Security at the VMM Layer Theodore Winograd OWASP June 14, 2007 Outline Why? VMM Selection Syslog Capture
Simple MAC via sys_open Simple MAC via LSM Future Work Why at the VMM layer? COTS software is notoriously buggy We still have to use it Isolate itand protect the VM system at the same time
Why at the VMM layer? Honeypots require fine-grained access control We cant trust anything on a honeypot VMM Selection QEMU Little documentation Unstable Logging is too detailed Code difficult to
follow UML Little documentation Kernel code documented arch/um/include/os.h Ideal for security VMM
os_open_file os_read_file os_write_file os_close_file Logging Capture Audit logs must maintain integrity Logs may be recorded at:
HW VM Introspection OS OS service API API hooking Application syslog, log4j, etc Each layer loses integrity Syslog Capture Why?
Why not via the network? Most Linux applications use syslog Improve the integrity of the logs Attackers could modify the syslog daemon Would require network access to the host This could be implemented for any
Capture ALL socket data sys_send* function calls net/unix/af_unix.c unix_dgram_connect unix_dgram_sendmsg Capture Functions unix_dgram_connect
unix_dgram_sendmsg Both receive struct sockaddr * Same address Only connect receives the path name sockaddr * list Store a list of sockaddr * pointers
Add to the list at unix_dgram_connect Compare unix_dgram_sendmsg to the list Remove at unix_release MAC Enforces Bell-LaPadula security model No write-down
No read-up Enforces process separation Red Hats SELinux targeted policies Simple MAC via sys_open Why?
Prevent malicious code from accessing sensitive portions of the system Prevent information leakage Maintain file integrity External policy file sys_open is easy to intercept One step towards LSM-based approach Access Control File Format +/-[rwa]:file:UID -r:/tmp/log:1000 -r:/tmp/log:0 +w:/tmp/log:0
Linux kernel: do_sys_open long do_sys_open( int dfd, const char __user *filename, int flags, int mode ) MAC For every open, compare filename, flags, and uid against the access file
current macro process descriptor UID, PID, GID, parent, etc Flags 00 01 10
11 read-only write-only read-write - special sys_open problem filename can be relative
current->fs knows the current working directory Allows for an easy bypass Must find equivalent inode Simple MAC via LSM Linux Security Modules NSA SELinux Why?
External policy Access control for OSs without MAC No need to configure the existing OS Access Control Same access file as sys_open MAC Map filename to an inode Compare inodes
Demonstration Future Work Code hooks to external LSM modules QEMU implementation Log capture and MAC for other OSs Related work:
A VM Introspection Based Architecture for Intrusion Detection T. Garfinkel: http://suif.stanford.edu/papers/vmi-ndss03.pdf Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection X. Jiang: http://www.ise.gmu.edu/~xjiang/pubs/SACMAT07.pdf Questions? [email protected]
Answers Directions: 1. If your answer was incorrect, try again. 2. When you finally arrive at the correct answer, complete the following questions. a) What did you assume incorrectly? b) What information do you think was left out that led...
Chapter 7: Regions of the USSection 1 - The Northeast. Titan Blaster #1: List from memory the nine states that form the Northeast. ... The area from Boston to Washington DC is considered a megalopolis of over 40 million people....
Renee Aitken - works with Assessment and Accreditation. Building a university level assessment process. Collecting, analyzing data, and sharing the results. Sharing assessment plans and procedures across the university. UH280C. EXT. 4984
A fossil is made when a plant or animal is covered quickly with mud or ash The organism's tissues are replaced over a long period of time with minerals from the soil it was buried in Fossils can be dated...
The pathway your child chooses will determine the electives they need to take in HS. Copies of each HS pathways are at the table and available in the HS Course Selection Handbook (CSH) on pg. 7. Portal to select their...