Breaking Up is Hard to Do Security and Functionality in a Commodity Hypervisor 1 Patrick Colp†, Mihir Nanavati†, Jun Zhu‡ William Aiello†, George Coker*,

Slides:



Advertisements
Similar presentations
Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
Advertisements

1
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint
Processes and Operating Systems
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.
RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment ( )
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Create an Application Title 1A - Adult Chapter 3.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Year 6 mental test 5 second questions
Year 6 mental test 10 second questions
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.
REVIEW: Arthropod ID. 1. Name the subphylum. 2. Name the subphylum. 3. Name the order.
Break Time Remaining 10:00.
PP Test Review Sections 6-1 to 6-6
EU market situation for eggs and poultry Management Committee 20 October 2011.
Bright Futures Guidelines Priorities and Screening Tables
EIS Bridge Tool and Staging Tables September 1, 2009 Instructor: Way Poteat Slide: 1.
Bellwork Do the following problem on a ½ sheet of paper and turn in.
XML and Databases Exercise Session 3 (courtesy of Ghislain Fourny/ETH)
2 |SharePoint Saturday New York City
Operating Systems Operating Systems - Winter 2012 Dr. Melanie Rieback Design and Implementation.
Exarte Bezoek aan de Mediacampus Bachelor in de grafische en digitale media April 2014.
VOORBLAD.
Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)
Sample Service Screenshots Enterprise Cloud Service 11.3.
Copyright © 2012, Elsevier Inc. All rights Reserved. 1 Chapter 7 Modeling Structure with Blocks.
1 RA III - Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Buenos Aires, Argentina, 25 – 27 October 2006 Status of observing programmes in RA.
Factor P 16 8(8-5ab) 4(d² + 4) 3rs(2r – s) 15cd(1 + 2cd) 8(4a² + 3b²)
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
1..
CONTROL VISION Set-up. Step 1 Step 2 Step 3 Step 5 Step 4.
© 2012 National Heart Foundation of Australia. Slide 2.
Adding Up In Chunks.
Understanding Generalist Practice, 5e, Kirst-Ashman/Hull
Note to the teacher: Was 28. A. to B. you C. said D. on Note to the teacher: Make this slide correct answer be C and sound to be “said”. to said you on.
Model and Relationships 6 M 1 M M M M M M M M M M M M M M M M
25 seconds left…...
Subtraction: Adding UP
: 3 00.
1 hi at no doifpi me be go we of at be do go hi if me no of pi we Inorder Traversal Inorder traversal. n Visit the left subtree. n Visit the node. n Visit.
Analyzing Genes and Genomes
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Essential Cell Biology
Clock will move after 1 minute
Intracellular Compartments and Transport
PSSA Preparation.
Essential Cell Biology
Immunobiology: The Immune System in Health & Disease Sixth Edition
Physics for Scientists & Engineers, 3rd Edition
1 Chapter 13 Nuclear Magnetic Resonance Spectroscopy.
Energy Generation in Mitochondria and Chlorplasts
Select a time to count down from the clock above
Murach’s OS/390 and z/OS JCLChapter 16, Slide 1 © 2002, Mike Murach & Associates, Inc.
Bart Miller – October 22 nd,  TCB & Threat Model  Xen Platform  Xoar Architecture Overview  Xoar Components  Design Goals  Results  Security.
Breaking Up is Hard to Do
Presentation transcript:

Breaking Up is Hard to Do Security and Functionality in a Commodity Hypervisor 1 Patrick Colp†, Mihir Nanavati†, Jun Zhu‡ William Aiello†, George Coker*, Tim Deegan‡, Peter Loscocco*, Andrew Warfield† † Department of Computer Science, University of British Columbia ‡ Citrix Systems R&D * National Security Agency

2

Companies in the Cloud (all these run in EC2 or Rackspace) 3

Hypervisors are Secure 4 Hypervisor Small codebase x86 Narrow interface x86 Xen: 280 KLOC (based on the current version) Nova: 9 KLOC (microvisor) + 20 KLOC (VMM) [EuroSys’10] SecVisor: 2 KLOC [SOSP’07]Flicker: 250 LOC [EuroSys’08]

CERT Vulnerabilities 38 Xen CERT vulnerabilities 23 originate in guest VMs 2 are against the hypervisor What the heck are the other 90%? 5

