PALM: Security Preserving VM Live Migration for Systems with VMM-enforced Protection
Fengzhe Zhang, Yijian Huang, Huihong Wang, Haibo Chen, Binyu Zang
Parallel Processing Institute, Fudan University

Outline
• Motivation
• Challenges and solutions
• PALM system
• Conclusions
Remote Computing
Q: Could the user's privacy be kept at the remote site?
Privacy in Danger
• Commodity OSes are not trusted
[Diagram: a remote platform (TPM, OS kernel with kernel modules and an admin module, device drivers, applications) on which a hacker can reach the user's data]
VMM-enforced Privacy Protection
[Diagram: the protected app runs above the OS kernel on a modified VMM, on a remote platform with a TPM]
VM Live Migration
[Diagram: the protected app and its OS kernel migrate between VMMs running on several hardware platforms]
The Goal
• The goal of PALM
  • Extend privacy protection to the migration procedure
  • The protection is transparent to existing OSes and the applications
  • Performance impact on the migration should be moderate
Outline
• Motivation
• Challenges and solutions
• PALM system
• Conclusions
Threat Model
• Commodity operating systems are not trusted
• The VMM is trusted
• The platform owner / administrators are not trusted
• Only defend against software attacks
Threat Model in Xen
[Diagram: the Control VM (Dom0 kernel, migration tools, normal app) and the migrating VM (DomU kernel, protected app) both run on the modified VMM with integrity measurement, on a remote platform with a TPM]
Challenge 1/3
• The Control VM has the privilege to map pages from DomU
[Diagram: DomU memory is mapped by the migration tools and sent over SSL to the network]
Memory Protection
• Memory encryption and redirection
[Diagram: the migration tools see the currently mapped memory chunk of DomU memory only in encrypted form]
Challenge 2/3
• The migrating VM is actively running while its pages are sent (live migration)
[Diagram: DomU memory, a zero page, and the currently mapped memory chunk seen by the migration tools in encrypted form]
Challenge 3/3
• A dirtied page could be sent more than once (live migration)
[Diagram: replay attack. Page versions P1V1, P4V1 and P4V2 pass through the migration tools to the network; the hash array records P1V1, P4V1 and P4V2]
Outline
• Motivation
• Challenges and solutions
• PALM system
• Conclusions
Implementation
• PALM is implemented based on Xen-3.0.2 and GNU Linux-2.6.16
• VMM-enforced process protection is based on CHAOS system 1.0
• 3 system configurations
  • Xen
  • PALM-plain
  • PALM-enc
Outline
• Motivation
• Challenges
• PALM system
• Conclusions
Conclusions
• PALM defended against 3 kinds of attacks or vulnerabilities
• Transparent to the OS and applications
• Performance impact is moderate
• Privacy protection could be preserved during VM live migration
Backup
PPI, Fudan University
Migration Setup
• The migration session key is negotiated beforehand
• Both migration sides must run the modified VMM
• The session key is used to encrypt
  • Protected-application-related metadata stored in the VMM
  • Each protected memory page
  • The hash values of the encrypted pages
Migration Procedure
Source:
• Migration start
• Round 1: send all DomU memory; private pages are sent in cipher-text and hashed
• Round 2 .. N: send DomU memory dirtied in Round N-1; private pages are sent in cipher-text and hashed
• DomU suspend
• Send the rest of DomU dirtied memory
• Pack metadata and send in cipher-text
• Send the array of final page hash values
Destination:
• Decrypt all the private pages, compare with hashes
• Deploy the protection metadata
• Other resumption work
• DomU resume
• Migration stop
Timeline: migration time spans the rounds; downtime spans DomU suspend to DomU resume
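The page encryption of Challenge 1/3, the hash-array replay defence of Challenge 3/3 and the round structure above, as an added Python simulation that is not PALM's or Xen's code: the HMAC-SHA256 counter-mode keystream stands in for the VMM's unspecified page cipher, and SESSION_KEY, the toy page contents and the (page, version) record layout are constructed assumptions.

```python
import hashlib
import hmac
import struct
SESSION_KEY = b"constructed-session-key"  # PALM negotiates this between the two VMMs beforehand

def xor_page(key, page_no, version, data):
    # HMAC-SHA256 counter-mode keystream keyed per (page, version): a stand-in for the VMM's cipher
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hmac.new(key, b"%d:%d:%d" % (page_no, version, ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))

class SourceVMM:
    def __init__(self, key, memory, private_pages):
        self.key, self.memory, self.private = key, dict(memory), set(private_pages)
        self.version, self.final_hash = {p: 0 for p in memory}, {}

    def send_page(self, page_no):
        # Wire record (page_no, version, payload): a private page leaves only as cipher-text, and the
        # hash array is updated so it always names the most recently sent version of that page
        v, data = self.version[page_no], self.memory[page_no]
        self.version[page_no] += 1
        if page_no in self.private:
            data = xor_page(self.key, page_no, v, data)
            self.final_hash[page_no] = hashlib.sha256(data).digest()
        return (page_no, v, data)

    def final_metadata(self):
        # Sent in cipher-text after DomU suspend; nonce -1 keeps it apart from the page nonces
        blob = b"".join(struct.pack(">I32s", p, h) for p, h in sorted(self.final_hash.items()))
        return xor_page(self.key, -1, 0, blob)

def resume(key, private_pages, wire, metadata):
    # Destination VMM: keep the last copy of each page, check private pages against the hash array,
    # then decrypt; a replayed (stale) or altered copy is rejected before DomU resumes
    expected = dict(struct.iter_unpack(">I32s", xor_page(key, -1, 0, metadata)))
    last = {p: (v, data) for p, v, data in wire}
    memory = {}
    for p, (v, data) in last.items():
        if p in private_pages:
            if hashlib.sha256(data).digest() != expected[p]:
                raise ValueError(f"page {p}: stale or tampered copy rejected")
            data = xor_page(key, p, v, data)
        memory[p] = data
    return memory
```

Round 1 is a send_page call for every page, each later round is a send_page call for each page dirtied since the previous round, and the untrusted migration tools only ever carry the returned records and final_metadata.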
DMA Issue
• DMA-capable devices can access arbitrary physical memory
• This bypasses the MMU and is not prevented by PALM
• Needs hardware virtualization assist
  • IOMMU
  • Intel TXT
VMM-enforced Process Protection
[Diagram: the protected app's pages in user space, kernel space and storage, with the protected pages held in encrypted form]