Breaking Up is Hard to Do - UBC Department of Computer Science
Security and Functionality in a Commodity Hypervisor

Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker*, Tim Deegan, Peter Loscocco*, Andrew Warfield
Department of Computer Science, University of British Columbia
Citrix Systems R&D
* National Security Agency

Companies in the Cloud
(all these run in EC2 or Rackspace)

Hypervisors are Secure
Narrow interface
Small codebase
[Diagram labels: x86, x86, x86, Hypervisor]
Xen: 280 KLOC (based on the current version)
Nova: 9 KLOC (microvisor) + 20 KLOC (VMM) [EuroSys10]
SecVisor: 2 KLOC [SOSP07]
Flicker: 250 LOC [EuroSys08]

CERT Vulnerabilities
38 Xen CERT vulnerabilities
23 originate in guest VMs
2 are against the hypervisor
What the heck are the other 90%?

We are the 90%
[Diagram labels: Control VM (Dom0), IPC, Management, Device Emulation, Platform, Device Drivers, User A's VM, User B's VM, Hypervisor]
Manage devices
Create and destroy VMs
Arbitrarily access memory

Exposure to Risk
Isolate services into least-privileged service VMs
Make sharing between components explicit
Contain scope of exploits in both space and time
Constraint: Don't reduce functionality, performance, or maintainability of the system

SPACE

Space
[Diagram labels: Control VM, IPC, Management, Device Emulation, Platform, Device Drivers, User A's VM, User B's VM, Hypervisor]

Space
Isolation
[Diagram labels: Control VM, Platform, Device Drivers, System Boot, Network, Block, User A's VM, User B's VM, Hypervisor]

SPACE + TIME

Space + Time
Space, Time
Isolation, Configurable Sharing, Auditing, Disposable, Timed Restarts, Stateless
[Diagram labels: IPC, XenStore, Builder, Tools, Device Emulation, PCI Config, Management, Emulator, Platform, Device Drivers, System Boot, Network, Block, User A's VM, User B's VM, Hypervisor]

Composition
[Diagram labels: User A's VM, XenStore, User B's VM]
Messages shown:
"OK"
"B: Network can map 0xDEADBEEF"
"I've enabled the network driver"
"I've enabled 0xPWND to map page 0xDEADBEEF"

Composition
[Diagram labels: User A's VM, XenStore-State, XenStore-Logic, User B's VM]
Messages shown:
"OK"
"B: Network can map 0xDEADBEEF"
"A: Please shut me down"
"I've enabled the network driver"
"I've enabled 0xPWND to map page 0xDEADBEEF"

Composition
[Diagram labels: Monitor, User A's VM, XenStore-Logic, XenStore-State, Newly Created VM, Snapshot Image, Copy-on-Write, User B's VM]
Steps shown: boot and initialization, process request, rollback, limit access
Messages shown:
"OK"
"B: Network can map 0xDEADBEEF"
"A: Please shut me down"
"I've enabled the network driver"
"I've enabled 0xPWND to map page 0xDEADBEEF"

Space + Time
Space
[Diagram labels: Emulator, Platform, Device Drivers, System Boot, Network, Block, User A's VM, User B's VM, Hypervisor]

EVALUATION

Evaluation
What do privileges look like now?
What is the impact on the security of the system?
What are the overheads?
What impact does isolation have on performance?
What impact do restarts have on performance?

Privileges
[Table: Privilege (Arbitrarily Access Memory; Access and Virtualize PCI devices; Create VMs; Manage VMs; Manage Assigned Devices) for each component (System Boot, PCI Config, Builder, Tools, Block, Network, XenStore)]

Security
Of the 21 vulnerabilities against the control plane, we contain all 21
TCB is reduced from the control VM's 7.5 million lines of code (Linux) to Builder's 13,500 (on top of Xen)

Memory Overhead
Component

Kernel build performance

CONCLUSION

Summing it All Up
Components of control VM a major source of risk
Xoar isolates components in space and time
Contains exploits
Provides explicit exposure to risk
Functionality, performance, and maintainability are not impacted