

© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Virtualisation – Security’s Friend or Foe?

“Virtualisation is set to consign traditional hardware appliances to the dustbin of computing history” Roger Howorth, IT Week

Virtualization Requirements
- Scheduler
- Memory Management
- VM State Machine
- Virtualized Devices
- Storage Stack
- Network Stack
- Binary Translators (optional)
- Drivers
- Management API

Old: Virtual Server Architecture
[Diagram. Columns: Host, Guests. Levels: Ring 3: User mode; Ring 1: Guest kernel mode; Ring 0: Kernel mode. Labels: IIS, Virtual Server WebApp, Virtual Server Service, Guest Applications, Windows Server 2003/Windows XP, Kernel, Device Driver, VMM Kernel, Windows (NT4, 2000, 2003), VM additions, Server Hardware. Legend "Provided by": Windows, ISV, Virtual Server.]

New: Hyper-V Architecture
[Diagram. Columns: Parent Partition, Child Partition. Levels: Ring 3: User mode; Ring 0: Kernel mode; Ring “-1”. Labels: Virtualisation Stack, VM Service, WMI Provider, VM Worker Processes, Guest Applications, Server Core, Windows Kernel, Virtualization Service Providers (VSPs), Device Driver, Virtualization Service Clients (VSCs), OS Kernel, Enlightenments, VMBus, Windows hypervisor, Server Hardware. Legend "Provided by": Rest of Windows, ISV, Hyper-V.]

New: Hyper-V Architecture
[Diagram: the same Hyper-V architecture diagram as on the previous slide, with the label "Hackers" added.]

Why not get rid of the parent?
- No defence in depth
- Entire hypervisor running in the most privileged mode of the system
[Diagram. Levels: Ring 3 (User Mode), Ring 0 (Kernel Mode), Ring “-1”. Labels: Virtual Machine, Scheduler, Memory Management, Storage Stack, Network Stack, VM State Machine, Virtualized Devices, Binary Translators, Drivers, Management API, Hardware.]

Micro-kernelized Hypervisor
- Defence in depth
- Using hardware to protect
- Hyper-V doesn’t use binary translation
- Further reduces the attack surface
[Diagram. Levels: Ring 3 (User Mode), Ring 0 (Kernel Mode), Ring -1. Labels: Virtual Machine, Parent Partition, VM State Machine, Virtualized Devices, Management API, Storage Stack, Network Stack, Drivers, Scheduler, Memory Management, Hardware.]

Security Assumptions
- Guests are untrusted
- Trust relationships
  - Parent must be trusted by hypervisor
  - Parent must be trusted by children
- Code in guests can run in all available processor modes, rings, and segments
- Hypercall interface will be well documented and widely available to attackers
- All hypercalls can be attempted by guests
- Can detect you are running on a hypervisor
  - We’ll even give you the version
- The internal design of the hypervisor will be well understood
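The assumption above that a guest can detect the hypervisor and read its version, as an added example that is not part of the original slides: on x86 a guest gets this from CPUID, which is useful for checking from inside a VM which hypervisor build a host runs. The leaf numbers and field layout follow Microsoft's published hypervisor interface rather than this deck, and the function names are hypothetical.

```c
/* Added example, not from the slides. CPUID leaf numbers and field layout
 * follow Microsoft's published hypervisor interface; names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct hv_version { uint32_t build; uint16_t major; uint16_t minor; };

/* CPUID leaf 1: ECX bit 31 is set when running under a hypervisor. */
int hv_present(uint32_t leaf1_ecx) { return (int)((leaf1_ecx >> 31) & 1u); }

/* Leaf 0x40000000: EBX, ECX, EDX carry a 12-byte ASCII vendor signature,
 * least significant byte first. out must hold 13 bytes. */
void hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char *out) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xFFu);
    out[12] = '\0';
}

/* Leaf 0x40000002: EAX = build number, EBX = major (high 16), minor (low 16). */
struct hv_version hv_decode_version(uint32_t eax, uint32_t ebx) {
    struct hv_version v = { eax, (uint16_t)(ebx >> 16), (uint16_t)(ebx & 0xFFFFu) };
    return v;
}

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    char vendor[13];
    __cpuid(1, a, b, c, d);
    if (!hv_present(c)) { puts("no hypervisor reported"); return 0; }
    __cpuid(0x40000000, a, b, c, d);
    hv_vendor(b, c, d, vendor);
    printf("hypervisor vendor: %s\n", vendor);
    /* a = highest hypervisor leaf; read the version leaf only if it exists. */
    if (strcmp(vendor, "Microsoft Hv") == 0 && a >= 0x40000002u) {
        __cpuid(0x40000002, a, b, c, d);
        struct hv_version v = hv_decode_version(a, b);
        printf("Hyper-V %u.%u build %u\n", (unsigned)v.major,
               (unsigned)v.minor, (unsigned)v.build);
    }
#else
    puts("CPUID is x86-only");
#endif
    return 0;
}
```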

Security Goals
- Strong isolation between partitions
- Protect confidentiality and integrity of guest data
- Separation
  - Unique hypervisor resource pools per guest
  - Separate worker processes per guest
  - Guest-to-parent communications over unique channels
- Non-interference
  - Guests cannot affect the contents of other guests, parent, hypervisor
  - Guest computations protected from other guests
  - Guest-to-guest communications not allowed through VM interfaces

Isolation
- No sharing of virtualized devices
- Separate VMBus per VM to the parent
- No sharing of memory
  - Each has its own address space
- VMs cannot communicate with each other, except through traditional networking
- Guests can’t perform DMA attacks because they’re never mapped to physical devices
- Guests cannot write to the hypervisor
- Parent partition cannot write to the hypervisor

Hyper-V Security Hardening
- Hypervisor has separate address space
  - Guest addresses != Hypervisor addresses
- No 3rd party code in the Hypervisor
- Limited number of channels from guests to hypervisor
  - No “IOCTL”-like things
- Guest to guest communication through hypervisor is prohibited
- No shared memory mapped between guests
- Guests never touch real hardware I/O

Hyper-V & Secure Development Lifecycle
- Hypervisor built with
  - Stack guard cookies (/GS)
  - Address Space Layout Randomization (ASLR)
  - Hardware Data Execution Prevention
    - No Execute (NX) AMD
    - Execute Disable (XD) Intel
  - Code pages marked read only
  - Memory guard pages
- Hypervisor binary is signed
- Hypervisor and Parent going through SDL
  - Threat modeling
  - Static Analysis
  - Fuzz testing & Penetration testing

Hyper-V Security Model
- Uses Authorization Manager
  - Fine grained authorization and access control
  - Department and role based
- Segregate who can manage groups of VMs
- Define specific functions for individuals or roles
  - Start, stop, create, add hardware, change drive image
- VM administrators don’t have to be Server 2008 administrators
- Guest resources are controlled by per VM configuration files
- Shared resources are protected
  - Read-only (CD ISO file)
  - Copy on write (differencing disks)

Windows Server Core
- Windows Server frequently deployed for a single role
  - Must deploy and service the entire OS in earlier Windows Server releases
- Server Core a new minimal installation option
  - Provides essential server functionality
  - Command Line Interface only, no GUI Shell
- Benefits
  - Fundamentally improves availability
  - Less code results in fewer patches and reduced servicing burden
  - Low surface area server for targeted roles
- More secure and reliable with less management

Windows Server Core

What tools can help secure the Environment?
- IPSec for host authentication
- Use the principle of least privilege
- Only install software you have a reason to trust
- Ensure policy compliance – Network Access Protection can be a huge help
- Keep things as simple as possible
- Add functionality as high up the stack as possible

How to proceed?
- Virtualisation is not a silver bullet for security problems
- Nor is it a nightmare
- It just changes the threat landscape
- Carefully consider the impact on trust boundaries and the knock-on effect of compromised security at layers underneath the applications – the deeper down the stack, the worse the impact

What is Microsoft Forefront?
Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis.
[Diagram labels: Edge; Client and Server OS; Server Applications.]

[Diagram: Microsoft System Centre. Labels: IT Service Management; Data Protection Manager; ‘Service Desk’; Capacity Planner; Reporting Manager; Operations Manager; Client Data Storage & Recovery; Problem Management; Capacity Management; IT Reporting; Client Operations Management; Configuration Manager; Operations Manager; Performance & Availability Monitoring; Software Update & Deployment; Enabler for Microsoft’s Best Practices; Microsoft Operations Framework; Infrastructure Optimization.]

Next steps
- Receive the latest Security news, sign-up for the:
  - Microsoft Security Newsletter
  - Microsoft Security Notification Service
- Assess your current IT security environment
  - Download the free Microsoft Security Assessment Tool
- Find all your security resources here

Session Evaluation
- Hand in your session evaluation on your way out
  - Win one of 2 Xbox 360® Elites in our free prize draw*
  - Winners will be drawn at 3.30 today
- Collect your goody bag, which includes:
  - Windows Vista Business (Upgrade), Forefront Trials, Forefront Hands-On Labs
  - Security Resources CD
- I’ll be at the back of the room if you have any questions
* Terms and conditions apply, alternative free entry route available.