Virtualisation – Security’s Friend or Foe?
“Virtualisation is set to consign traditional hardware appliances to the dustbin of computing history” – Roger Howorth, IT Week • http://www.itweek.co.uk/itweek/comment/2162238/future-appliances-virtual
Virtualization Requirements • Scheduler • Memory Management • VM State Machine • Virtualized Devices • Storage Stack • Network Stack • Binary Translators (optional) • Drivers • Management API
Old: Virtual Server Architecture (diagram: Host and Guests. Ring 3, user mode: Virtual Server WebApp on IIS and the Virtual Server Service on the host; Guest Applications in the guests. Ring 1, guest kernel mode: guest Windows (NT4, 2000, 2003) with Virtual Server VM additions. Ring 0, kernel mode: Windows Server 2003/Windows XP kernel, Device Driver and the VMM Kernel, on top of the Server Hardware. Legend, “Provided by”: Virtual Server, Windows, ISV.)
New: Hyper-V Architecture (diagram: Parent Partition and Child Partition. Ring 3, user mode: the Virtualisation Stack in the parent, with WMI Provider, VM Service and one VM Worker Process per VM; Guest Applications in the child. Ring 0, kernel mode: Windows Kernel on Server Core with Virtualization Service Providers (VSPs), Device Driver and VMBus in the parent; OS Kernel with Enlightenments, Virtualization Service Clients (VSCs) and VMBus in the child. Ring “-1”: Windows hypervisor, on top of the Server Hardware. Legend, “Provided by”: Hyper-V, Windows, Rest of Windows, ISV.)
New: Hyper-V Architecture (the same diagram, with a “Hackers” label added to show the attacker’s position relative to the partitions and rings.)
Why not get rid of the parent? • No defence in depth • Entire hypervisor running in the most privileged mode of the system (diagram: three Virtual Machines, each with User Mode at Ring 3 and Kernel Mode at Ring 0, above a monolithic hypervisor at Ring “-1” that contains the Scheduler, Memory Management, Storage Stack, Network Stack, VM State Machine, Virtualized Devices, Binary Translators, Drivers and Management API, on top of the Hardware.)
Micro-kernelized Hypervisor • Defence in depth • Using hardware to protect • Hyper-V doesn’t use binary translation • Further reduces the attack surface (diagram: the Parent Partition holds the VM State Machine, Virtualized Devices and Management API in User Mode at Ring 3 and the Storage Stack, Network Stack and Drivers in Kernel Mode at Ring 0; two Virtual Machines each have User Mode and Kernel Mode; the hypervisor at Ring -1 contains only the Scheduler and Memory Management, on top of the Hardware.)
Security Assumptions • Guests are untrusted • Trust relationships • Parent must be trusted by hypervisor • Parent must be trusted by children • Code in guests can run in all available processor modes, rings, and segments • Hypercall interface will be well documented and widely available to attackers • All hypercalls can be attempted by guests • Can detect you are running on a hypervisor • We’ll even give you the version • The internal design of the hypervisor will be well understood
Security Goals • Strong isolation between partitions • Protect confidentiality and integrity of guest data • Separation • Unique hypervisor resource pools per guest • Separate worker processes per guest • Guest-to-parent communications over unique channels • Non-interference • Guests cannot affect the contents of other guests, parent, hypervisor • Guest computations protected from other guests • Guest-to-guest communications not allowed through VM interfaces
Isolation • No sharing of virtualized devices • Separate VMBus per VM to the parent • No sharing of memory • Each has its own address space • VMs cannot communicate with each other, except through traditional networking • Guests can’t perform DMA attacks because they’re never mapped to physical devices • Guests cannot write to the hypervisor • Parent partition cannot write to the hypervisor
Hyper-V Security Hardening • Hypervisor has separate address space • Guest addresses != Hypervisor addresses • No 3rd party code in the Hypervisor • Limited number of channels from guests to hypervisor • No “IOCTL”-like things • Guest to guest communication through hypervisor is prohibited • No shared memory mapped between guests • Guests never touch real hardware I/O
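The hypercall interface is the guest-to-hypervisor channel these slides describe (documented, attemptable by every guest, and crossing from guest addresses into a separate hypervisor address space). The C dispatcher below is an added illustration of how a hypervisor validates that boundary and is not Hyper-V code: the input-value bit layout and status codes follow Microsoft's public Hypervisor Top-Level Functional Specification as assumed here, while `hv_dispatch`, the call table, `guest_mem` and all sizes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Input-value layout assumed from Microsoft's public Hypervisor TLFS (not on the
 * slides): bits 15:0 call code, bits 43:32 rep count, bits 59:48 rep start
 * index. Result value: bits 15:0 status, bits 43:32 reps completed. */
#define HV_STATUS_SUCCESS                 0x0000
#define HV_STATUS_INVALID_HYPERCALL_CODE  0x0002
#define HV_STATUS_INVALID_HYPERCALL_INPUT 0x0003
#define HV_STATUS_INVALID_ALIGNMENT       0x0004
#define HV_STATUS_INVALID_PARAMETER       0x0005

/* Constructed 4 KiB "guest physical memory" so the example runs offline;
 * a real hypervisor translates the GPA through the partition's memory map. */
#define GUEST_MEM_SIZE 4096u
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Hypothetical closed call table: code, input bytes per element, rep call? */
struct hv_call { uint16_t code; size_t elem_size; int is_rep; };
static const struct hv_call call_table[] = { {0x0001, 16, 0}, {0x0002, 8, 1} };

static const struct hv_call *lookup_call(uint16_t code) {
    for (size_t i = 0; i < sizeof call_table / sizeof call_table[0]; i++)
        if (call_table[i].code == code) return &call_table[i];
    return NULL;  /* anything outside the table is rejected, no default path */
}

/* Every bit of input_value and the GPA is chosen by the guest: validate all. */
uint64_t hv_dispatch(uint64_t input_value, uint64_t input_gpa) {
    uint16_t code = (uint16_t)(input_value & 0xFFFF);
    uint32_t rep_count = (uint32_t)((input_value >> 32) & 0xFFF);
    uint32_t rep_start = (uint32_t)((input_value >> 48) & 0xFFF);
    uint8_t private_copy[GUEST_MEM_SIZE];  /* hypervisor-owned, never guest-mapped */
    const struct hv_call *c = lookup_call(code);
    size_t bytes;
    if (c == NULL) return HV_STATUS_INVALID_HYPERCALL_CODE;
    if (!c->is_rep && (rep_count | rep_start))   /* simple calls: rep fields zero */
        return HV_STATUS_INVALID_HYPERCALL_INPUT;
    if (c->is_rep && (rep_count == 0 || rep_start >= rep_count))
        return HV_STATUS_INVALID_HYPERCALL_INPUT;
    if (input_gpa & 7) return HV_STATUS_INVALID_ALIGNMENT;
    bytes = c->elem_size * (c->is_rep ? rep_count : 1);  /* at most 16*4095 */
    if (input_gpa >= GUEST_MEM_SIZE || bytes > GUEST_MEM_SIZE - input_gpa)
        return HV_STATUS_INVALID_PARAMETER;  /* overflow-safe range check */
    /* Copy once into hypervisor memory before parsing: the guest can rewrite its
     * page concurrently, so a real handler acts on private_copy only. */
    memcpy(private_copy, guest_mem + input_gpa, bytes);
    return (uint64_t)HV_STATUS_SUCCESS | ((uint64_t)(c->is_rep ? rep_count : 0) << 32);
}
```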
Hyper-V & Secure Development Lifecycle • Hypervisor built with • Stack guard cookies (/GS) • Address Space Layout Randomization (ASLR) • Hardware Data Execution Prevention • No Execute (NX) AMD • Execute Disable (XD) Intel • Code pages marked read only • Memory guard pages • Hypervisor binary is signed • Hypervisor and Parent going through SDL • Threat modeling • Static Analysis • Fuzz testing & Penetration testing
Hyper-V Security Model • Uses Authorization Manager • Fine grained authorization and access control • Department and role based • Segregate who can manage groups of VMs • Define specific functions for individuals or roles • Start, stop, create, add hardware, change drive image • VM administrators don’t have to be Server 2008 administrators • Guest resources are controlled by per VM configuration files • Shared resources are protected • Read-only (CD ISO file) • Copy on write (differencing disks)
Windows Server Core • Windows Server is frequently deployed for a single role • Must deploy and service the entire OS in earlier Windows Server releases • Server Core is a new minimal installation option • Provides essential server functionality • Command Line Interface only, no GUI Shell • Benefits • Fundamentally improves availability • Less code results in fewer patches and reduced servicing burden • Low surface area server for targeted roles • More secure and reliable with less management
What tools can help secure the Environment? • IPSec for host authentication • Use the principle of least privilege • Only install software you have a reason to trust • Ensure policy compliance – Network Access Protection can be a huge help • Keep things as simple as possible • Add functionality as high up the stack as possible
How to proceed? • Virtualisation is not a silver bullet for security problems • Nor is it a nightmare • It just changes the threat landscape • Carefully consider the impact on trust boundaries and the knock-on effect of compromised security at layers underneath the applications – the deeper down the stack, the worse the impact
What is Microsoft Forefront? • Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis. (diagram: product areas Server Applications, Edge, and Client and Server OS.)
Enabler for Microsoft’s Best Practices (diagram: Microsoft Operations Framework and Infrastructure Optimization, with Microsoft System Centre components – Operations Manager, Configuration Manager, Data Protection Manager, ‘Service Desk’, Capacity Planner, Reporting Manager and Client Operations Management – mapped to the IT Service Management functions of Performance & Availability Monitoring, Software Update & Deployment, Data Storage & Recovery, Problem Management, Capacity Management and IT Reporting.)
Next steps • To receive the latest security news, sign up for the: • Microsoft Security Newsletter • Microsoft Security Notification Service • Assess your current IT security environment • Download the free Microsoft Security Assessment Tool • Find all your security resources here: http://www.microsoft.com/uk/security/infosec2008
Session Evaluation • Hand in your session evaluation on your way out • Win one of 2 Xbox 360® Elites in our free prize draw* • Winners will be drawn at 3.30 today • Collect your goody bag, which includes: • Windows Vista Business (Upgrade) • Forefront Trials • Forefront Hands-On Labs • Security Resources CD • I’ll be at the back of the room if you have any questions * Terms and conditions apply, alternative free entry route available.