Security at the VMM Layer - OWASP

Security at the VMM Layer
Theodore Winograd, OWASP, June 14, 2007

Outline
- Why?
- VMM Selection
- Syslog Capture
- Simple MAC via sys_open
- Simple MAC via LSM
- Future Work

Why at the VMM layer?
- COTS software is notoriously buggy
- We still have to use it
- Isolate it and protect the VM system at the same time

Why at the VMM layer?
- Honeypots require fine-grained access control
- We can't trust anything on a honeypot

VMM Selection
- QEMU
  - Little documentation
  - Unstable
  - Logging is too detailed
  - Code difficult to follow
- UML
  - Little documentation
  - Kernel code documented
  - arch/um/include/os.h
    - Ideal for a security VMM
    - os_open_file, os_read_file, os_write_file, os_close_file

Logging Capture
- Audit logs must maintain integrity
- Logs may be recorded at:
  - HW: VM introspection
  - OS: OS service API, API hooking
  - Application: syslog, log4j, etc.
- Each layer loses integrity

Syslog Capture: Why?
- Why not via the network?
- Most Linux applications use syslog
- Improve the integrity of the logs
  - Attackers could modify the syslog daemon
  - Would require network access to the host
- This could be implemented for any logging framework

Syslog Capture: Syslog Architecture
- util-linux: logger.c
- glibc: syslog.h and syslog.c
- UNIX datagram sockets: /dev/log
- Sample contents: <38>Mar 25 22:05:09 login[1890]: ROOT_LOGIN on `tty0

Capture Options
- net/socket.c
  - Capture ALL socket data
  - sys_send* function calls
- net/unix/af_unix.c
  - unix_dgram_connect
  - unix_dgram_sendmsg

Capture Functions
- unix_dgram_connect
- unix_dgram_sendmsg
- Both receive struct sockaddr *
  - Same address
  - Only connect receives the path name
- sockaddr * list
  - Store a list of sockaddr * pointers
  - Add to the list at unix_dgram_connect
  - Compare unix_dgram_sendmsg to the list
  - Remove at unix_release

MAC
- Enforces the Bell-LaPadula security model
  - No write-down
  - No read-up
- Enforces process separation
- Red Hat's SELinux targeted policies

Simple MAC via sys_open: Why?
- Prevent malicious code from accessing sensitive portions of the system
- Prevent information leakage
- Maintain file integrity
- External policy file
- sys_open is easy to intercept
- One step towards an LSM-based approach

Access Control File Format
- +/-[rwa]:file:UID
- -r:/tmp/log:1000
- -r:/tmp/log:0
- +w:/tmp/log:0
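The sockaddr list bookkeeping from the Capture Functions slides above (record address and path at unix_dgram_connect, match the address at unix_dgram_sendmsg, forget it at unix_release), as an added user-space model that is not the talk's code. The function names, the fixed-size table and the decoding of the syslog PRI field from the captured datagram are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* User-space model of the talk's sockaddr list (added example, not the talk's code).
 * unix_dgram_connect() sees both the socket address and the path name, but
 * unix_dgram_sendmsg() only sees the address, so remember which addresses were
 * connected to /dev/log. Table size and function names are assumptions. */
#define MAX_TRACKED 64
#define SUN_PATH_LEN 108     /* size of sockaddr_un.sun_path on Linux */

struct tracked { const void *addr; char path[SUN_PATH_LEN]; };
static struct tracked dgram_table[MAX_TRACKED];

/* Hook point for unix_dgram_connect: record address -> path. 0 on success, -1 if full. */
int capture_on_connect(const void *addr, const char *path)
{
    int slot = -1;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (dgram_table[i].addr == addr) { slot = i; break; }    /* reconnect: overwrite */
        if (dgram_table[i].addr == NULL && slot < 0) slot = i;   /* else first free slot */
    }
    if (slot < 0) return -1;
    dgram_table[slot].addr = addr;
    snprintf(dgram_table[slot].path, sizeof dgram_table[slot].path, "%s", path);
    return 0;
}

/* Hook point for unix_release: forget the address so a reused pointer is not mismatched. */
void capture_on_release(const void *addr)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (dgram_table[i].addr == addr) dgram_table[i].addr = NULL;
}

/* Hook point for unix_dgram_sendmsg. Returns 1 when the datagram goes to /dev/log and
 * decodes its "<PRI>" header into facility/severity (-1 if the header is missing);
 * returns 0 for datagrams to any other socket. */
int capture_on_sendmsg(const void *addr, const char *data, int *facility, int *severity)
{
    int pri = 0, n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (dgram_table[i].addr != addr || strcmp(dgram_table[i].path, "/dev/log") != 0)
            continue;
        if (sscanf(data, "<%d>%n", &pri, &n) == 1 && n > 0 && pri >= 0 && pri <= 191) {
            *facility = pri >> 3;   /* "<38>" -> 4 (auth) */
            *severity = pri & 7;    /* "<38>" -> 6 (info) */
        } else {
            *facility = *severity = -1;
        }
        return 1;
    }
    return 0;
}
```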

Linux kernel: do_sys_open
  long do_sys_open(int dfd, const char __user *filename, int flags, int mode)

MAC
- For every open, compare filename, flags, and uid against the access file
- current macro: process descriptor (UID, PID, GID, parent, etc.)
- Flags:
  - 00 read-only
  - 01 write-only
  - 10 read-write
  - 11 special

sys_open problem
- filename can be relative
- current->fs knows the current working directory
- Allows for an easy bypass
- Must find the equivalent inode

Simple MAC via LSM
- Linux Security Modules
- NSA SELinux

Why?
- External policy
- Access control for OSs without MAC
- No need to configure the existing OS

Access Control
- Same access file as the sys_open MAC
- Map filename to an inode
- Compare inodes
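The sys_open and LSM access checks above, as an added user-space model that is not the talk's code: it parses the +/-[rwa]:file:UID rules, maps the open flags to the r/w/a modes, and canonicalises a relative filename against the cwd in place of the inode comparison the LSM version performs. Assumed, since the slides do not say: rules are checked in order with the last match winning, and a mode with no matching rule is allowed.

```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
/* Model of the talk's "+/-[rwa]:file:UID" access file (added example, not the talk's code).
 * Assumed: rules are checked in order, last match wins, and an unmatched mode is allowed. */
struct rule { int allow; char mode; char file[128]; unsigned uid; };

int parse_rule(const char *line, struct rule *r)   /* 0 on success, -1 if malformed */
{
    if ((line[0] != '+' && line[0] != '-') || !line[1] || !strchr("rwa", line[1]) || line[2] != ':')
        return -1;
    r->allow = line[0] == '+'; r->mode = line[1];
    return sscanf(line + 3, "%127[^:]:%u", r->file, &r->uid) == 2 ? 0 : -1;
}

/* Resolve name against cwd and collapse "." and "..", so "../../tmp/log" opened from /home/u
 * hits the /tmp/log rule (the sys_open bypass). Stands in for the LSM inode comparison. */
void canonical_path(const char *cwd, const char *name, char *out, size_t outlen)
{
    char buf[512]; const char *p = buf; size_t len = 1;
    snprintf(buf, sizeof buf, "%s/%s", name[0] == '/' ? "" : cwd, name);
    out[0] = '/'; out[1] = '\0';
    while (*p) {
        size_t n = strcspn(p, "/");                   /* next path component */
        if (n == 2 && strncmp(p, "..", 2) == 0) {     /* pop the last component */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;
            out[len] = '\0';
        } else if (n > 0 && !(n == 1 && *p == '.')) { /* skip "" and "." */
            snprintf(out + len, outlen - len, "%s%.*s", len > 1 ? "/" : "", (int)n, p);
            len = strlen(out);
        }
        p += n + (p[n] == '/');
    }
}

/* do_sys_open check: 1 = allow, 0 = deny. Slide flags 00/01/10 need r, w, r+w; O_APPEND needs a. */
int mac_check(const struct rule *rules, int nrules, const char *cwd, const char *name, int flags, unsigned uid)
{
    char path[256], need[3]; int n = 0, acc = flags & O_ACCMODE;
    canonical_path(cwd, name, path, sizeof path);
    if (acc == O_RDONLY || acc == O_RDWR) need[n++] = 'r';
    if (acc == O_WRONLY || acc == O_RDWR) need[n++] = 'w';
    if (flags & O_APPEND) need[n++] = 'a';
    for (int i = 0; i < n; i++) {
        int verdict = 1;                              /* assumption: default allow */
        for (int j = 0; j < nrules; j++)
            if (rules[j].mode == need[i] && rules[j].uid == uid && !strcmp(rules[j].file, path))
                verdict = rules[j].allow;
        if (!verdict) return 0;
    }
    return 1;
}
```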

LSM Hooks
- security/selinux/hooks.c: selinux_file*
- security/dummy.c: dummy_file*

Demonstration

Future Work
- Code hooks to external LSM modules
- QEMU implementation
- Log capture and MAC for other OSs

Related work:
- A VM Introspection Based Architecture for Intrusion Detection, T. Garfinkel: http://suif.stanford.edu/papers/vmi-ndss03.pdf
- Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection, X. Jiang: http://www.ise.gmu.edu/~xjiang/pubs/SACMAT07.pdf

Questions? [email protected]
