Presentation is loading. Please wait.

Presentation is loading. Please wait.

Breaking Up is Hard to Do Security and Functionality in a Commodity Hypervisor 1 Patrick Colp†, Mihir Nanavati†, Jun Zhu‡ William Aiello†, George Coker*,

Published byNaomi Whaley Modified over 10 years ago

Similar presentations

Presentation on theme: "Breaking Up is Hard to Do Security and Functionality in a Commodity Hypervisor 1 Patrick Colp†, Mihir Nanavati†, Jun Zhu‡ William Aiello†, George Coker*,"— Presentation transcript:

1 Breaking Up is Hard to Do Security and Functionality in a Commodity Hypervisor 1 Patrick Colp†, Mihir Nanavati†, Jun Zhu‡ William Aiello†, George Coker*, Tim Deegan‡, Peter Loscocco*, Andrew Warfield† † Department of Computer Science, University of British Columbia ‡ Citrix Systems R&D * National Security Agency

2 2

3 Companies in the Cloud (all these run in EC2 or Rackspace) 3

4 Hypervisors are Secure 4 Hypervisor Small codebase x86 Narrow interface x86 Xen: 280 KLOC (based on the current version) Nova: 9 KLOC (microvisor) + 20 KLOC (VMM) [EuroSys’10] SecVisor: 2 KLOC [SOSP’07]Flicker: 250 LOC [EuroSys’08]

5 CERT Vulnerabilities 38 Xen CERT vulnerabilities 23 originate in guest VMs 2 are against the hypervisor What the heck are the other 90%? 5

6 6 Hypervisor Control VM (Dom0) User A’s VM User B’s VM Platform IPC Management Device Drivers Device Emulation Manage devices Create and destroy VMs Arbitrarily access memory Manage devices Create and destroy VMs Arbitrarily access memory “We are the 90%”

7 7 Constraint:Don’t reduce functionality, performance, or maintainability of the system Isolate services into least-privileged service VMs Make sharing between components explicit Exposure to Risk Contain scope of exploits in both space and time

8 SPACE 8

9 9 Hypervisor Control VM User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation Space

10 Isolation 10 Control VM Platform Device Drivers Management IPC Device Emulation Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock Builder Tools XenStore Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator

11 11 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation

12 Configurable Sharing 12 User B’s Tools User A’s Tools User B’s Block User B’s Network User A’s Block User A’s Network User B’s VM User A’s VM

13 Configurable Sharing 13 Tools Block Network User A’s VM User B’s VM

14 Configurable Sharing 14 User B’s Tools User A’s Tools User B’s Block User B’s Network User A’s Block User A’s Network User B’s VM User A’s VM

15 15 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing

16 Auditing 16 Create NetworkBlock Which VMs were relying on the Block component while it was compromise? VM B and VM C User A’s VM User B’s VM User C’s VM Network Block

17 17 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing

18 TIME 18

19 19 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Containment Configurable Sharing Auditing Time

20 Disposable 20 Hypervisor System Boot PCI Config Services

21 21 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable

22 Snapshots 22 VM 4-25 ms

23 23 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable Timed Restarts

24 Stateless VMs 24 Builder User A’s VM User B’s VM Newly Created VM Snapshot Image Copy-on- Write rollback boot and initialization process request

25 25 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable Timed Restarts Stateless

26 SPACE + TIME 26

27 27 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable Timed Restarts Stateless Space + Time

28 Composition 28 User A’s VM User B’s VM XenStore I’ve enabled the network driver to map page 0xDEADBEEF OK B: Network can map 0xDEADBEEF I’ve enabled 0xPWND

29 Composition 29 User A’s VM User B’s VM XenStore-State XenStore-Logic I’ve enabled the network driver to map page 0xDEADBEEF OK B: Network can map 0xDEADBEEF I’ve enabled 0xPWNDA: Please shut me down

30 Composition 30 User A’s VM User B’s VM XenStore-State XenStore-Logic I’ve enabled the network driver to map page 0xDEADBEEF OK B: Network can map 0xDEADBEEF I’ve enabled 0xPWNDA: Please shut me down Monitor B Newly Created VM Snapshot Image Copy-on- Write rollback boot and initialization process request limit access

31 31 Hypervisor User A’s VM User B’s VM Platform Device Drivers Management IPC Device Emulation System Boot PCI Config NetworkBlock BuilderTools XenStore Emulator Space Isolation Configurable Sharing Auditing Time Disposable Timed Restarts Stateless Space + Time Composition

32 EVALUATION 32

33 Evaluation What do privileges look like now? What is the impact on the security of the system? What are the overheads? What impact does isolation have on performance? What impact do restarts have on performance? 33

34 Privileges 34 Privilege System Boot PCI Config BuilderToolsBlockNetworkXenStore Arbitrarily Access Memory XXXXXXX Access and Virtualize PCI devices XXXXXXX Create VMsXXXXXXX Manage VMsXXXXXXX Manage Assigned Devices XXXXXXX Privilege System Boot PCI Config BuilderToolsBlockNetworkXenStore Arbitrarily Access Memory XX Access and Virtualize PCI devices X Create VMsXX Manage VMsXXX Manage Assigned Devices XX Privilege System Boot PCI Config BuilderToolsBlockNetworkXenStore Access and Virtualize PCI devices X Create VMsXX Manage VMsXXX Manage Assigned Devices XX

35 Security Of the 21 vulnerabilities against the control plane, we contain all 21 TCB is reduced from the control VM’s 7.5 million lines of code (Linux) to Builder’s 13,500 (on top of Xen) 35

36 Memory Overhead 36 ComponentMemory System Boot128MB PCI Config128MB XenStore-Logic32MB XenStore-State32MB Block128MB Network128MB Builder64MB Tools128MB Total512MB

37 Isolation Performance Postmark performancewget performance 37

38 Restart Performance Kernel build performance 38

39 CONCLUSION 39

40 Summing it All Up Components of control VM a major source of risk Xoar isolates components in space and time – Contains exploits – Provides explicit exposure to risk Functionality, performance, and maintainability are not impacted 40

Download ppt "Breaking Up is Hard to Do Security and Functionality in a Commodity Hypervisor 1 Patrick Colp†, Mihir Nanavati†, Jun Zhu‡ William Aiello†, George Coker*,"

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
1

1
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Processes and Operating Systems

Processes and Operating Systems
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
RXQ.11.4.1 Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment (11.3.2.1)

RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment ( )
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Create an Application Title 1A - Adult Chapter 3.

Create an Application Title 1A - Adult Chapter 3.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.

Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Year 6 mental test 5 second questions

Year 6 mental test 5 second questions

Similar presentations

Ads by Google