6 Hypervisor Control VM (Dom0) User A’s VM User B’s VM Platform IPC Management Device Drivers Device Emulation Manage devices Create and destroy VMs Arbitrarily access memory Manage devices Create and destroy VMs Arbitrarily access memory “We are the 90%”

7 Constraint:Don’t reduce functionality, performance, or maintainability of the system Isolate services into least-privileged service VMs Make sharing between components explicit Exposure to Risk Contain scope of exploits in both space and time

SPACE 8

9 Hypervisor Control VM User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation Space

Isolation 10 Control VM Platform Device Drivers Management IPC Device Emulation Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock Builder Tools XenStore Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator

11 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation

Configurable Sharing 12 User B’s Tools User A’s Tools User B’s Block User B’s Network User A’s Block User A’s Network User B’s VM User A’s VM

Configurable Sharing 13 Tools Block Network User A’s VM User B’s VM

Configurable Sharing 14 User B’s Tools User A’s Tools User B’s Block User B’s Network User A’s Block User A’s Network User B’s VM User A’s VM

15 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing

Auditing 16 Create NetworkBlock Which VMs were relying on the Block component while it was compromise? VM B and VM C User A’s VM User B’s VM User C’s VM Network Block

17 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing

TIME 18

19 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Containment Configurable Sharing Auditing Time

Disposable 20 Hypervisor System Boot PCI Config Services

21 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable

Snapshots 22 VM 4-25 ms

23 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable Timed Restarts

Stateless VMs 24 Builder User A’s VM User B’s VM Newly Created VM Snapshot Image Copy-on- Write rollback boot and initialization process request

25 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable Timed Restarts Stateless

SPACE + TIME 26

27 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable Timed Restarts Stateless Space + Time

Composition 28 User A’s VM User B’s VM XenStore I’ve enabled the network driver to map page 0xDEADBEEF OK B: Network can map 0xDEADBEEF I’ve enabled 0xPWND

Composition 29 User A’s VM User B’s VM XenStore-State XenStore-Logic I’ve enabled the network driver to map page 0xDEADBEEF OK B: Network can map 0xDEADBEEF I’ve enabled 0xPWNDA: Please shut me down

Composition 30 User A’s VM User B’s VM XenStore-State XenStore-Logic I’ve enabled the network driver to map page 0xDEADBEEF OK B: Network can map 0xDEADBEEF I’ve enabled 0xPWNDA: Please shut me down Monitor B Newly Created VM Snapshot Image Copy-on- Write rollback boot and initialization process request limit access

31 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable Timed Restarts Stateless Space + Time Composition

EVALUATION 32

Evaluation What do privileges look like now? What is the impact on the security of the system? What are the overheads? What impact does isolation have on performance? What impact do restarts have on performance? 33

Privileges 34 Privilege System Boot PCI Config BuilderToolsBlockNetworkXenStore Arbitrarily Access Memory XXXXXXX Access and Virtualize PCI devices XXXXXXX Create VMsXXXXXXX Manage VMsXXXXXXX Manage Assigned Devices XXXXXXX Privilege System Boot PCI Config BuilderToolsBlockNetworkXenStore Arbitrarily Access Memory XX Access and Virtualize PCI devices X Create VMsXX Manage VMsXXX Manage Assigned Devices XX Privilege System Boot PCI Config BuilderToolsBlockNetworkXenStore Access and Virtualize PCI devices X Create VMsXX Manage VMsXXX Manage Assigned Devices XX

Security Of the 21 vulnerabilities against the control plane, we contain all 21 TCB is reduced from the control VM’s 7.5 million lines of code (Linux) to Builder’s 13,500 (on top of Xen) 35

Memory Overhead 36 ComponentMemory System Boot128MB PCI Config128MB XenStore-Logic32MB XenStore-State32MB Block128MB Network128MB Builder64MB Tools128MB Total512MB

Isolation Performance Postmark performancewget performance 37

Restart Performance Kernel build performance 38

CONCLUSION 39

Summing it All Up Components of control VM a major source of risk Xoar isolates components in space and time – Contains exploits – Provides explicit exposure to risk Functionality, performance, and maintainability are not impacted 40

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.