
Applications of Feather-Weight Virtual Machine


Presentation Transcript


  1. Applications of Feather-Weight Virtual Machine
  Yang Yu, Hariharan Govindarajan, Lap-chung Lam, Tzi-cker Chiueh
  Stony Brook University / Symantec Research Labs
  VEE 2008

  2. Virtualization Technology Spectrum
  • Software emulation of an operating environment: an example of "every computer science problem can be solved by adding an additional level of indirection"
    • Intercept & perform additional value-added operations
  • Multiple possible interception interfaces
    • Instruction set architecture (ISA): Bochs, QEMU
    • Hardware abstraction layer (HAL): VMware, Virtual PC, Xen
    • System call interface: BSD Jail, Linux Vserver, Virtuozzo, Softricity
    • Library call interface: Wine, Interix, Cygwin
    • Language level: JVM, .NET framework
  • Tradeoff among implementation complexity, flexibility, performance overhead and isolation strength

  3. OS-level Virtualization
  • Virtualizing the system call interface so as to provide the illusion of multiple operating environments that are isolated from one another
  [Figure: left, a single stack of Hardware / Operating System Kernel running processes P1–P5; right, the same stack with an OS-Virtualization Layer above the kernel splitting the processes into two isolated groups, P1, P3, P4 and P2, P5]

  4. OS-level vs. HAL-based VM
  • One OS vs. Multiple (possibly heterogeneous) OSes
  [Figure: OS-level Virtualization: Hardware / Host OS / OS-level Virtualization Layer / several groups of Guest Processes. HAL-level Virtualization: Hardware / HAL Virtualization Layer / several Guest OSes, each with its own Guest Processes]

  5. Properties of OS-level Virtualization
  • Pro
    • OS-required resource does not need to be duplicated
    • Low per-VM resource requirement and better scalability
    • Instant creation and destruction of VMs
    • More flexibility in initial state set-up of new VM
    • Easier to share VM states whenever necessary
    • No changes required to existing applications or computing infrastructure
  • Con
    • Share a single OS kernel: weaker isolation among VMs
      • kernel rootkit problem
    • Higher implementation complexity
    • Additional restrictions on applications running in a VM

  6. FVM: Feather-weight Virtual Machine
  • Multiple OS-level VMs forked from the base operating environment of a Windows kernel
  • Goals of FVM
    • Properly isolates different VMs running on a Windows kernel
    • Offers a flexible framework for developing security applications on end user machines
  • Technical challenges
    • How to achieve reasonable isolation among VMs without incurring inordinate implementation complexity
    • How to reliably commit a VM's state back to the host

  7. Concrete Design Requirements
  • Can start multiple instances of the same executable binary in multiple concurrent VMs
    • Daemon process: Apache web server, DNS server
    • GUI process: Microsoft Office suite, IE, Acrobat reader
    • Some service processes cannot be multi-instanced: Windows Installer service
  • Isolation of persistent state: files and registries
    • Read from the common base operating environment
    • File-level copy-on-write
  • Communication confinement: IPC, device access, kernel object access, interaction with services
  • Performance isolation

  8. Basic FVM design
  • A virtualization layer that intercepts Windows system calls
    • No modification to applications, libraries or OS kernel
  • Access redirection via renaming and copy-on-write
    • Mapping virtual name to physical name
  • Communication confinement
    • Virtualization through renaming of communication end-points
    • Visibility control: broadcast and enumeration operations
  • Performance isolation: using "job object" to limit disk/memory usage and CPU scheduling priority

  9. Low-Level Enabling Mechanisms
  • File/registry virtualization
  • Running multiple instances of the same application
  • Inter-process communication confinement
  • Daemon/Service virtualization
  • Network interface/stack virtualization
  • Resource usage control

  10. IPC Confinement
  [Figure slide; no text recovered beyond the title]

  11. An FVM's State
  • A VM identifier
  • A set of processes
  • Root directories for file, registry, kernel object
  • A log of files and registry entries deleted/renamed by the VM
  • An IP address
  • A set of policies: resource usage quota, device access and service interaction
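The renaming and copy-on-write redirection of slide 8 and the per-VM root directory plus delete log of slide 11, as an added illustration that is not FVM's own code. It models one VM's file view in Python: reads fall through to the shared base environment, the first write copies the file into the VM root, deletes are only logged, and commit() replays the private state onto the host. The physical layout (`<vm_root>/<virtual path>`) and the demo's file names are assumptions.

```python
import shutil
import tempfile
from pathlib import Path

class FvmNamespace:
    """Constructed model of one FVM's file view (not FVM's own code); see comments."""
    def __init__(self, base_root, vm_root):
        self.base = Path(base_root)   # shared base operating environment (the host)
        self.root = Path(vm_root)     # this VM's private root directory
        self.deleted = set()          # log of virtual paths deleted by this VM

    def read(self, vpath):
        if vpath in self.deleted:
            raise FileNotFoundError(vpath)   # hidden in this VM, still present on host
        priv = self.root / vpath      # virtual name -> physical name (assumed layout)
        return (priv if priv.exists() else self.base / vpath).read_text()

    def write(self, vpath, data):
        priv, base = self.root / vpath, self.base / vpath
        priv.parent.mkdir(parents=True, exist_ok=True)
        if not priv.exists() and base.exists() and vpath not in self.deleted:
            shutil.copy2(base, priv)  # copy-on-write: the host file is never modified
        self.deleted.discard(vpath)
        priv.write_text(data)

    def delete(self, vpath):
        priv = self.root / vpath
        if priv.exists():
            priv.unlink()
        self.deleted.add(vpath)       # host copy untouched, invisible to this VM only

    def commit(self):                 # replay private copies and logged deletes onto the host
        for priv in (p for p in self.root.rglob("*") if p.is_file()):
            dst = self.base / priv.relative_to(self.root)
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(priv, dst)
        for vpath in self.deleted:
            (self.base / vpath).unlink(missing_ok=True)
        self.deleted.clear()

def demo():
    # two VMs forked from one constructed base tree; VM1's changes stay private until commit
    base = Path(tempfile.mkdtemp())
    (base / "app.ini").write_text("color=blue")
    (base / "old.cfg").write_text("stale")
    vm1, vm2 = FvmNamespace(base, tempfile.mkdtemp()), FvmNamespace(base, tempfile.mkdtemp())
    vm1.write("app.ini", "color=red")       # first write triggers copy-on-write into VM1
    vm1.delete("old.cfg")                   # delete is logged, host file stays
    isolated = (vm1.read("app.ini"), vm2.read("app.ini"), vm2.read("old.cfg"))
    vm1.commit()
    return isolated, vm2.read("app.ini"), (base / "old.cfg").exists()
```

Until commit() runs, VM2 (and the host) still see the original app.ini and old.cfg; afterwards VM1's edit and delete are visible everywhere, which is the state the selective-commit step of App1 decides on.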

  12. Limitations of FVM Prototype
  • Kernel modification in a VM
    • Prohibit loading/unloading kernel driver
    • Prohibit mapping physical memory
      • \Device\PhysicalMemory
  • Device access and IPC with daemon/service
    • Tradeoff between isolation and functionality
    • Policy
  • Lack of VM migration support

  13. App1: Secure Mobile Code Execution
  • Start web browser, email client or any suspicious program in a separate VM
  • Selective commit based on analysis of system/API call log – detect suspicious process behaviors
  • Mark a file when it is committed to the host
    • A marked file is always opened/executed in a separate VM until it is explicitly unmarked

  14. App1: Secure Mobile Code Execution
  [Figure slide; no text recovered beyond the title]

  15. App2: Scalable Web Site Testing
  [Figure: a Web Crawler feeds a URL DB; URLs are dispatched to a Web Browser VM Pool of Web Browser VMs that fetch from Web Servers through a Local Mirror; each VM produces a Testing Report]

  16. Web Site Testing Set-up
  • Web crawler: WinHTTrack
  • URL source: 237 websites from McAfee's SiteAdvisor
  • Internet Explorer 5.0 runs on unpatched Win2K
    • IE security settings: high
  • VM setup
    • One IE instance per VM
    • Total number of concurrent IE instances: 50
  • Two parameters:
    • Number of seconds to wait
    • Number of URLs visited during the life time of each VM

  17. [Figure slide; no text recovered]

  18. Results
  • VM start-up overhead in web site testing
    • FVM: 0.3 seconds
    • VMware Workstation 5.0: 30 ~ 50 seconds
  • Scanning throughput
    • One URL visit per VM
    • Waiting time: 120 seconds
    • FVM-based: 50,000 ~ 70,000 per day per machine
    • MS Strider HoneyMonkey (VMware-based): < 8,000 per day per machine

  19. App3: Shared Application Binary Server
  • Application binary delivery architecture
    • Applications installed and executed on end user machines
    • Applications installed and executed on a central server: Thin-client computing
    • Applications installed on a central server and executed on individual user machines: Shared application binary server
  • Challenge: Ensure applications are executed against the operating environment in which they are installed

  20. Design
  • When a client launches an executable stored on the server, associate the launched process with a VM running on the client
  • Redirect access to the operating environment to the shared binary server
    • Exe, DLL, Registry, Environment Variable, COM object
    • System DLLs (kernel32, user32, …)
  • Accesses to user files and registry entries are not redirected

  21. Shared Binary Server Architecture
  [Figure: on the Client, App1, App2, App3 … AppK run on top of FVM with Local Data kept locally; FVM redirects File, Registry, Env Var and OLE/COM accesses to the Shared Binary Server, which holds the corresponding File, Registry, Env Var and OLE/COM state]

  22. App4: Distributed Display-Only File Service
  • Goal: protect confidential documents from information theft by insiders
  [Figure: DOFS architecture. The DOFS Client holds only a Document Link and a Terminal Session with Remote Display and a Screen Capture Blocker; the DOFS Server runs the App against the Protected Document behind a Firewall and a Content Filter]

  23. DDOFS Design
  • Motivation
    • Application compatibility & performance issue in the DOFS architecture
  • Approach
    • Move application execution back to client in a VM to carve out a piece of client as a logical extension of the central server
    • Document opened in a VM cannot leak out of the VM because all writes go to the central server
    • Documents are encrypted as they travel over the network and decrypted after they enter the VM

  24. App4: DDOFS Architecture
  [Figure: on the DDOFS Client, the App runs inside a VM on FVM with a Screen Capture Blocker, a Write Workspace and an Encrypt & Decrypt stage; the DDOFS Server holds the Protected Document and performs Decrypt & Encrypt as it is exchanged with the VM]

  25. Conclusion
  • FVM is a full-scale implementation of OS-level virtualization for the Windows platform
  • Making legitimate applications happy vs. preventing malicious applications from doing bad things
    • Tamper resistance support is needed
  • Optimized for sharing rather than for isolation → allow users to seamlessly interact with multiple VMs simultaneously
  • Faster start-up and shut-down
  • Facilitating development of security solutions for end user machines

  26. Open-source version of FVM 1.0 available at https://sourceforge.net/projects/fvm-rni
  Questions? Thank You!
