150 likes | 256 Views
Improving Xen Security through Disaggregation. Derek Murray. Grzegorz Milos. Steven Hand. Outline. The myth of the secure hypervisor Trusted computing bases Disaggregating Xen Results Future work. Xen. OS. VM. Small hypervisor 100k lines of code Provides isolation between VMs
E N D
Improving Xen Security through Disaggregation Derek Murray Grzegorz Milos Steven Hand
Outline • The myth of the secure hypervisor • Trusted computing bases • Disaggregating Xen • Results • Future work
Xen OS VM • Small hypervisor • 100k lines of code • Provides isolation between VMs • “Trusting the virtual machine monitor is akin to trusting a real processor” Xen Hardware
Domain Zero Dom0 VM • Full Linux distribution • User-space tools for VM management • Privileged hypervisor interface • Map foreign memory • Set foreign VCPU • Therefore must be trusted Xen Hardware
Threat Model • Malicious software running as Dom0 root • Root exploit on Dom0 • Untrusted administrator • Want to protect security of other VMs • Confidentiality • Integrity • Solution: disaggregation
Trusted Computing Base • “The set of components on which a subsystem depends” • “The totality of protection mechanisms... responsible for enforcing a computer security policy” • Anything that can directly invoke a privileged operation • And hence undermine security
Call Graph PD z PD y PD x
Current Xen Control Stack Build VM Dom0 User Make hypercall Dom0 Kernel Map memory Set VCPU Hypervisor
Minimise the TCB? Build VM Dom0 User Make hypercall Dom0 Kernel Map memory Set VCPU Hypervisor
Smaller is not always better Dom0 User Build VM Make hypercall DomB Map memory Set VCPU Hypervisor
Implementation Xend … DomB Dom0 DomU Xen
Results • Smaller, static TCB • No longer contains Dom0 userspace • Now only VMM, DomB and Dom0 kernel • With an I/O MMU, only VMM and DomB • Other VMs protected from Dom0 root
Future Work • Virtual TPM support • Automated techniques for disaggregation • Metrics for trustworthiness
Conclusions • Virtualised TCB can be surprising • Smaller TCB is not always better • Choosing appropriate interfaces is crucial