holds the drivers and provides VM services.]
Xen sHype
• Controlled information flows among VMs
[Figure: same Xen layout as above (DomU VMs with guest OS, Dom 0 with drivers and VM services, partitioned resources, device requests), with a reference monitor (RefMon) added inside the Xen Hypervisor.]
Xen sHype Policies
• Type Enforcement over VM communications
‣ VM labels are subjects
‣ VM labels are objects
• How do VMs communicate in Xen?
‣ Grant tables: pass pages between VMs
‣ Event channels: notifications (e.g., when to pass pages)
‣ sHype controls these
• Q: What about VM communication across systems?
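Added example (not from the slides, and not sHype's or Xen's actual policy format or API): a small Python reference monitor in the spirit of the slide above. VM labels carry types, a Type Enforcement policy says which (subject type, object type) pairs may share pages or send notifications, and the two hook points stand in for the grant-table and event-channel paths. The VM names, labels, types and rules are all constructed.

```python
"""Type Enforcement over inter-VM communication, modelled on the sHype idea
of mediating Xen grant tables and event channels in the hypervisor.

Constructed example: labels, types, policy and hook names are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# VM label -> types. The same label serves as subject (when the VM initiates
# an operation) and as object (when the VM is the target).
VM_LABELS: Dict[str, FrozenSet[str]] = {
    "dom0":    frozenset({"system"}),
    "web":     frozenset({"dmz"}),
    "db":      frozenset({"internal"}),
    "payroll": frozenset({"finance"}),
}

# (subject type, object type) -> operations permitted in that direction.
# "share_page" models grant-table page sharing, "notify" an event-channel send.
# Anything not listed is denied, so "payroll" cannot talk to anyone but dom0.
TE_POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("system", "dmz"):      frozenset({"share_page", "notify"}),
    ("system", "internal"): frozenset({"share_page", "notify"}),
    ("system", "finance"):  frozenset({"share_page", "notify"}),
    ("dmz", "internal"):    frozenset({"notify"}),   # web may signal db, not share memory
    ("internal", "dmz"):    frozenset({"notify"}),
}


@dataclass
class RefMon:
    labels: Dict[str, FrozenSet[str]]
    policy: Dict[Tuple[str, str], FrozenSet[str]]
    audit: List[str] = field(default_factory=list)

    def authorize(self, subject_vm: str, op: str, object_vm: str) -> bool:
        """Allow iff some (subject type, object type) pair of the two labels
        permits op. Unknown VMs have no types and are therefore denied.
        Every decision is recorded, which is the 'complete mediation' part."""
        allowed = any(
            op in self.policy.get((s, o), frozenset())
            for s in self.labels.get(subject_vm, frozenset())
            for o in self.labels.get(object_vm, frozenset())
        )
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{verdict} {subject_vm} -{op}-> {object_vm}")
        return allowed

    # The two hook points named on the slide (constructed names).
    def grant_table_map(self, mapper_vm: str, granter_vm: str) -> bool:
        """mapper_vm asks to map a page that granter_vm offered via a grant table."""
        return self.authorize(mapper_vm, "share_page", granter_vm)

    def event_channel_send(self, sender_vm: str, receiver_vm: str) -> bool:
        """sender_vm sends an event-channel notification to receiver_vm."""
        return self.authorize(sender_vm, "notify", receiver_vm)


def demo() -> Dict[str, bool]:
    rm = RefMon(VM_LABELS, TE_POLICY)
    return {
        "dom0_shares_with_web":  rm.grant_table_map("dom0", "web"),      # True
        "web_notifies_db":       rm.event_channel_send("web", "db"),     # True
        "web_shares_with_db":    rm.grant_table_map("web", "db"),        # False
        "payroll_notifies_web":  rm.event_channel_send("payroll", "web"),# False
        "web_shares_with_dom0":  rm.grant_table_map("web", "dom0"),      # False
        "unlabelled_vm_notifies": rm.event_channel_send("rogue", "db"),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the model makes visible. First, the policy is about coarse objects (whole VMs, identified by label), which is the "coarser-grained objects" point in the take-away: nothing here inspects what is in the shared page. Second, the monitor only sees operations that pass through hypervisor hooks; a page shared with Dom 0 and then forwarded over the network to a VM on another host is invisible to it, which is the question the slide ends on.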
Xen Security Modules
• Comprehensive Reference Monitor interface for Xen
‣ Based on LSM ideas
‣ Includes about 57 “hooks” (more expected)
• Supports sHype hooks
‣ Plus, hooks for VM management, resource partitioning
• Another aim: Decompose domain 0
‣ Specialize kernel for privileged operations
‣ E.g., Remove drivers
IOMMU Role in the System
[Figure, built up over five slides: applications run on system software with RAM beneath. An MMU, under the control of system software, mediates application accesses to RAM. Peripherals are then added and reach RAM directly. Finally an IOMMU, also under the control of system software, mediates peripheral accesses to RAM in the same way the MMU mediates application accesses.]
I/O Device Assignment
[Figure: a hypervisor with a parent VM (VM 0) controls both the MMU and the IOMMU. VM Guest 1 (an OS running processes), VM Guest 2 and VM Guest 3 share RAM; peripherals assigned to guests reach RAM only through the IOMMU.]
VM Security Status
• Aim is simplicity
• Are we achieving this?
• Do we care what happens in the VMs?
• When might we care?
• Trusted computing base
• How does this compare to traditional OS?
Virtual Machine Threats
• How does the insertion of a virtual machine layer change the threats against the system?
Virtual Machine Rootkit
• Rootkit
‣ Malicious software installed by an attacker on a system
‣ Enable it to run on each boot
• OS Rootkits
‣ Kernel module, signal handler, ...
‣ When the kernel is booted, the module is installed and intercepts user process requests, interrupts, etc.
‣ E.g., keylogger
• VM Rootkit
‣ Research project from Michigan and Microsoft
‣ If security service runs in VM, then a rootkit in VMM can evade security
‣ E.g., Can continue to run even if the system appears to be off
Take Away
• VM systems focus on isolation
‣ Enable reuse, but limited by security requirements
• Enable limited communication
‣ The policies are not trivial, but refer to coarser-grained objects