Breaking Up is Hard to Do - UBC Department of Computer Science


Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor
Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker*, Tim Deegan, Peter Loscocco*, Andrew Warfield
Department of Computer Science, University of British Columbia; Citrix Systems R&D; * National Security Agency

Companies in the Cloud
(Logos of companies that all run in EC2 or Rackspace.)

Hypervisors are Secure
- Narrow interface
- Small codebase:
  Xen: 280 KLOC (based on the current version)
  Nova: 9 KLOC (microvisor) + 20 KLOC (VMM) [EuroSys10]
  SecVisor: 2 KLOC [SOSP07]
  Flicker: 250 LOC [EuroSys08]

CERT Vulnerabilities
- 38 Xen CERT vulnerabilities
- 23 originate in guest VMs
- 2 of those are against the hypervisor itself
- What about the other 90%? (The remaining 21 of the 23, roughly 90%, are against the control VM, not the hypervisor.)

We are the 90%
- The control VM (Dom0) hosts IPC, management, device emulation, the platform and the device drivers, and sits beside User A's VM and User B's VM on the hypervisor.
- It manages devices, creates and destroys VMs, and can arbitrarily access memory.

Exposure to Risk
- Isolate services into least-privileged service VMs
- Make sharing between components explicit
- Contain the scope of exploits in both space and time
- Constraint: don't reduce the functionality, performance, or maintainability of the system

SPACE

Space
(Diagram: the monolithic control VM with IPC, Management, Device Emulation, Platform and Device Drivers, beside User A's VM and User B's VM on the hypervisor.)

Space: Isolation
The control VM is split into single-purpose service VMs:
- IPC -> XenStore
- Device Emulation -> Emulator
- Platform -> PCI Config, System Boot
- Management -> Builder, Tools
- Device Drivers -> Network, Block
(Diagram: XenStore, Builder, Tools, Emulator, PCI Config, System Boot, Network and Block as separate VMs beside User A's VM and User B's VM on the hypervisor.)

Configurable Sharing
- Private service VMs: User A's VM is served by User A's Network, User A's Tools and User A's Block; User B's VM by User B's Network, User B's Tools and User B's Block.
- Shared service VMs: a single Network, Tools and Block serve both User A's VM and User B's VM.
- Which services are shared and which are private is a configuration choice, made explicit rather than implied by a monolithic control VM.
(Recap diagram: Space: Isolation, Configurable Sharing; XenStore, Builder, Tools, Emulator, PCI Config, System Boot, Network and Block beside User A's VM and User B's VM on the hypervisor.)

Auditing
- Question: which VMs were relying on the Block component while it was compromised?
- Example: User A's VM uses Network; User B's VM uses Block; User C's VM is created (by the Builder) while Block is compromised and also uses Block.
- Answer: VM B and VM C.
(Recap diagram: Space: Isolation, Configurable Sharing, Auditing; XenStore, Builder, Tools, Emulator, PCI Config, System Boot, Network and Block beside User A's VM and User B's VM on the hypervisor.)
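The audit question above needs a record of which guest depended on which service VM, and when. The following is an added example, not code from Xoar or Xen: it models that record as an append-only log of bindings and runs the slide's scenario, where A uses Network only, B uses Block, and C is created during the compromise and also uses Block. The VM names, timestamps, and the compromise window (Block compromised at tick 20, restarted from a snapshot at tick 30) are constructed for the illustration.

```python
"""Dependency audit for shared service VMs.

Added example, not code from Xoar or Xen.  Every binding of a guest VM to
a service VM (Network, Block, ...) is logged with its start and end time,
so that after a compromise the platform can answer "who was relying on
this component while it was compromised?".
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    guest: str            # guest VM
    service: str          # service VM it is bound to
    start: int            # time the binding was created
    end: Optional[int]    # time it was torn down; None means still bound


class DependencyLog:
    def __init__(self):
        self._log = []    # append-only; unbind closes the matching open record

    def bind(self, guest: str, service: str, at: int) -> None:
        self._log.append(Binding(guest, service, at, None))

    def unbind(self, guest: str, service: str, at: int) -> None:
        for i, b in enumerate(self._log):
            if b.guest == guest and b.service == service and b.end is None:
                self._log[i] = Binding(guest, service, b.start, at)
                return
        raise KeyError(f"{guest} is not bound to {service}")

    def exposed_guests(self, service: str, start: int,
                       end: Optional[int] = None) -> set:
        """Guests bound to `service` at any instant during [start, end].

        `end` of None means the compromise has not ended (the service is
        still running).  Boundaries are inclusive: a guest still bound at
        the tick of the restart counts as exposed."""
        horizon = float("inf")
        c_end = horizon if end is None else end
        exposed = set()
        for b in self._log:
            if b.service != service:
                continue
            b_end = horizon if b.end is None else b.end
            if b.start <= c_end and b_end >= start:
                exposed.add(b.guest)
        return exposed


def slide_scenario() -> set:
    """Constructed timeline: Block is compromised at tick 20 and restarted
    from its snapshot at tick 30."""
    log = DependencyLog()
    log.bind("vm-A", "network", at=0)
    log.bind("vm-A", "block", at=0)
    log.unbind("vm-A", "block", at=10)    # A stopped using Block before the compromise
    log.bind("vm-B", "block", at=5)
    log.bind("vm-C", "network", at=25)    # C is created during the compromise
    log.bind("vm-C", "block", at=25)
    return log.exposed_guests("block", start=20, end=30)


if __name__ == "__main__":
    print(sorted(slide_scenario()))       # ['vm-B', 'vm-C']
```

The overlap test is deliberately inclusive at both ends: a timed restart at tick t only helps guests whose bindings ended strictly before the compromise began, so a guest that was bound at the restart tick is still reported.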

TIME

Time
(Recap diagram: Space: Isolation, Configurable Sharing, Auditing; Time: Containment; the service VMs beside User A's VM and User B's VM on the hypervisor.)

Disposable
- PCI Config and System Boot are only needed while the system boots. They run once, hand over to the rest of the platform, and are destroyed, so they are not around to be attacked later.

Snapshots
- Taking a snapshot of a service VM costs 4-25 ms.

Timed Restarts
- Service VMs are periodically restarted from their snapshot, which bounds how long a compromise of a service VM can persist.

Stateless VMs
- Builder: a newly created VM boots and initialises, a snapshot image is taken, each request (from User A's or User B's VM) is processed on a copy-on-write copy of that image, and the VM rolls back to the snapshot before the next request.

SPACE + TIME

Space + Time
- Space: Isolation, Configurable Sharing, Auditing
- Time: Disposable, Timed Restarts, Stateless

Composition
- XenStore serves requests from many guests. User A's VM asks "Please shut me down"; User B's VM reports "I've enabled the network driver"; XenStore records "B: Network can map 0xDEADBEEF" and answers "OK".
- If XenStore is compromised it instead records "I've enabled 0xPWND to map page 0xDEADBEEF": whoever subverts the shared service gains privilege over other guests' pages, and that corruption persists across every later request.
- Split XenStore into XenStore-Logic and XenStore-State. XenStore-Logic is stateless: it starts from a snapshot, processes a request on a copy-on-write copy, and rolls back before the next request, so corruption introduced by B's request does not survive into A's.
- A monitor in front of XenStore-State limits what each request may access, so even a corrupted XenStore-Logic cannot turn B's request into a grant of page 0xDEADBEEF to 0xPWND.

Space + Time
- Space: Isolation, Configurable Sharing, Auditing
- Time: Disposable, Timed Restarts, Stateless
- Composition
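The two halves of the Composition argument, rollback in time and a monitor in space, are easiest to see side by side. The following is an added example, not code from Xoar or Xen, and it also serves the Stateless VMs slide above, since the same snapshot-and-rollback pattern is what the Builder uses. It models the slide's scenario: guest B's request carries an exploit that corrupts the logic component so that it keeps trying to grant page 0xDEADBEEF to a rogue domain 0xPWND, and guest A then asks to be shut down. The key names, the "0xPWND" trigger, the request values and the grant key are constructed for the illustration; real XenStore has no such bug. A conventional long-lived server is run beside the stateless one, each with the monitor off and on.

```python
"""Stateless XenStore-Logic with an access monitor in XenStore-State.

Added example, not code from Xoar or Xen.  The "bug" in XenStoreLogic is
constructed for the illustration.
"""
import copy
from dataclasses import dataclass

# Hypothetical privileged key that only the control plane should write.
ROGUE_KEY = "/local/domain/0/grant/0xDEADBEEF"


@dataclass(frozen=True)
class Request:
    domid: int    # guest on whose behalf the request is made
    key: str
    value: str


class XenStoreState:
    """Long-lived key/value tree.  With monitor=True, a request may only
    touch the subtree of the domain that issued it (the "limit access"
    box on the slide)."""

    def __init__(self, monitor: bool = True):
        self.monitor = monitor
        self.tree = {}
        self.attempts = []    # (domid, key, allowed): audit trail of writes

    def _owns(self, domid: int, key: str) -> bool:
        return key.startswith(f"/local/domain/{domid}/")

    def write(self, domid: int, key: str, value: str) -> None:
        allowed = (not self.monitor) or self._owns(domid, key)
        self.attempts.append((domid, key, allowed))
        if not allowed:
            raise PermissionError(f"domain {domid} may not write {key}")
        self.tree[key] = value


class XenStoreLogic:
    """Request processor.  Its in-memory scratch state is what an exploit
    corrupts; it holds no reference to the persistent XenStoreState."""

    def __init__(self):
        self.after_hooks = []   # extra writes issued after every request

    def handle(self, state: XenStoreState, req: Request) -> str:
        # Modelled bug (constructed): a value containing "0xPWND" makes the
        # logic install a hook that fires on this and every later request.
        if "0xPWND" in req.value:
            self.after_hooks.append((ROGUE_KEY, "0xPWND"))
        state.write(req.domid, req.key, req.value)
        for key, value in self.after_hooks:
            try:
                state.write(req.domid, key, value)   # checked by the monitor
            except PermissionError:
                pass
        return "ok"


class StatefulServer:
    """Conventional design: one logic instance lives for the whole uptime."""

    def __init__(self, state: XenStoreState):
        self.state, self.logic = state, XenStoreLogic()

    def serve(self, req: Request) -> str:
        return self.logic.handle(self.state, req)


class StatelessServer:
    """Xoar design: the logic is snapshotted after initialisation; each
    request runs on a fresh copy-on-write clone, which is then dropped."""

    def __init__(self, state: XenStoreState):
        self.state = state
        self._snapshot = XenStoreLogic()   # image taken after boot and init

    def serve(self, req: Request) -> str:
        logic = copy.deepcopy(self._snapshot)   # rollback == fresh clone
        return logic.handle(self.state, req)


def run_scenario(server_cls, monitor: bool) -> dict:
    """Serve B's exploit-carrying request, then A's shutdown request."""
    state = XenStoreState(monitor=monitor)
    server = server_cls(state)
    server.serve(Request(2, "/local/domain/2/device/vif/0/state",
                         "enabled 0xPWND to map page 0xDEADBEEF"))   # User B
    server.serve(Request(1, "/local/domain/1/control/shutdown",
                         "poweroff"))                                 # User A
    rogue = [a for a in state.attempts if a[1] == ROGUE_KEY]
    return {
        "rogue_attempts": len(rogue),                 # how often the hook fired
        "rogue_succeeded": sum(1 for a in rogue if a[2]),
        "shutdown_written":
            state.tree.get("/local/domain/1/control/shutdown") == "poweroff",
    }


if __name__ == "__main__":
    for cls in (StatefulServer, StatelessServer):
        for monitor in (False, True):
            print(cls.__name__, "monitor" if monitor else "no monitor",
                  run_scenario(cls, monitor))
```

Rollback alone limits the hook to the one request that planted it (one attempt instead of two) but does not stop the damage done inside that request; the monitor alone blocks every rogue write but leaves the logic corrupted for the rest of its life. Only the combination gives both properties, which is why XenStore is split into a stateless logic half and a monitored state half rather than just restarted.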

EVALUATION

Evaluation
- What do privileges look like now?
- What is the impact on the security of the system?
- What are the overheads?
- What impact does isolation have on performance?
- What impact do restarts have on performance?

Privileges
(Table of which privileges each service VM holds. Rows: Arbitrarily Access Memory; Access and Virtualize PCI Devices; Create VMs; Manage VMs; Manage Assigned Devices. Columns: System Boot, PCI Config, Builder, Tools, Block, Network, XenStore.)

Security
- Of the 21 vulnerabilities against the control plane, all 21 are contained.
- The TCB is reduced from the control VM's 7.5 million lines of code (Linux) to the Builder's 13,500 lines (on top of Xen).

Memory Overhead
Component        Memory
System Boot      128 MB
PCI Config       128 MB
XenStore-Logic    32 MB
XenStore-State    32 MB
Block            128 MB
Network          128 MB
Builder           64 MB
Tools            128 MB
Total            512 MB
(The total counts only the components that stay resident: System Boot and PCI Config are disposable and freed after boot, and 32 + 32 + 128 + 128 + 64 + 128 = 512.)

Isolation Performance
(Figures: Postmark performance; wget performance.)

Restart Performance
(Figure: kernel build performance.)

CONCLUSION

Summing it All Up
- Components of the control VM are a major source of risk
- Xoar isolates components in space and time
- Contains exploits
- Provides explicit exposure to risk
- Functionality, performance, and maintainability are not impacted
