Slide 1: Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor
Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker*, Tim Deegan, Peter Loscocco*, Andrew Warfield
Department of Computer Science, University of British Columbia; Citrix Systems R&D; * National Security Agency

Slide 2: Companies in the Cloud (all these run in EC2 or Rackspace)
[logo collage]

Slide 3: Hypervisors are Secure
- Narrow interface
- Small codebase
- Xen: 280 KLOC (based on the current version)
- Nova: 9 KLOC (microvisor) + 20 KLOC (VMM) [EuroSys10]
- SecVisor: 2 KLOC [SOSP07]
- Flicker: 250 LOC [EuroSys08]

Slide 4: CERT Vulnerabilities
- 38 Xen CERT vulnerabilities
- 23 originate in guest VMs
- 2 are against the hypervisor
- What the heck are the other 90%?

Slide 5: We are the 90%
The Control VM (Dom0) contains IPC, Management, Device Emulation, Platform, and Device Drivers. It can:
- Manage devices
- Create and destroy VMs
- Arbitrarily access memory
[diagram: Control VM, User A's VM, User B's VM on top of the Hypervisor]

Slide 6: Exposure to Risk
- Isolate services into least-privileged service VMs
- Make sharing between components explicit
- Contain scope of exploits in both space and time
- Constraint: Don't reduce functionality, performance, or maintainability of the system

Slide 7: SPACE

Slide 8: Space
[diagram: Control VM (IPC, Management, Device Emulation, Platform, Device Drivers), User A's VM, User B's VM, Hypervisor]

Slide 9: Space: Isolation
The Control VM is split into service VMs:
- IPC becomes XenStore
- Device Emulation becomes Emulator
- Platform becomes PCI Config and System Boot
- Management becomes Builder and Tools
- Device Drivers become Network and Block

Slide 10: Space: Isolation
[diagram: XenStore, Builder, Tools, Emulator, PCI Config, System Boot, Network, Block as separate service VMs beside User A's VM and User B's VM on the Hypervisor]

Slide 11: Configurable Sharing
[diagram: User A's VM with its own Network, Tools, and Block; User B's VM with its own Network, Tools, and Block]

Slide 12: Configurable Sharing
[diagram: User A's VM and User B's VM sharing one Network, Tools, and Block]

Slide 13: Configurable Sharing
[diagram: per-user Network, Tools, and Block for User A's VM and User B's VM]

Slide 14: Space: Isolation, Configurable Sharing
[architecture diagram of the service VMs]

Slide 15: Auditing
Which VMs were relying on the Block component while it was compromised?
[diagram: User A's VM, User B's VM, User C's VM; Network and Block service VMs; "Create Block"]
Answer: VM B and VM C

Slide 16: Space: Isolation, Configurable Sharing, Auditing
[architecture diagram of the service VMs]

Slide 17: TIME

Slide 18: Time
Space: Containment, Configurable Sharing, Auditing
[architecture diagram of the service VMs]

Slide 19: Disposable
PCI Config and System Boot are disposable services: they run on the Hypervisor only while needed.

Slide 20: Time: Disposable
[architecture diagram of the service VMs]

Slide 21: Snapshots
VM snapshot: 4-25 ms

Slide 22: Time: Disposable, Timed Restarts
[architecture diagram of the service VMs]

Slide 23: Stateless VMs
Builder: newly created VM, boot and initialization, snapshot image, process request, rollback. Copy-on-write.
[diagram: Builder serving User A's VM and User B's VM]

Slide 24: Time: Disposable, Timed Restarts, Stateless
[architecture diagram of the service VMs]

Slide 25: SPACE + TIME

Slide 26: Space + Time
Space: Isolation, Configurable Sharing, Auditing. Time: Disposable, Timed Restarts, Stateless.
[architecture diagram of the service VMs]

Slide 27: Composition
User A's VM to XenStore: "I've enabled the network driver." XenStore: "OK."
XenStore: "B: Network can map 0xDEADBEEF."
User B's VM: "I've enabled 0xPWND to map page 0xDEADBEEF."

Slide 28: Composition
XenStore is split into XenStore-State and XenStore-Logic.
User A's VM: "I've enabled the network driver." XenStore: "OK."
XenStore: "B: Network can map 0xDEADBEEF." "A: Please shut me down."
User B's VM: "I've enabled 0xPWND to map page 0xDEADBEEF."

Slide 29: Composition
A Monitor sits between XenStore-Logic and XenStore-State; XenStore-Logic is stateless (newly created VM, boot and initialization, snapshot image, process request, rollback, copy-on-write), and access to XenStore-State is limited.
XenStore: "B: Network can map 0xDEADBEEF." "A: Please shut me down."
User A's VM: "I've enabled the network driver." User B's VM: "I've enabled 0xPWND to map page 0xDEADBEEF."

Slide 30: Space + Time
Space: Isolation, Configurable Sharing, Auditing. Time: Disposable, Timed Restarts, Stateless. Composition.
[architecture diagram of the service VMs]

Slide 31: EVALUATION

Slide 32: Evaluation
- What do privileges look like now?
- What is the impact on the security of the system?
- What are the overheads?
- What impact does isolation have on performance?
- What impact do restarts have on performance?

Slide 33: Privileges
[table: rows are components (System Boot, PCI Config, Builder, Tools, Block, Network, XenStore); columns are privileges (Arbitrarily Access Memory, Access and Virtualize PCI Devices, Create VMs, Manage VMs, Manage Assigned Devices); cells mark which component holds which privilege]

Slide 34: Security
- Of the 21 vulnerabilities against the control plane, we contain all 21
- TCB is reduced from the control VM's 7.5 million lines of code (Linux) to Builder's 13,500 (on top of Xen)

Slide 35: Memory Overhead
Component        Memory
System Boot      128MB
PCI Config       128MB
XenStore-Logic   32MB
XenStore-State   32MB
Block            128MB
Network          128MB
Builder          64MB
Tools            128MB
Total            512MB

Slide 36: Isolation Performance
[charts: Postmark performance; wget performance]

Slide 37: Restart Performance
[chart: Kernel build performance]

Slide 38: CONCLUSION

Slide 39: Summing it All Up
- Components of the control VM are a major source of risk
- Xoar isolates components in space and time
- Contains exploits
- Provides explicit exposure to risk
- Functionality, performance, and maintainability are not impacted

Slide 40
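The auditing question on slide 15 ("which VMs were relying on Block while it was compromised?") combined with the timed restarts of slides 21 to 24 can be answered from a dependency log. The following is an added illustrative model, not Xoar's code: it assumes a constructed event log in which each service VM restart starts a fresh instance, and client VMs attach to and detach from the service, so the exposure of a compromise is bounded by the restart that follows it.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Event:
    t: int            # seconds on a constructed sample clock
    kind: str         # "restart", "attach" or "detach"
    service: str      # service VM name, e.g. "Block"
    client: str = ""  # client VM for attach/detach events

# Constructed sample log (assumption): Block is restarted from its snapshot
# every 60 s; VM-A detaches early, VM-B and VM-C keep using Block.
SAMPLE_LOG: List[Event] = [
    Event(0, "restart", "Block"),
    Event(5, "attach", "Block", "VM-A"),
    Event(10, "attach", "Block", "VM-B"),
    Event(20, "detach", "Block", "VM-A"),
    Event(30, "attach", "Block", "VM-C"),
    Event(60, "restart", "Block"),            # timed restart: fresh instance
    Event(61, "attach", "Block", "VM-B"),
    Event(61, "attach", "Block", "VM-C"),
    Event(70, "attach", "Network", "VM-A"),
]

def exposed_clients(log: List[Event], service: str,
                    t_start: float, t_end: float) -> Set[str]:
    """Clients attached to `service` at any time in [t_start, t_end).

    A restart clears the attached set: clients that re-attach afterwards are
    talking to a fresh instance, not the one that was compromised.
    """
    attached: Set[str] = set()
    exposed: Set[str] = set()
    for ev in sorted((e for e in log if e.service == service), key=lambda e: e.t):
        if ev.t >= t_end:
            break
        if ev.t > t_start:
            exposed |= attached   # state that was live from the previous event up to ev.t
        if ev.kind == "restart":
            attached.clear()
        elif ev.kind == "attach":
            attached.add(ev.client)
        elif ev.kind == "detach":
            attached.discard(ev.client)
    return exposed | attached     # state still live at t_end (or end of log)

def instance_window(log: List[Event], service: str, t_detect: float) -> Tuple[float, float]:
    """Lifetime [start, end) of the service instance that was running at t_detect."""
    restarts = sorted(e.t for e in log if e.service == service and e.kind == "restart")
    start = max((r for r in restarts if r <= t_detect), default=0)
    end = min((r for r in restarts if r > t_detect), default=float("inf"))
    return start, end

def audit(log: List[Event], service: str, t_detect: float) -> Set[str]:
    """Conservative answer: every client that used the compromised instance at any time."""
    return exposed_clients(log, service, *instance_window(log, service, t_detect))
```

Narrowing the window to the compromise itself (here 25 s to the 60 s restart) gives the slide's answer, VM B and VM C; without the restart the instance would live on and every later attach would widen the set.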