Applications of Feather-Weight Virtual Machine
Yang Yu, Hariharan Govindarajan, Lap-chung Lam, Tzi-cker Chiueh
Stony Brook University / Symantec Research Labs
VEE 2008
Virtualization Technology Spectrum
• Software emulation of an operating environment: an instance of "every computer science problem can be solved by adding another level of indirection"; the indirection layer intercepts operations and performs additional value-added work
• Multiple possible interception interfaces:
  • Instruction set architecture (ISA): Bochs, QEMU
  • Hardware abstraction layer (HAL): VMware, Virtual PC, Xen
  • System call interface: BSD Jail, Linux VServer, Virtuozzo, Softricity
  • Library call interface: Wine, Interix, Cygwin
  • Language level: JVM, .NET framework
• Trade-off among implementation complexity, flexibility, performance overhead and isolation strength
OS-level Virtualization
• Virtualizing the system call interface so as to provide the illusion of multiple operating environments that are isolated from one another
[Figure: without virtualization, processes P1..P5 run directly on one operating system kernel; with an OS-virtualization layer inserted above the kernel, the same kernel and hardware host two isolated groups, P1, P3, P4 and P2, P5]
OS-level vs. HAL-based VM
• One OS vs. multiple (possibly heterogeneous) OSes
[Figure: OS-level virtualization stacks guest processes on an OS-level virtualization layer over a single host OS and the hardware; HAL-level virtualization stacks guest processes on separate guest OSes over a HAL virtualization layer and the hardware]
Properties of OS-level Virtualization
• Pro
  • OS-required resources do not need to be duplicated
  • Low per-VM resource requirement and better scalability
  • Instant creation and destruction of VMs
  • More flexibility in setting up the initial state of a new VM
  • Easier to share VM states whenever necessary
  • No changes required to existing applications or computing infrastructure
• Con
  • All VMs share a single OS kernel: weaker isolation among VMs
  • Kernel rootkit problem: a rootkit loaded from inside one VM subverts the kernel that every VM depends on
  • Higher implementation complexity
  • Additional restrictions on applications running in a VM
FVM: Feather-weight Virtual Machine
• Multiple OS-level VMs forked from the base operating environment of a Windows kernel
• Goals of FVM
  • Properly isolate different VMs running on a Windows kernel
  • Offer a flexible framework for developing security applications on end-user machines
• Technical challenges
  • How to achieve reasonable isolation among VMs without incurring inordinate implementation complexity
  • How to reliably commit a VM's state back to the host
Concrete Design Requirements
• Can start multiple instances of the same executable binary in multiple concurrent VMs
  • Daemon processes: Apache web server, DNS server
  • GUI processes: Microsoft Office suite, IE, Acrobat Reader
  • Some service processes cannot be multi-instanced: Windows Installer service
• Isolation of persistent state: files and registry entries
  • Read from the common base operating environment
  • File-level copy-on-write
• Communication confinement: IPC, device access, kernel object access, interaction with services
• Performance isolation
Basic FVM design
• A virtualization layer that intercepts Windows system calls
  • No modification to applications, libraries or the OS kernel
• Access redirection via renaming and copy-on-write
  • Mapping a virtual name to a physical name under the VM's own root
• Communication confinement
  • Virtualization through renaming of communication end-points
  • Visibility control: broadcast and enumeration operations
• Performance isolation: using a Windows "job object" to limit disk/memory usage and CPU scheduling priority
Low-Level Enabling Mechanisms
• File/registry virtualization
• Running multiple instances of the same application
• Inter-process communication confinement
• Daemon/service virtualization
• Network interface/stack virtualization
• Resource usage control

IPC Confinement
[Figure only]
An FVM's State
• A VM identifier
• A set of processes
• Root directories for files, registry and kernel objects
• A log of files and registry entries deleted/renamed by the VM
• An IP address
• A set of policies: resource usage quota, device access and service interaction
Limitations of FVM Prototype
• Kernel modification from inside a VM
  • Prohibit loading/unloading kernel drivers
  • Prohibit mapping physical memory (\Device\PhysicalMemory)
• Device access and IPC with daemons/services
  • Trade-off between isolation and functionality
  • Governed by policy
• Lack of VM migration support
App1: Secure Mobile Code Execution
• Start the web browser, email client or any suspicious program in a separate VM
• Selective commit based on analysis of the system/API call log: detect suspicious process behaviours before anything reaches the host
• Mark a file when it is committed to the host
• A marked file is always opened/executed in a separate VM until it is explicitly unmarked
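The mechanisms on the "Basic FVM design" and "An FVM's State" slides (rename-based redirection, file-level copy-on-write, a per-VM delete log, merged enumeration, renamed IPC end-points) and the App1 selective-commit-and-mark rule can be put together in a small model. The code below is an added example written for this page, not FVM's own code: `Host` and `FVM` are hypothetical classes, the "disk" is an in-memory dict keyed by Windows-style paths, and the `C:\fvm\<id>` root and `fvm-<id>-` object prefix are assumed naming conventions.

```python
"""Toy model of FVM-style OS-level file/IPC namespace virtualization.
Added example for this page; not code from FVM or the VEE 2008 paper.
The 'disk' is an in-memory dict; Host/FVM are hypothetical stand-ins."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Host:
    """Base operating environment: shared by all VMs, read-only from a VM's view."""
    files: dict = field(default_factory=dict)   # physical path -> content
    marked: set = field(default_factory=set)    # files committed from a VM (App1 rule)


@dataclass
class FVM:
    vm_id: str
    host: Host
    private: dict = field(default_factory=dict) # copy-on-write copies under the VM root
    deleted: set = field(default_factory=set)   # log of base files deleted/hidden by the VM

    def to_physical(self, vpath: str) -> str:
        """Rename a virtual name into the VM's own root (assumed layout C:\\fvm\\<id>\\...)."""
        return rf"C:\fvm\{self.vm_id}{vpath[2:]}"      # drop the 'C:' drive prefix

    def endpoint(self, name: str) -> str:
        """Rename an IPC end-point (mutex, section, pipe) so two VMs running the
        same binary never collide on one kernel object name."""
        leaf = name.rsplit("\\", 1)[-1]
        return rf"\BaseNamedObjects\fvm-{self.vm_id}-{leaf}"

    def read(self, vpath: str) -> bytes:
        if vpath in self.deleted:
            raise FileNotFoundError(vpath)             # hidden by the delete log
        if vpath in self.private:
            return self.private[vpath]                 # VM's own copy wins
        return self.host.files[vpath]                  # fall through to the base

    def append(self, vpath: str, data: bytes) -> None:
        if vpath not in self.private:
            # copy-on-write: first write materialises a private copy of the base file
            hidden = vpath in self.deleted or vpath not in self.host.files
            self.private[vpath] = b"" if hidden else self.host.files[vpath]
        self.deleted.discard(vpath)
        self.private[vpath] += data

    def delete(self, vpath: str) -> None:
        self.private.pop(vpath, None)
        if vpath in self.host.files:
            self.deleted.add(vpath)                    # hide base copy, never touch it

    def listdir(self, vdir: str) -> list:
        """Visibility control for enumeration: base view minus deletions, plus private files."""
        base = {p for p in self.host.files if p.startswith(vdir)} - self.deleted
        return sorted(base | {p for p in self.private if p.startswith(vdir)})

    def commit(self, allow: Callable[[str], bool]):
        """Selective commit: 'allow' is the verdict from log analysis per path.
        Committed files are marked so the host keeps opening them inside a VM."""
        committed, rejected = [], []
        for p, data in self.private.items():
            if allow(p):
                self.host.files[p] = data
                self.host.marked.add(p)
                committed.append(p)
            else:
                rejected.append(p)
        for p in sorted(self.deleted):
            if allow(p):
                self.host.files.pop(p, None)
                self.host.marked.discard(p)
        return committed, rejected


def must_run_in_vm(host: Host, path: str) -> bool:
    """Launcher check for the App1 rule: a marked file always opens in a separate VM."""
    return path in host.marked


def demo() -> dict:
    # Constructed sample base environment.
    host = Host(files={r"C:\Windows\hosts": b"127.0.0.1 localhost\n",
                       r"C:\Users\a\doc.txt": b"hello"})
    vm1, vm2 = FVM("vm1", host), FVM("vm2", host)
    vm1.append(r"C:\Windows\hosts", b"1.2.3.4 evil\n")   # COW into vm1's root
    vm1.append(r"C:\Users\a\notes.txt", b"draft")        # new file, private to vm1
    vm1.delete(r"C:\Users\a\doc.txt")                    # logged, base copy untouched
    snapshot = {
        "host_hosts": host.files[r"C:\Windows\hosts"],
        "vm1_hosts": vm1.read(r"C:\Windows\hosts"),
        "vm2_hosts": vm2.read(r"C:\Windows\hosts"),
        "vm1_users": vm1.listdir(r"C:\Users\a"),
        "vm2_users": vm2.listdir(r"C:\Users\a"),
        "endpoints_differ": vm1.endpoint(r"Local\MyAppMutex") != vm2.endpoint(r"Local\MyAppMutex"),
    }
    # Policy stands in for log analysis: nothing under C:\Windows may leave the VM.
    committed, rejected = vm1.commit(lambda p: not p.startswith(r"C:\Windows"))
    snapshot.update(committed=committed, rejected=rejected, marked=set(host.marked),
                    doc_on_host=r"C:\Users\a\doc.txt" in host.files,
                    notes_reopen_in_vm=must_run_in_vm(host, r"C:\Users\a\notes.txt"))
    return snapshot


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point to notice is that vm2 keeps seeing the pristine base file while vm1 sees its tampered copy, that vm1's deletion is only a log entry until commit, and that the commit predicate is the single choke point where analysis of the VM's behaviour decides what reaches the host.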
App2: Scalable Web Site Testing
[Figure: a web crawler driven by a URL DB fetches pages from the web servers into a local mirror VM; a pool of web browser VMs visits the mirrored sites; results are gathered into a testing report]
Web Site Testing Set-up
• Web crawler: WinHTTrack
• URL source: 237 websites from McAfee's SiteAdvisor
• Internet Explorer 5.0 running on unpatched Windows 2000
• IE security settings: high
• VM setup
  • One IE instance per VM
  • Total number of concurrent IE instances: 50
• Two parameters:
  • Number of seconds to wait
  • Number of URLs visited during the lifetime of each VM
Results
• VM start-up overhead in web site testing
  • FVM: 0.3 seconds
  • VMware Workstation 5.0: 30 to 50 seconds
• Scanning throughput
  • One URL visit per VM
  • Waiting time: 120 seconds
  • FVM-based: 50,000 to 70,000 URLs per day per machine
  • MS Strider HoneyMonkey (VMware-based): fewer than 8,000 per day per machine
App3: Shared Application Binary Server
• Application binary delivery architectures
  • Applications installed and executed on end-user machines
  • Applications installed and executed on a central server: thin-client computing
  • Applications installed on a central server and executed on individual user machines: shared application binary server
• Challenge: ensure applications are executed against the operating environment in which they were installed
Design
• When a client launches an executable stored on the server, associate the launched process with a VM running on the client
• Redirect accesses to the operating environment to the shared binary server
  • Exe, DLL, registry, environment variables, COM objects
  • System DLLs (kernel32, user32, ...)
• Accesses to user files and registry entries are not redirected

Shared Binary Server Architecture
[Figure: on the client, App1..AppK run under FVM; their file, registry, environment-variable and OLE/COM accesses are redirected to the shared binary server's file, registry, environment-variable and OLE/COM state, while local data stays on the client]
App4: Distributed Display-Only File Service
• Goal: protect confidential documents from information theft by insiders
[Figure: in the original DOFS architecture the application runs in a terminal session on the DOFS server behind a firewall and content filter; the DOFS client only receives a remote display and a document link, and a screen capture blocker guards the displayed protected document]
DDOFS Design
• Motivation
  • Application compatibility and performance issues in the DOFS architecture
• Approach
  • Move application execution back to the client, inside a VM, to carve out a piece of the client as a logical extension of the central server
  • A document opened in the VM cannot leak out of the VM because all writes go to the central server
  • Documents are encrypted as they travel over the network and decrypted only after they enter the VM

App4: DDOFS Architecture
[Figure: on the DDOFS client, the application runs in a VM under FVM with a screen capture blocker; the protected document is decrypted on entry to the VM and all writes are encrypted and sent to the write workspace on the DDOFS server]
Conclusion
• FVM is a full-scale implementation of OS-level virtualization for the Windows platform
• Tension between keeping legitimate applications working and preventing malicious applications from doing bad things
  • Tamper-resistance support is needed
• Optimized for sharing rather than for isolation: allows users to interact seamlessly with multiple VMs simultaneously
• Faster start-up and shut-down
• Facilitates development of security solutions for end-user machines

Open-source version of FVM 1.0 available at https://sourceforge.net/projects/fvm-rni
Questions? Thank you!