
Secure Virtual Machine Execution Under an Untrusted Management OS



Presentation Transcript


  1. Secure Virtual Machine Execution Under an Untrusted Management OS • Chunxiao Li, Anand Raghunathan, Niraj K. Jha

  2. Outline • Background: Security & Virtualization • Security challenges in virtualization-based architecture • A secure virtual machine execution environment • Implementation & results • Security analysis • Conclusion

  3. The goal of computer security • Computer security: a branch of information security applied to computers • Three objectives of information security: • Confidentiality • Integrity • Availability (e.g., protection against DoS)

  4. What is virtualization? • Virtualization: technology for creating a software-controlled environment that allows programs to execute inside it [1] • [1] http://www.ok-labs.com/virtualization-and-security/what-is-virtualization • [2] Barham et al., "Xen and the art of virtualization," SOSP 2003

  5. Relationship between virtualization and security • On the one hand, virtualization can be used to enhance security • Secure logging (Chen et al., 2001) • Terra architecture (Garfinkel et al., 2003) • On the other hand, virtualization also gives rise to several security concerns • Scaling, transience, software lifecycle, diversity, mobility, identity and data lifetime [1] • Virtual machine-based rootkits (VMBR) [2] • [1] Garfinkel et al., "When virtual is harder than real," HotOS 2005 • [2] King et al., "SubVirt: Implementing malware with virtual machines," IEEE S&P 2006

  6. Outline (section divider; next: Security challenges in virtualization-based architecture)

  7. Security challenges in virtualization-based architecture • This work addresses one of the fundamental security concerns in virtualization: • The trusted computing base (TCB) of a VM is too large

  8. A security challenge of virtualization-based architecture • (figure: nested components A, B, C inside the TCB) • Trusted computing base (TCB): a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security [1] • Smaller TCB → more security • [1] Lampson et al., "Authentication in distributed systems: Theory and practice," ACM TOCS 1992

  9. A security challenge of virtualization-based architecture (Contd.) • (figure: the smaller TCB one would like versus the actual TCB of a VM) • Security challenge: the TCB of a VM is too large

  10. Xen architecture and the threat model • Management VM: Dom0 • Guest VM: DomU • Dom0 may be malicious, because of: • Vulnerabilities • Device drivers • Careless or malicious administration • Dom0 is in the TCB of DomU because it can access (map and read/write) DomU's memory, which can lead to information leakage or modification

  11. Outline (section divider; next: A secure virtual machine execution environment)

  12. Towards a secure execution environment for DomU • Scenario: a client uses the service of a cloud computing company to build a remote VM • Needed: • A secure network interface • A secure secondary storage • A secure run-time environment: build, save, restore, destroy

  13. Towards a secure execution environment for DomU (Contd.) • A secure run-time environment is the most fundamental of the three • The first two already have solutions: • Network interface: Transport Layer Security (TLS) • Secondary storage: Network File System (NFS) • The security mechanisms of the first two rely on a secure run-time environment, since all the cryptographic algorithms and security protocols (keys included) live inside it

  14. Domain building • (figure: the building process)

  15. Domain save/restore

  16. Domain save/restore (Contd.) • (figure, original Xen: DomU memory pages 1–5 pass through the Xen layer and Dom0 to storage unchanged, so Dom0 sees every page in the clear, e.g., Page3)

  17. Domain save/restore (Contd.) • (figure, proposed scheme: each DomU page is hashed and transformed inside the Xen layer before Dom0 copies it, so Dom0 and storage only ever see the transformed contents, e.g., Page3 appears as "3egap"; the hash is checked again on restore)
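The save/restore path on slides 16–17 is the core of the scheme: pages leave the guest only after the hypervisor has transformed them, and they are verified before being mapped back on restore. The following is an added example written for this page to make that flow concrete; it is not the authors' Xen patch. It assumes a per-domain master key that only the hypervisor layer holds (never Dom0) and a fresh random nonce per save session. Confidentiality and integrity are done as encrypt-then-MAC with a keystream generated by HMAC-SHA256 in counter mode so that it runs with the Python standard library alone; in production you would replace that pair with an AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted crypto library. The tag binds each ciphertext to its page frame number and the session nonce, so a malicious Dom0 cannot read a page, modify it, or swap two pages without the restore step noticing.

```python
"""Added example (not from the paper): protecting DomU pages on save/restore.

The hypervisor-side key `master` and the per-session `nonce` are assumptions
for illustration. The HMAC-based stream cipher is a stand-in for a real AEAD.
"""
import hashlib
import hmac
import os
import struct

PAGE_SIZE = 4096      # x86 page size, as used by Xen
TAG_LEN = 32          # HMAC-SHA256 tag length


def derive_keys(master: bytes):
    """Split the per-domain master key (held only in the Xen layer) into
    independent encryption and MAC keys."""
    k_enc = hmac.new(master, b"page-enc", hashlib.sha256).digest()
    k_mac = hmac.new(master, b"page-mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, nonce: bytes, pfn: int, length: int) -> bytes:
    """PRF-in-counter-mode keystream, unique per (save session, page frame)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + struct.pack(">QQ", pfn, ctr),
                        hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def protect_page(master: bytes, nonce: bytes, pfn: int, page: bytes) -> bytes:
    """Save path (Xen layer): transform one guest page before Dom0 may copy it.
    Returns ciphertext || tag, which is all Dom0 and the storage ever see."""
    if len(page) != PAGE_SIZE:
        raise ValueError("page must be exactly one page")
    k_enc, k_mac = derive_keys(master)
    ct = bytes(p ^ k for p, k in zip(page, keystream(k_enc, nonce, pfn, PAGE_SIZE)))
    # The tag covers pfn and nonce as well as the ciphertext, so Dom0 can
    # neither edit a page nor reorder pages nor splice in a page from an
    # older save of the same domain.
    tag = hmac.new(k_mac, struct.pack(">Q", pfn) + nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unprotect_page(master: bytes, nonce: bytes, pfn: int, blob: bytes):
    """Restore path (Xen layer): verify, then decrypt. None means tampering."""
    if len(blob) != PAGE_SIZE + TAG_LEN:
        return None
    ct, tag = blob[:PAGE_SIZE], blob[PAGE_SIZE:]
    k_enc, k_mac = derive_keys(master)
    expected = hmac.new(k_mac, struct.pack(">Q", pfn) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(k_enc, nonce, pfn, PAGE_SIZE)))


def save_domain(master: bytes, pages: dict, nonce: bytes = None):
    """Whole-domain save: returns (nonce, image); `image` is what Dom0 writes."""
    nonce = nonce if nonce is not None else os.urandom(16)
    return nonce, {pfn: protect_page(master, nonce, pfn, pg) for pfn, pg in pages.items()}


def restore_domain(master: bytes, nonce: bytes, image: dict):
    """Whole-domain restore: the page dict, or None if any page fails to verify.
    A single bad page aborts the restore rather than mapping partial state."""
    pages = {}
    for pfn, blob in image.items():
        pt = unprotect_page(master, nonce, pfn, blob)
        if pt is None:
            return None
        pages[pfn] = pt
    return pages


def demo():
    """Exercise the three Dom0 behaviours from the security analysis:
    reading a page, modifying a page, and substituting one page for another."""
    master = os.urandom(32)                                # constructed key
    secret = b"guest secret key material ".ljust(PAGE_SIZE, b"\0")  # constructed page
    pages = {1: secret, 2: bytes(PAGE_SIZE), 3: os.urandom(PAGE_SIZE)}
    nonce, image = save_domain(master, pages)
    tampered = dict(image)
    tampered[2] = bytes([tampered[2][0] ^ 1]) + tampered[2][1:]   # flip one bit
    swapped = {1: image[2], 2: image[1], 3: image[3]}             # reorder pages
    return {
        "dom0_sees_plaintext": secret[:26] in image[1],
        "round_trip_ok": restore_domain(master, nonce, image) == pages,
        "tamper_detected": restore_domain(master, nonce, tampered) is None,
        "swap_detected": restore_domain(master, nonce, swapped) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is where the key lives: because `master` never leaves the Xen layer, Dom0 can still drive the save and restore tools (it remains responsible for availability, the third concern on slide 21), but it can no longer read or silently alter guest state while doing so.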

  18. Outline (section divider; next: Implementation & results)

  19. Implementation & results • The modifications to Xen only affect domain build, save and restore • Normal workloads in DomU see little performance degradation, since the ordinary execution path is unchanged

  20. Outline (section divider; next: Security analysis)

  21. Security analysis • A malicious Dom0 in the original Xen system may: • Access any memory page of DomU and read its contents • Access any memory page of DomU and change its contents • Arbitrarily start and shut down domains, and thus control the availability of all VMs • The proposed mechanism addresses the first two concerns (confidentiality and integrity of DomU memory) with a small execution-time overhead; the third, availability, remains with Dom0

  22. Outline (section divider; next: Conclusion)

  23. Conclusion • Virtualization technology can both benefit and undermine computer security, in different ways • One of the fundamental security concerns of a virtualization-based architecture is that the TCB of a VM is too large • A protection mechanism for the Xen virtualization system is proposed that excludes the management domain from the TCB of a guest VM, with small execution-time overhead

  24. Thank you!
