Breaking Up is Hard to Do - UBC Department of Computer Science
Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor

Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker*, Tim Deegan, Peter Loscocco*, Andrew Warfield
Department of Computer Science, University of British Columbia
Citrix Systems R&D
* National Security Agency

Companies in the Cloud
(all these run in EC2 or Rackspace)

Hypervisors are Secure
Narrow interface
Small codebase
[Diagram labels: x86, x86, x86, Hypervisor]
Xen: 280 KLOC (based on the current version)
Nova: 9 KLOC (microvisor) + 20 KLOC (VMM) [EuroSys10]
SecVisor: 2 KLOC [SOSP07]
Flicker: 250 LOC [EuroSys08]

CERT Vulnerabilities
38 Xen CERT vulnerabilities
23 originate in guest VMs
2 are against the hypervisor
What the heck are the other 90%?

We are the 90%
[Diagram labels: Control VM (Dom0): IPC, Management, Device Emulation, Platform, Device Drivers; User A's VM; User B's VM; Hypervisor]
Manage devices
Create and destroy VMs
Arbitrarily access memory

Exposure to Risk
Isolate services into least-privileged service VMs
Make sharing between components explicit
Contain scope of exploits in both space and time
Constraint: Don't reduce functionality, performance, or maintainability of the system

SPACE

Space
[Diagram labels: Control VM: IPC, Management, Device Emulation, Platform, Device Drivers; User A's VM; User B's VM; Hypervisor]

Space
Isolation
[Diagram labels: Control VM; Platform, Device Drivers, System Boot, Network, Block; User A's VM; User B's VM; Hypervisor]

SPACE + TIME

Space + Time
Space / Time: Isolation, Configurable Sharing, Auditing, Disposable, Timed Restarts, Stateless
[Diagram labels: IPC, XenStore, Builder, Tools, Device Emulation, PCI Config, Management, Emulator, Platform, Device Drivers, System Boot, Network, Block; User A's VM; User B's VM; Hypervisor]

Composition
[Diagram labels: User A's VM; XenStore; User B's VM]
OK
B: Network can map 0xDEADBEEF
I've enabled the network driver
I've enabled 0xPWND to map page 0xDEADBEEF

Composition
[Diagram labels: User A's VM; XenStore-State; XenStore-Logic; User B's VM]
OK
B: Network can map 0xDEADBEEF
A: Please shut me down
I've enabled the network driver
I've enabled 0xPWND to map page 0xDEADBEEF

Composition
[Diagram labels: Monitor; User A's VM; XenStore-Logic; XenStore-State; User B's VM; Newly Created VM; boot and initialization; Snapshot Image; process request; Copy-on-Write; rollback; limit access]
OK
B: Network can map 0xDEADBEEF
A: Please shut me down
I've enabled the network driver
I've enabled 0xPWND to map page 0xDEADBEEF

Space + Time
[Diagram labels: Space; Emulator, Platform, Device Drivers, System Boot, Network, Block; User A's VM; User B's VM; Hypervisor]

EVALUATION

Evaluation
What do privileges look like now?
What is the impact on the security of the system?
What are the overheads?
What impact does isolation have on performance?
What impact do restarts have on performance?

Privileges
[Table: privileges (Arbitrarily Access Memory; Access and Virtualize PCI devices; Create VMs; Manage VMs; Manage Assigned Devices) against components (System Boot, PCI Config, Builder, Tools, Block, Network, XenStore); cell marks not recoverable]

Security
Of the 21 vulnerabilities against the control plane, we contain all 21
TCB is reduced from the control VM's 7.5 million lines of code (Linux) to Builder's 13,500 (on top of Xen)

Memory Overhead
Component

Kernel build performance

CONCLUSION

Summing it All Up
Components of control VM a major source of risk
Xoar isolates components in space and time
Contains exploits
Provides explicit exposure to risk
Functionality, performance, and maintainability are not impacted