
Xoar

Bart Miller – October 22nd, 2012



  1. Bart Miller – October 22nd, 2012 Xoar

  2. Outline • TCB & Threat Model • Xen Platform • Xoar Architecture Overview • Xoar Components • Design Goals • Results • Security • Vulnerability Mitigation • Performance

  3. TCB • Trusted Computing Base is defined as “the totality of protection mechanisms within a computer system – including hardware, firmware, and software – the combination of which is responsible for enforcing a security policy.” • Xen, by virtue of privilege, is part of the TCB

  4. TCB • In Xen, all components operate under a monolithic trust domain • Compromise of any component yields two benefits: • Gain privilege level of component • Access its interfaces to other components

  5. TCB

  6. Threat Model • Assumption #1: Administrators are not a concern • Business imperative • Assumption #2: Malicious guest VM • Violate data integrity or confidentiality • Exploiting code • Assumption #3: The control VM will contain bugs

  7. Xen Platform – A brief revisit • Device drivers • Virtualized, passed-through, or emulated • XenStore • Hierarchical key-value store • System-wide registry • Most critical component • Vulnerable to DoS attacks • Perform most administrative operations

  8. Xen Platform • Toolstack • Administrative functions • Create, destroy, manage resources and privilege for guest VMs • System Boot • Starts Dom0 process, initializes hardware

  9. Xoar Architecture Overview

  10. Xoar Components

  11. Design Goals • Reduce privilege • Each component should only have the privileges essential to its purpose • Each component should only expose interfaces when necessary

  12. Design Goals • Reduce sharing • Sharing components should be avoided wherever it is reasonable • Any sharing of components must be explicit • Allows for logging and auditing in the event of a compromise

  13. Design Goals

  14. Design Goals

  15. Design Goals • Reduce staleness • A component should only run for as long as it needs to perform its task. • It should be restored to a known, good state as frequently as practicable.
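The three design goals above (reduce privilege, reduce sharing, reduce staleness) and slide 4's observation that compromising one component yields its privilege level plus its interfaces to other components can be made concrete with a small reachability model. The following is an added illustration, not code from the Xoar paper or from these slides: the component names (Bootstrapper, PCIBack, Builder, XenStore, Toolstack, backend drivers, guest) are taken from the slides, but the privilege labels, the set of explicit interfaces between components and the `Platform`/`Component` classes are constructed assumptions for the demo. It compares the blast radius of a malicious guest against a monolithic Dom0 with that against a disaggregated control plane, and shows why a component destroyed once its boot-time job is done cannot be taken over at runtime.

```python
"""Blast-radius model: monolithic Dom0 vs. disaggregated service VMs.

Added example (not from the Xoar paper or the slides).  Component names
follow the slides; privileges and the interface graph are constructed
assumptions.  An edge src -> dst means src may send requests to dst's
interface, so an attacker holding src has dst as its next attack surface.
Reachability over those edges is an upper bound on what a chain of
exploits could obtain; it does not claim any interface is exploitable.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Component:
    """One isolated service VM (or, in monolithic Xen, the whole Dom0)."""
    name: str
    privileges: frozenset               # what compromising this component yields directly
    persistent: bool = True             # False: torn down once its boot-time job is done
    interfaces: set = field(default_factory=set)  # components it may talk to (explicit sharing)


class Platform:
    def __init__(self):
        self.components = {}
        self.audit_log = []             # every sharing relationship is recorded explicitly

    def add(self, comp):
        self.components[comp.name] = comp
        return comp

    def share(self, src, dst):
        """Declare an explicit interface src -> dst and log it for later auditing."""
        self.components[src].interfaces.add(dst)
        self.audit_log.append((src, dst))

    def compromise(self, start, after_boot=True):
        """Components and privileges reachable from an attacker holding `start`.

        Walks the explicit interfaces transitively (BFS).  When after_boot is
        True, components that were destroyed after initialization are skipped:
        a torn-down component offers no interface to attack (the staleness goal).
        """
        seen, gained, queue = set(), set(), deque([start])
        while queue:
            name = queue.popleft()
            if name in seen:
                continue
            comp = self.components[name]
            if after_boot and not comp.persistent:
                continue                # already destroyed: nothing to take over
            seen.add(name)
            gained |= comp.privileges
            queue.extend(comp.interfaces)
        return seen, frozenset(gained)


# All privileges the control plane holds, as constructed labels for the demo.
CONTROL_PRIVS = frozenset({"hw_init", "pci_assign", "build_vm", "registry",
                           "admin", "net_io", "disk_io"})


def monolithic_xen():
    """Everything the guest's backends need lives in one trust domain: Dom0."""
    p = Platform()
    p.add(Component("Dom0", CONTROL_PRIVS))
    p.add(Component("Guest", frozenset({"guest_mem"})))
    p.share("Guest", "Dom0")            # the guest's backend drivers are Dom0 itself
    p.share("Dom0", "Guest")
    return p


def disaggregated_xoar():
    """Each role is its own VM with only its own privilege; sharing is explicit."""
    p = Platform()
    p.add(Component("Bootstrapper", frozenset({"hw_init"}), persistent=False))
    p.add(Component("PCIBack", frozenset({"pci_assign"}), persistent=False))
    p.add(Component("Builder", frozenset({"build_vm"})))
    p.add(Component("XenStore", frozenset({"registry"})))
    p.add(Component("Toolstack", frozenset({"admin"})))
    p.add(Component("NetBack", frozenset({"net_io"})))
    p.add(Component("BlkBack", frozenset({"disk_io"})))
    p.add(Component("Guest", frozenset({"guest_mem"})))
    # Constructed interface graph (assumption, not the paper's exact topology).
    for src, dst in [("Bootstrapper", "PCIBack"), ("Bootstrapper", "Builder"),
                     ("Bootstrapper", "XenStore"), ("PCIBack", "NetBack"),
                     ("PCIBack", "BlkBack"), ("Toolstack", "Builder"),
                     ("Toolstack", "XenStore"), ("Builder", "XenStore"),
                     ("NetBack", "XenStore"), ("NetBack", "Guest"),
                     ("BlkBack", "XenStore"), ("BlkBack", "Guest"),
                     ("Guest", "NetBack"), ("Guest", "BlkBack")]:
        p.share(src, dst)
    return p


def guest_blast_radius(platform):
    """Privileges a malicious guest (slide 6) can reach at runtime, minus its own."""
    _, privs = platform.compromise("Guest", after_boot=True)
    return privs - {"guest_mem"}


if __name__ == "__main__":
    print("monolithic:", sorted(guest_blast_radius(monolithic_xen())))
    print("xoar      :", sorted(guest_blast_radius(disaggregated_xoar())))
    xoar = disaggregated_xoar()
    print("PCIBack reachable after boot?", xoar.compromise("PCIBack")[0])
```

In the monolithic model a single guest-reachable bug hands over every control-plane privilege, while in the disaggregated model the guest's transitive reach stops at its backend drivers and XenStore (which is why the slides single out XenStore as the most critical component). The `audit_log` captures the "sharing must be explicit" goal: any edge an attacker could traverse was declared at construction time, so it can be reviewed before deployment and correlated with logs after an incident.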

  16. Results - Security • Reduced TCB • Bootstrapper, PCIBack, and Builder are the most privileged components • Bootstrapper and PCIBack are destroyed once initialized • TCB reduced • Linux: 7.6M LoC • Builder: 13.5k LoC

  17. Results – Vulnerability Mitigation • Solved through isolation • Device Emulation • Virtualized Drivers • XenStore, re-written • Hypervisor vulnerabilities remain

  18. Results - Performance • Test system • Ca. 2011 server • Quad-core Xeon, 4 GB RAM • All virtualization features enabled • Memory overhead • 512 MB – 896 MB in Xoar vs. • 750 MB in XenServer

  19. Theoretical Benchmarks

  20. “Real-world” Benchmarks

  21. Questions • Any questions?
