Xen-Cap: A Capability Framework for Xen. Yathindra Naik, School of Computing, University of Utah. Advisor: Robert Ricci, Flux Research Group, University of Utah.


Xen-Cap: A Capability Framework for Xen. Yathindra Naik, School of Computing, University of Utah. Advisor: Robert Ricci, Flux Research Group, University of Utah. Co-Advisor: Anton Burtsev, Flux Research Group, University of Utah.

Traditional systems are monolithic. (Figure: App1 to App4 in user space above a single kernel that holds the network stack, file system and device drivers in kernel space.) The attack path shown: a PDF app parses an untrusted PDF, its JavaScript engine is compromised, the OS interface is compromised, and privilege escalation follows.

Disaggregated architecture (the Qubes/Bromium design). (Figure: application VMs on the Xen hypervisor, each with its own kernel, network stack, file system stack and window manager; the network driver, disk driver and graphics driver run in their own VMs.)

Ideal system? (Built up over four figures.) Start with a file system. Add a GUI and a user, with the annotation that the GUI cannot talk to User. Add a PDF reader that may only read files and render to the screen, and a word processor that may read and write files and render to the screen. Finally the PDF reader is marked as compromised: what it can reach is bounded by the two operations it was given, file read and render screen.

Challenges. (Figure: a hypervisor hosting VM 1 and VM 2.) Objects live at three levels, the application level, the kernel level and the hypervisor level, and the mechanisms that reach them differ: higher-level IPC, shared memory and hypercalls.

Proposed solution
– Single interface for every layer to manage capabilities: uniform access control across the system
– Applications decide the semantics of the objects they manage: they bind capabilities to objects and do the security checks
– The hypervisor protects the capabilities, and also protects a small set of objects that it implements itself

Contributions
– Engineering: extended Xen 4.3 with a capability interface; unmodified Xen VMs run on top of Xen-Cap; support for easy construction of guest-level capability services; an NFS-based, capability-protected file system
– Intellectual: a capability framework for virtualized environments, and a design recipe for implementing least-privilege services

Design/Architecture

Xen-Cap capabilities. A capability is a 64-bit integer. Each capability has a record in CSpace, a data structure protected by the hypervisor. (Figure: VM 1 and VM 2 on the Xen hypervisor reach capabilities only through the Xen-Cap interface.)

Three hypercalls
– cap_create()
– cap_grant(domain_id, capability_name)
– cap_check(domain_id, capability_name)
The hypervisor enforces the capability rules; the check itself is invoked by the high-level code that implements the object. (Figure: an application in VM 1 calls cap_create through the hypercall interface and receives the name 0xcafebeef; the capability is granted to VM 2 with cap_grant; when an application in VM 2 issues a read/write, the VM 2 kernel calls cap_check and gets OK before serving it.)

Xen-Cap properties
– Global capability names: the name is decided by the hypervisor and generated randomly
– Capabilities are regenerated after reboot: there are no persistent capabilities
– The Xen-Cap interface is the only way to interact with capabilities

Securing critical services

Xen Overview. (Figure: Domain 0 runs the xl tool, XenStore (a tree rooted at /local/domain with disk and network entries), the disk backend (blkback) and the network backend (netback); a guest domain runs the disk frontend (blkfront) and the network frontend (netfront). Both sit on the Xen hypervisor and talk to it and to each other through hypercalls and event channels.)

Xen-level objects. Hypervisor-level objects: hypercall invocation points, event channels, shared memory. We use XSM to avoid re-engineering: XSM (Xen Security Modules) is a general security framework for Xen, in the style of SELinux, and its hooks transfer control to the Xen-Cap interfaces.

Boot protocol
– The hypervisor creates capabilities for hypervisor-level objects at boot and grants them to the first booting domain
– The first domain needs to learn the capability names for specific objects, e.g. the capability name for each hypercall, in order to grant them to other domains
– The get_cap_names interface resolves a resource name into a capability name; the hypervisor implements it as a shared page with a known structure in which the capability names are stored

Hypercalls
– Creating and binding capabilities: the hypervisor creates the capabilities and grants them to the first booting domain
– Distribution: all hypercalls listed in a VM's config file are granted to the new VM
– Check: the hypervisor checks the capability on every hypercall invocation

Event channels. Inter-VM communication is built on top of two primitives: shared memory and event channels. Events are Xen's signalling mechanism. Securing event channels with capabilities lets us restrict which communication channels are available to a VM.

Securing event channels. (Figure: the backend in Domain 0 and frontends in Dom 1 and Dom 2 on Xen. est_evtchn is the hypervisor object to which a capability is bound: the xl tool calls cap_create for est_evtchn and grants it to the backend and to each frontend domain.)

XenStore. (Figure: XenStore in Domain 0 holds the tree /local/domain/0/backend/... describing the block backend and the guest's block frontend. Once the frontend/backend pair is connected, the xl tool calls cap_create and cap_grant for the frontend; when an application issues a read/write, cap_check is called and returns OK.)

Configuring capabilities via the config file. Xen config files specify the VM configuration; we specify capabilities with additional parameters in the same file: cap_hypercalls, cap_files and cap_evtchn. This gives an easy mechanism for invoking a VM with specific capabilities.


Constructing a least-privilege environment

Xen-Cap for the file system. File systems are the common way to share, even between VMs, and sharing needs flexible, fine-grained delegation of rights. NFS makes it easy to share files over Ethernet; it comes with ACLs but has no way to delegate capabilities. We construct a least-privilege NFS shared environment using Xen-Cap.

Least-privilege file system. (Figure: application VMs on Xen above a file system holding Foo.pdf and Boo.pdf. The file system exports Foo.pdf and Boo.pdf; the xl tool calls cap_create for Foo.pdf and cap_grant for Foo.pdf to each application VM that should be able to read it.)

Creating the NFS VMs. (Figure: Domain 0 runs the xl tool and XenStore, which records the NFS backend under /ydev and the NFS frontend. An NFS server VM (file system, NFS server, vif frontend, TCP/IP; a tree with /, /home, /etc, /lib, /usr and the directories ydev and aburtsev) and an NFS client VM (file system, NFS client, vif frontend, TCP/IP; a tree with /, /client, /etc, /lib, /usr and ydev) are connected over a virtual private network. From the NFS server VM config file, xl reads the file system to be exported and creates capabilities for the exported files; from the NFS client VM config file, xl writes the domid and IP address of the NFS client and grants it the capabilities for the exported files. NFS request path: an application in the client reads /ydev/foo.pdf; the request reaches the NFS server, where LSM hooks call cap_check, which returns OK.)
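The three hypercalls, the boot protocol and the per-VM config distribution from the "Xen-Cap capabilities" through "Hypercalls" slides, together with the per-file capabilities of the NFS export on this slide, modelled in one added C example. This is not Xen-Cap's code. Everything not on the slides is an assumption: the four hypercall names, the domain ids, the xorshift stand-in for the hypervisor's random name generator, the rule that only a current holder may grant, and the NFS server learning the path-to-capability binding from xl. CSpace is a flat table keyed by the random 64-bit name; the guest-side bind table plays the get_cap_names role.

```c
/* Added model of Xen-Cap: CSpace, the three hypercalls, and their two uses on these
 * slides (hypercall capabilities at boot, per-file capabilities for the NFS export). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_CAPS 64
#define MAX_DOMS 32             /* holders kept as a bitmask over domain ids 0..31 */
#define CAP_INVALID 0ULL
enum { CAP_OK = 0, CAP_DENIED = -1 };
enum { DOM0 = 0, CLIENT_DOM = 7 };    /* domain ids used below (CLIENT_DOM assumed) */
/* Hypervisor side: one CSpace record per capability. */
struct cap_record { uint64_t name; uint32_t holders; };
static struct cap_record cspace[MAX_CAPS]; static int ncaps;
/* Assumption: xorshift64* stands in for the hypervisor RNG so runs repeat. A real
 * build needs a CSPRNG, since the 64-bit name is the whole secret. */
static uint64_t rng = 0x9E3779B97F4A7C15ULL;
static uint64_t hv_random64(void) {
    rng ^= rng >> 12; rng ^= rng << 25; rng ^= rng >> 27;
    return rng * 0x2545F4914F6CDD1DULL;
}
static struct cap_record *lookup(uint64_t name) {
    for (int i = 0; i < ncaps; i++) if (cspace[i].name == name) return &cspace[i];
    return NULL;
}
/* cap_create(): fresh hypervisor-chosen name, held only by `caller` (the current
 * domain in a real hypercall, so it cannot be spoofed). */
uint64_t cap_create(int caller) {
    if (ncaps >= MAX_CAPS || caller < 0 || caller >= MAX_DOMS) return CAP_INVALID;
    uint64_t name;
    do { name = hv_random64(); } while (name == CAP_INVALID || lookup(name));
    cspace[ncaps++] = (struct cap_record){ name, 1u << caller };
    return name;
}
/* cap_check(): does `dom` hold `name`? Unknown or guessed names are denied. */
int cap_check(int dom, uint64_t name) {
    struct cap_record *r = lookup(name);
    if (!r || dom < 0 || dom >= MAX_DOMS) return CAP_DENIED;
    return ((r->holders >> dom) & 1u) ? CAP_OK : CAP_DENIED;
}
/* cap_grant(): `caller` lets `dom` exercise `name`. Assumed rule: only a current
 * holder may grant (the slides leave transitive grant rules as future work). */
int cap_grant(int caller, int dom, uint64_t name) {
    if (dom < 0 || dom >= MAX_DOMS || cap_check(caller, name) != CAP_OK) return CAP_DENIED;
    lookup(name)->holders |= 1u << dom;
    return CAP_OK;
}

/* Guest side: the hypervisor never learns what a name means; the service owning an
 * object keeps the resource -> capability binding (the get_cap_names role). */
#define MAX_BIND 16
struct binding { const char *resource; uint64_t cap; };
struct bind_table { struct binding e[MAX_BIND]; int n; };
static void bind_object(struct bind_table *t, const char *resource, int owner) {
    uint64_t c = (t->n < MAX_BIND) ? cap_create(owner) : CAP_INVALID;
    if (c != CAP_INVALID) t->e[t->n++] = (struct binding){ resource, c };
}
uint64_t resolve(const struct bind_table *t, const char *resource) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].resource, resource) == 0) return t->e[i].cap;
    return CAP_INVALID;
}
/* Grant each resource in a VM-config list (cap_hypercalls, cap_files) to `dom`. */
int grant_listed(const struct bind_table *t, int granter, int dom,
                 const char *const *list, int n) {
    int ok = 0;                 /* number of grants that succeeded */
    for (int i = 0; i < n; i++)
        if (cap_grant(granter, dom, resolve(t, list[i])) == CAP_OK) ok++;
    return ok;
}

/* Boot protocol: one capability per hypercall, granted to the first domain.
 * Assumption: four names stand in for Xen's real hypercall table. */
static struct bind_table hypercalls;
static const char *const hc_names[] = {"domctl", "memory_op", "event_channel_op", "grant_table_op"};
void xencap_boot(void) {
    ncaps = 0; hypercalls.n = 0;            /* nothing persists across a reboot */
    for (int i = 0; i < 4; i++) bind_object(&hypercalls, hc_names[i], DOM0);
}
/* Dispatch path: checked on every invocation, before the hypercall body runs. */
int do_hypercall(int dom, const char *hc) { return cap_check(dom, resolve(&hypercalls, hc)); }

/* NFS export: xl in dom0 mints a capability per exported file; the server's LSM hook
 * checks the client's domid. Assumption: the server gets the path -> name binding from xl. */
static struct bind_table exports;
void nfs_export(const char *path) { bind_object(&exports, path, DOM0); }
int nfs_read(int client_dom, const char *path) { return cap_check(client_dom, resolve(&exports, path)); }

/* Constructed client VM config: its cap_hypercalls and cap_files lists. */
static const char *const cfg_hypercalls[] = {"memory_op", "event_channel_op"};
static const char *const cfg_files[] = {"/ydev/foo.pdf"};
int main(void) {
    xencap_boot(); nfs_export("/ydev/foo.pdf"); nfs_export("/ydev/boo.pdf");
    grant_listed(&hypercalls, DOM0, CLIENT_DOM, cfg_hypercalls, 2);
    grant_listed(&exports, DOM0, CLIENT_DOM, cfg_files, 1);
    printf("domctl %d memory_op %d foo.pdf %d boo.pdf %d (0 = OK, -1 = denied)\n",
           do_hypercall(CLIENT_DOM, "domctl"), do_hypercall(CLIENT_DOM, "memory_op"),
           nfs_read(CLIENT_DOM, "/ydev/foo.pdf"), nfs_read(CLIENT_DOM, "/ydev/boo.pdf"));
    return 0;
}
```

Two properties from the slides are visible in the model: cap_check denies any name absent from CSpace, so a guest that guesses or forges a value gets nothing it was not granted, and xencap_boot discards the whole table, which is the "no persistent capabilities" rule. Revocation is absent here just as it is on the future-work slide; once a name is granted, the only way to take it back in this model is a reboot.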

Related work. SELinux, AppArmor, FLASK, Smack and Solaris Trusted Extensions are notable MAC frameworks. Capsicum adds capabilities to FreeBSD at the file-descriptor level. Qubes, Bromium and XenClient sandbox applications by running them in separate VMs. A number of research OSes, such as EROS and seL4, implement capabilities from scratch.

Conclusions. Xen-Cap is a stepping stone towards a full capability access-control model on popular hypervisors. Xen-Cap works with unmodified OSes because its capabilities are transparent to the guest. We were able to secure a number of critical services with Xen-Cap without a significant amount of code change. Xen-Cap is simple to use: just three hypercalls.

Future work
– The capability rules need more refinement: cap_revoke could not be implemented, and cap_grant needs more careful thought, as we do not address transitive grant rules yet
– CSpace needs a more efficient data structure
– Using a persistent store for capabilities is another area that needs thought
– Mechanisms to spawn light-weight VMs

Acknowledgements: Robert Ricci, Anton Burtsev, Mike Hibler, Eric Eide, and all the members of the Flux Research Group.

Thank you. Questions/Answers?

Backup slides

Isolation alone is not enough. Virtualization provides strong isolation, but isolation does not guarantee security: the isolated services still run with ambient authority. We need flexible, fine-grained access control; the goal is to minimize authority.

Flexible access control. Existing security models lack flexible, fine-grained access control, and dynamic privilege management is hard to get right. Capabilities have been shown to provide a flexible, fine-grained access control mechanism. Applications should have the privileges they need to perform their task, and no more.

Capabilities are well understood in the microkernel community. (Figure: an app holding a capability to Foo.PDF invokes it over IPC to the microkernel for a file read.) Object-oriented capability design in a microkernel: the capability references the object and authorizes the valid operations on it; the capability is the only way to access the object; the microkernel does the capability check.

Capabilities. A capability is a special token that uniquely identifies an object and allows certain operations on that object. seL4 and EROS implement the object-capability model from scratch. Hypervisors do not offer objects as the basic abstraction for resources.

Event channel communication. (Figure: the backend in Domain 0 and the frontend in a guest share a ring buffer. The frontend places a read request in the ring and notifies the backend over the event channel; the backend places the read reply in the ring and notifies the frontend the same way.)