Improving Xen Security through Disaggregation


Presentation Transcript


  1. Improving Xen Security through Disaggregation
     Derek Murray, Grzegorz Milos, Steven Hand

  2. Outline
     • The myth of the secure hypervisor
     • Trusted computing bases
     • Disaggregating Xen
     • Results
     • Future work

  3. Xen
     [Diagram: a VM running an OS, on top of Xen, on top of the hardware]
     • Small hypervisor
     • 100k lines of code
     • Provides isolation between VMs
     • “Trusting the virtual machine monitor is akin to trusting a real processor”

  4. Domain Zero
     [Diagram: the Dom0 VM on top of Xen, on top of the hardware]
     • Full Linux distribution
     • User-space tools for VM management
     • Privileged hypervisor interface
       • Map foreign memory
       • Set foreign VCPU
     • Therefore must be trusted

  5. Threat Model
     • Malicious software running as Dom0 root
       • Root exploit on Dom0
       • Untrusted administrator
     • Want to protect the security of other VMs
       • Confidentiality
       • Integrity
     • Solution: disaggregation

  6. Trusted Computing Base
     • “The set of components on which a subsystem depends”
     • “The totality of protection mechanisms... responsible for enforcing a computer security policy”
     • Anything that can directly invoke a privileged operation
       • And hence undermine security

  7. Call Graph
     [Diagram: a call graph spanning protection domains PD x, PD y and PD z]

  8. Current Xen Control Stack
     [Diagram: Dom0 user space (Build VM, Make hypercall) → Dom0 kernel → Hypervisor (Map memory, Set VCPU)]

  9. Minimise the TCB?
     [Diagram: same control stack as slide 8: Dom0 user space (Build VM, Make hypercall) → Dom0 kernel → Hypervisor (Map memory, Set VCPU)]

  10. Smaller is not always better
     [Diagram: Dom0 user space → DomB (Build VM, Make hypercall) → Hypervisor (Map memory, Set VCPU)]

  11. Implementation
     [Diagram: Dom0 (running Xend, …), DomB and DomU, all running on Xen]

  12. Results
     • Smaller, static TCB
       • No longer contains Dom0 userspace
       • Now only VMM, DomB and Dom0 kernel
       • With an I/O MMU, only VMM and DomB
     • Other VMs protected from Dom0 root
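     The following is an added example, not code from the slides or from the Xen project. It models the TCB definition of slide 6 (anything that can drive a privileged operation on another VM) as reachability over a call graph, and compares the control stacks of slides 8 and 10 to reproduce the membership claimed on slide 12. The component names (dom0_user, dom0_kernel, domb, hypervisor), the third privileged operation dma_to_any_frame, and the passthrough flags on the edges are assumptions made for the model: a flag of True means the callee re-exports its privilege to the caller unfiltered (Dom0's privcmd path forwards any hypercall from root), False means the callee only accepts a narrow, validated request (DomB builds a fresh VM and nothing else).

```python
"""Model a VM's trusted computing base as reachability over a call graph.

Added example, not from the Murray/Milos/Hand slides or from Xen.
Component names and edge flags are assumptions chosen to mirror the
diagrams on slides 8 and 10.
"""
from collections import deque

# Operations that can breach another VM's confidentiality or integrity.
# Slide 4 names the first two; unrestricted device DMA is how a Dom0
# kernel that owns hardware reaches guest memory when no IOMMU is present
# (assumed name: dma_to_any_frame).
PRIVILEGED_OPS = {"map_foreign_memory", "set_foreign_vcpu", "dma_to_any_frame"}

# A graph maps each component to {callee: passthrough}.  passthrough=True
# means the callee lets the caller drive the callee's privilege directly;
# passthrough=False means the callee only honours a narrow, checked request.
STOCK_XEN = {
    "dom0_user":   {"dom0_kernel": True},                     # privcmd forwards hypercalls
    "dom0_kernel": {"hypervisor": True, "dma_to_any_frame": True},
    "hypervisor":  {"map_foreign_memory": True, "set_foreign_vcpu": True},
}


def disaggregated(iommu: bool) -> dict:
    """Control stack of slide 10: DomB holds the domain-building privilege."""
    graph = {
        "dom0_user":   {"domb": False, "dom0_kernel": False},  # 'build me a VM' only
        "dom0_kernel": {},                                     # no privileged hypercalls left
        "domb":        {"hypervisor": True},
        "hypervisor":  {"map_foreign_memory": True, "set_foreign_vcpu": True},
    }
    if not iommu:
        # Without an IOMMU, the Dom0 kernel's device drivers can still DMA
        # into any physical frame, so it stays in the TCB (slide 12).
        graph["dom0_kernel"]["dma_to_any_frame"] = True
    return graph


def can_drive_privileged_op(graph: dict, start: str) -> bool:
    """Breadth-first search along passthrough edges only."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in PRIVILEGED_OPS:
            return True
        for callee, passthrough in graph.get(node, {}).items():
            if passthrough and callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False


def tcb(graph: dict) -> set:
    """Components on which every other VM's security depends."""
    return {c for c in graph if can_drive_privileged_op(graph, c)}


def with_new_dom0_tool(graph: dict) -> dict:
    """Install an extra (assumed) management tool as Dom0 root would."""
    copy = {k: dict(v) for k, v in graph.items()}
    copy["third_party_tool"] = {"dom0_user": True}  # runs as root, drives the tools
    return copy


if __name__ == "__main__":
    print("stock Xen:          ", sorted(tcb(STOCK_XEN)))
    print("disaggregated:      ", sorted(tcb(disaggregated(iommu=False))))
    print("disaggregated+IOMMU:", sorted(tcb(disaggregated(iommu=True))))
    print("new Dom0 tool, stock:", "third_party_tool" in tcb(with_new_dom0_tool(STOCK_XEN)))
    print("new Dom0 tool, disag:", "third_party_tool" in tcb(with_new_dom0_tool(disaggregated(True))))
```

     The model reproduces slide 12: the stock stack trusts Dom0 user space, the Dom0 kernel and the VMM; the disaggregated stack drops Dom0 user space, keeps the Dom0 kernel only for its DMA path, and with an IOMMU is reduced to the VMM and DomB. The third_party_tool case is the "static" half of the claim: installing more software in Dom0 grows the stock TCB but leaves the disaggregated one unchanged. The model counts membership only, not lines of code, which is exactly why slide 10 reads "smaller is not always better": the interface DomB exposes (passthrough=False) is what keeps Dom0 user space out, not DomB's size. A practitioner should also note that the split between "Dom0 user space" and "Dom0 kernel" assumes root cannot load arbitrary kernel code; where that assumption fails, the IOMMU variant is the one that holds.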

  13. Future Work
     • Virtual TPM support
     • Automated techniques for disaggregation
     • Metrics for trustworthiness

  14. Conclusions
     • A virtualised TCB can be surprising
     • A smaller TCB is not always better
     • Choosing appropriate interfaces is crucial

  15. Questions
