
Virtualization and Cloud Security

Virtualization and Cloud Security. Huzur Saran, IIT Delhi.


Presentation Transcript


  1. Virtualization and Cloud Security. Huzur Saran, IIT Delhi

  2. Typical Cloud (diagram: a Cloud API over several hardware (hw) hosts, each running a hypervisor with guest machines m1 to m5)

  3. Typical Server Virtualization Deployment (diagram: Ubuntu, Win 2003, Win 2008 and Redhat guests, each an OS running Apps, plus Management, on a Hypervisor on Hardware)

  4. Typical VDI Deployment (diagram: thin clients; desktops, each on its own OS, plus Dom0, on an Enterprise Hypervisor on Hardware)

  5. Security Issues
     • The hypervisor is the underlying component of all these architectures. It is a new layer which needs to be protected.
     • Scale of deployments – The sheer scale of deployments makes this a security nightmare. Imagine 150 machines running a simultaneous scheduled AV scan on the same physical host: it chokes I/O and disk bandwidth.
     • Isolation – Machines of a company and its competitor could be running on the same physical machine. Insufficient isolation could lead to disaster.
     • New APIs to access virtualization/cloud services. Bugs in these could lead to compromise of the entire infrastructure.

  6. Sample Hypervisor Security Issues
     • CVE-2007-4496, CVE-2007-4497 – ESX3.01: a guest operating system can cause a buffer overflow and arbitrary code execution in the host
     • CVE-2007-0948 – Virtual PC: heap overflow which could cause arbitrary privilege escalation
     • CVE-2007-4993 – Xen 3.0.3: a user can escape to domain0 via grub.conf and pygrub

  7. Security Issues – Why?
     • Hypervisors are written by humans. They have bugs, typically buffer overflows.
     • Hypervisors are complex – Xen is about 300K source lines of code.
     • Complete isolation is hard – Most systems don't have IOMMUs, which makes it possible to DMA to arbitrary physical memory.
     • A compromised Domain0 on Xen pretty much means a hosed hypervisor. Domain0 runs commodity OSes, which could have bugs.

  8. Security Issues – Why?
     • DMA is a big problem on non-IOMMU-based systems:
     • Xen can set up DMA
     • Dom0 can set up DMA
     • Driver domains can set up DMA
     • The range of physical addresses is not verified
     • IOMMU-based systems can restrict the range of addresses, but IOMMUs are not present in commodity hardware
     • There are some techniques to bypass even IOMMU checks
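
Added example (not from the original slides, and not Xen code): a software model in C of the address-range check that slide 8 says is missing when DMA is set up, which is the restriction an IOMMU enforces in hardware. The `dma_window` table, the function `dma_request_allowed` and the sample addresses are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One contiguous machine-physical range a domain's devices may DMA to. */
struct dma_window { uint64_t base, len; bool writable; };

/* Constructed grant table for a hypothetical guest, sorted by base:
   two adjacent read/write windows and one read-only window. */
static const struct dma_window guest_windows[] = {
    { 0x10000000ULL, 0x00100000ULL, true  },
    { 0x10100000ULL, 0x00100000ULL, true  },
    { 0x20000000ULL, 0x00010000ULL, false },
};
#define GUEST_NWIN (sizeof guest_windows / sizeof guest_windows[0])

/* True only if every byte of [addr, addr+len) is covered by the sorted
   window table with the required permission; anything else fails closed. */
bool dma_request_allowed(const struct dma_window *w, size_t n,
                         uint64_t addr, uint64_t len, bool is_write)
{
    if (len == 0 || len > UINT64_MAX - addr)  /* empty, or end overflows */
        return false;
    uint64_t end = addr + len;                /* exclusive end */
    uint64_t cur = addr;                      /* first byte not yet proven */

    for (size_t i = 0; i < n && cur < end; i++) {
        if (w[i].len == 0 || w[i].len > UINT64_MAX - w[i].base)
            return false;                     /* malformed table entry */
        uint64_t wend = w[i].base + w[i].len;
        if (cur >= wend)
            continue;                         /* window lies below cur */
        if (cur < w[i].base)
            return false;                     /* gap: unmapped bytes */
        if (is_write && !w[i].writable)
            return false;                     /* device write to RO window */
        cur = wend < end ? wend : end;        /* consume covered part */
    }
    return cur == end;
}

int main(void)
{
    /* Request that starts in a granted window but runs past its end. */
    printf("%d\n", dma_request_allowed(guest_windows, GUEST_NWIN,
                                       0x101FF000ULL, 0x2000, true));
    return 0;
}
```

Checking only the start address, or computing `addr + len` without the overflow test, would accept the request in `main`, which begins inside a granted window and ends outside it.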

  9. Security Solutions
     • Trusted hypervisor
     • Hyperguard – Phoenix Technologies – A hypervisor integrity scanner in SMM
     • Deepwatch – Intel project – Virtualization rootkit scanner
     • Domain 0 hardening – Various security solutions to whitelist and harden Dom0

  10. Security Opportunities
     • A new breed of security products is now possible to protect guest OSes from being hijacked
     • Hypervisor-based security suites cannot be detected by malware running in the guest
     • Hypervisors allow introspection of very early boot sequences of the guest, thereby making possible an entire new breed of BIOS rootkit and kernel rootkit scanners

  11. Security Opportunities
     • APIs like VMSAFE from VMware allow introspection of interesting system events in the guests
     • These events can then be processed on a dedicated security appliance
     • These events include CPU state monitoring, page faults, memory/register accesses, file-system events, network events, etc.

  12. Early Trends – Consolidate common security functions to security appliance (diagram labels: AV and FW on each guest OS over an Enterprise Hypervisor and Hardware; Security Appliance with Manager, Antivirus and Firewall; guest OSes with AV Shim and FW Shim on the Enterprise Hypervisor and Hardware)

  13. Security is hard – at all levels
     A prisoner was wrongly released after a fax was received from a grocery store stating that the Kentucky Supreme Court had demanded his release: http://www.cnn.com/2007/US/04/21/wrongly.freed.ap/index.html

  14. Security principles
     • Open design: you need all the help you can get
     • Economy of mechanism: fewer things to get right
     • Minimize secrets: secrets don't remain secret
     • Fail-safe defaults: most users won't change them
     • Least privilege: limit the damage of an accident
     • Separation of privilege: dangerous operations should require multiple principals
     • Complete mediation: check every operation

  15. Sample Security Issues
     • http://taviso.decsystem.org/virtsec.pdf – Paper detailing several bugs in Virtual PC, Xen, VMware, Parallels and BOCHS
     • http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/ – UDP-flood-based DDoS against Amazon EC2
     • Argument handling bugs in FLASK (Xen)

  16. Example: A specially crafted poke to I/O port 0x1004 results in an out-of-bounds write to an attacker-controlled location. By interacting with the power management subsystem in specific ways, a write to an arbitrary location can be performed upon restarting a suspended virtual machine.

     VMware PIIX4 ACPI PM OOB Write

         section .text
         global _start
         _start:
             mov eax, 110        ; syscall number for iopl
             mov ebx, 3          ; requested I/O privilege level
             int 0x80            ; a. iopl()
             mov ax, 0x6c81      ; value written to the port
             mov dx, 0x1004      ; I/O port 0x1004
             out dx, ax
             xor ebx, ebx        ; exit status 0
             xor eax, eax
             inc eax             ; syscall number 1 (exit)
             int 0x80
