Breaking Up is Hard to Do - UBC Department of Computer Science

Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor

Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker*, Tim Deegan, Peter Loscocco*, Andrew Warfield
Department of Computer Science, University of British Columbia; Citrix Systems R&D; * National Security Agency

Companies in the Cloud
[Figure: company logos; all of these run in EC2 or Rackspace]

Hypervisors are Secure
- Narrow interface
- Small codebase
  [Figure: x86 guests running on a hypervisor]
  - Xen: 280 KLOC (based on the current version)
  - Nova: 9 KLOC (microvisor) + 20 KLOC (VMM) [EuroSys10]
  - SecVisor: 2 KLOC [SOSP07]
  - Flicker: 250 LOC [EuroSys08]

CERT Vulnerabilities
- 38 Xen CERT vulnerabilities
- 23 originate in guest VMs
- 2 are against the hypervisor
- What the heck are the other 90%?

We are the 90%
[Figure: Control VM (Dom0) containing IPC, Management, Device Emulation, Platform and Device Drivers, alongside User A's VM and User B's VM, all above the Hypervisor]
Control VM (Dom0) privileges:
- Manage devices
- Create and destroy VMs
- Arbitrarily access memory

Exposure to Risk
- Isolate services into least-privileged service VMs
- Make sharing between components explicit
- Contain the scope of exploits in both space and time
- Constraint: don't reduce functionality, performance, or maintainability of the system

SPACE

Space
[Figure: the monolithic Control VM (IPC, Management, Device Emulation, Platform, Device Drivers) next to User A's VM and User B's VM above the Hypervisor]

Space: Isolation
[Figure: the Control VM's components (IPC, Device Emulation, PCI Config, Platform, Management, Device Drivers) broken out into separate service VMs: XenStore, Emulator, PCI Config, Builder, Tools, System Boot, Network and Block]
[Figure: the service VMs XenStore, Builder, Tools, Emulator, PCI Config, System Boot, Network and Block running alongside User A's VM and User B's VM above the Hypervisor]

Space: Configurable Sharing
[Figure: per-user instances of Network, Tools and Block serving User A's VM and User B's VM, contrasted with a single Network, Tools and Block shared by both users' VMs]

Space: Auditing
- Which VMs were relying on the Block component while it was compromised?
[Figure: User A's VM, User B's VM and User C's VM attached to Network and Block service VMs, with a "Create Block" event marking when a new Block instance was started]
- Answer: VM B and VM C

[Figure: the full component diagram annotated with the Space properties so far: Isolation, Configurable Sharing, Auditing]

TIME

Time
[Figure: the full component diagram annotated with the Space properties: Containment, Configurable Sharing, Auditing]

Time: Disposable
[Figure: PCI Config and System Boot shown as disposable services above the Hypervisor]

Time: Timed Restarts
- Snapshots: 4-25 ms
[Figure: a VM being snapshotted and restored]

Time: Stateless VMs
[Figure: lifecycle of a stateless service VM: Builder -> Newly Created VM -> boot and initialization -> Snapshot Image -> process request (from User A's or User B's VM, using Copy-on-Write) -> rollback to the snapshot]

[Figure: the full component diagram annotated with the Time properties: Disposable, Timed Restarts, Stateless]

SPACE + TIME

Space + Time
[Figure: the full component diagram annotated with Space (Isolation, Configurable Sharing, Auditing) and Time (Disposable, Timed Restarts, Stateless)]

Space + Time: Composition
[Figure: message sequence among User A's VM, XenStore and User B's VM, with the messages "I've enabled the network driver", "I've enabled 0xPWND to map page 0xDEADBEEF", "B: Network can map 0xDEADBEEF" and "OK"]
[Figure: the same sequence with XenStore split into XenStore-Logic and XenStore-State, and the additional message "A: Please shut me down"]
[Figure: the same sequence with a Monitor in XenStore-State that limits access, and XenStore-Logic run as a stateless VM (Builder, Newly Created VM, boot and initialization, Snapshot Image, process request, Copy-on-Write, rollback)]

[Figure: the full component diagram annotated with Space (Isolation, Configurable Sharing, Auditing) and Time (Disposable, Timed Restarts, Stateless, Composition)]

EVALUATION

Evaluation
- What do privileges look like now?
- What is the impact on the security of the system?
- What are the overheads?
- What impact does isolation have on performance?
- What impact do restarts have on performance?

Privileges
[Table: rows are the privileges Arbitrarily Access Memory; Access and Virtualize PCI Devices; Create VMs; Manage VMs; Manage Assigned Devices. Columns are the service VMs System Boot, PCI Config, Builder, Tools, Block, Network and XenStore. An X marks each privilege a service VM holds; the cell layout did not survive extraction.]

Security
- Of the 21 vulnerabilities against the control plane, we contain all 21
- TCB is reduced from the control VM's 7.5 million lines of code (Linux) to Builder's 13,500 (on top of Xen)

Memory Overhead
Component        Memory
System Boot      128MB
PCI Config       128MB
XenStore-Logic    32MB
XenStore-State    32MB
Block            128MB
Network          128MB
Builder           64MB
Tools            128MB
Total            512MB

Isolation Performance
[Figure: Postmark performance]
[Figure: wget performance]

Restart Performance
[Figure: Kernel build performance]

CONCLUSION

Summing it All Up
- Components of the control VM are a major source of risk
- Xoar isolates components in space and time
- Contains exploits
- Provides explicit exposure to risk
- Functionality, performance, and maintainability are not impacted
