Secure Out-of-band Remote Management Using Encrypted Virtual Serial Consoles in IaaS Clouds
Kenichi Kourai, Tatsuya Kajiwara
Kyushu Institute of Technology

IaaS Clouds
Provide users with virtual machines (VMs)
Users manage their systems through SSH
In-band remote management is usually used
  A user connects an SSH client to an SSH server running in his VM
  Not usable when a user fails to configure the network
[Figure: SSH client, cloud firewall, SSH server, user VM]

Virtual Serial Console (VSC)
IaaS provides out-of-band remote management
  An SSH server runs in the management VM
  Access a user VM via a VSC
A VSC consists of a virtual serial device and a serial driver
A user can access his VM without relying on the VM's network
[Figure: SSH client, firewall, SSH server and virtual serial device (management VM), serial driver (user VM), VSC]

Untrusted Admins in IaaS
The management VM is not always trustworthy
  Honest-but-curious admins take information that they can easily look at
  Malicious admins act as inside attackers
  Skill-less admins cause a vulnerable management VM to be penetrated by outside attackers
[Figure: untrusted admins, outside attackers, management VM, user VM]

Attacks against Remote Management
Attackers can eavesdrop on inputs and outputs of out-of-band remote management
  By modifying an SSH server in the management VM
Attack examples
  Extract passwords from inputs to login prompts
  Steal displayed secrets
[Figure: SSH client, SSH server and virtual serial device (management VM), serial driver (user VM)]

SCCrypt
Provide an encrypted VSC to prevent information leakage
Receive encrypted inputs from the management VM
  Decrypt and send them to a user VM
Receive unencrypted outputs from a user VM
  Encrypt and send them to the management VM
[Figure: SSH client, SSH server and virtual serial device (management VM), serial driver (user VM), encrypted VSC with decrypt/encrypt, encrypted inputs/outputs]

Where to Encrypt/Decrypt?
Virtual serial device in the management VM?
  The entire management VM is untrusted
  Attackers can tamper with the virtual device
Serial driver in a user VM?
  Modifying the existing device driver is not desirable
  Users cannot use favorite OSes
[Figure: "en-/de-crypt?" at the virtual serial device (management VM) and at the serial driver (user VM)]

Leveraging the Trusted VMM
SCCrypt encrypts/decrypts data in the virtual machine monitor (VMM)
The integrity of the VMM can be guaranteed
  At boot time: remote attestation with TPM
  At runtime: HyperGuard [Rutkowska+ '08], HyperCheck [Wang+ '10], and HyperSentry [Azab+ '10] with SMM
[Figure: virtual serial device (management VM), serial driver (user VM), VMM with SCCrypt, encrypted VSC, trusted authority]

How to Identify Inputs/Outputs?
The traditional VMM does not recognize a virtual serial device or a serial driver
  Cannot rely on information from the untrusted device in the management VM
  Cannot obtain information from the unmodified driver in a user VM
[Figure: untrusted virtual serial device (management VM), unmodified serial driver (user VM), VMM with SCCrypt, "?"]

Tracking Device States
The VMM identifies inputs/outputs without the cooperation of the device or the driver
Track the state of a virtual serial device
  From the interactions between the device and the driver
Extract only inputs/outputs
  Based on the knowledge of the standard of serial devices
[Figure: virtual serial device (management VM), serial driver (user VM), VMM with SCCrypt]

Implementation
We have implemented SCCrypt in Xen 4.1.3 and the OpenSSH 6.0p1 client
Support HVM guests
  Emulate hardware as is
Support PV guests (see the paper)
  Define interfaces suited for virtualization

Output Delivery
A serial driver writes data using OUT instruction
The VMM traps this instruction using Intel VT-x
It encrypts the written data using RC4
  Only if the specified I/O port address is 3F8
  A session key is exchanged for each connection
[Figure: serial driver (user VM) issues OUT, VMM traps and encrypts, virtual serial device and SSH server (management VM), SSH client]

State Tracking
The VMM encrypts the written data if
  The FIFO buffers are enabled
  Neither in the divisor latch access nor loopback mode
    Divisor latch access mode: set a baud rate
    Loopback mode: test a device
It watches all the writes to recognize the context
[Figure: device states: FIFO disabled, divisor latch access mode, loopback mode, FIFO enabled]
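
The state tracking on this slide, sketched as an added C example (not code from SCCrypt or Xen). The register offsets and bit masks are those of a standard 16550-compatible UART at base 3F8; vsc_state, vsc_track_out and the replayed write sequence are hypothetical names and constructed data.

```c
#include <stdint.h>

#define COM1_BASE       0x3F8u /* data port named on the slide */
#define REG_FCR         2u     /* FIFO control register (write side) */
#define REG_LCR         3u     /* line control register */
#define REG_MCR         4u     /* modem control register */
#define FCR_FIFO_ENABLE 0x01u
#define LCR_DLAB        0x80u  /* divisor latch access bit */
#define MCR_LOOPBACK    0x10u

struct vsc_state { int fifo, dlab, loopback; }; /* hypothetical per-VSC context */

/* Called for every trapped OUT: updates the tracked context and returns 1
 * when the byte is console output that should be encrypted. */
int vsc_track_out(struct vsc_state *s, uint16_t port, uint8_t val) {
    if (port < COM1_BASE || port > COM1_BASE + 7u) return 0;
    switch (port - COM1_BASE) {
    case REG_FCR: s->fifo = (val & FCR_FIFO_ENABLE) != 0; return 0;
    case REG_LCR: s->dlab = (val & LCR_DLAB) != 0; return 0;
    case REG_MCR: s->loopback = (val & MCR_LOOPBACK) != 0; return 0;
    case 0: /* with DLAB set this offset is the divisor low byte, not data */
        return s->fifo && !s->dlab && !s->loopback;
    default: return 0;
    }
}

/* Replays a constructed driver write sequence; bit n of the result is set
 * when write n was classified as console data. */
unsigned vsc_demo(void) {
    static const struct { uint16_t port; uint8_t val; } w[] = {
        {0x3FB, 0x80}, /* 0: LCR, enter divisor latch access mode */
        {0x3F8, 0x01}, /* 1: divisor low byte, not data */
        {0x3F9, 0x00}, /* 2: divisor high byte */
        {0x3FB, 0x03}, /* 3: LCR, 8N1 with DLAB cleared */
        {0x3F8, 'x'},  /* 4: FIFO still disabled, not encrypted */
        {0x3FA, 0x07}, /* 5: FCR, enable and clear the FIFOs */
        {0x3F8, 'A'},  /* 6: console output, encrypt */
        {0x3FC, 0x10}, /* 7: MCR, enter loopback mode */
        {0x3F8, 'T'},  /* 8: loopback test byte, not encrypted */
    };
    struct vsc_state s = {0, 0, 0};
    unsigned mask = 0;
    for (unsigned n = 0; n < sizeof w / sizeof w[0]; n++)
        if (vsc_track_out(&s, w[n].port, w[n].val)) mask |= 1u << n;
    return mask;
}

int main(void) { return vsc_demo() == 0x40u ? 0 : 1; }
```

Only write 6 is classified as data: the same 3F8 port carries the baud divisor, pre-FIFO bytes and loopback test bytes in the other cases.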

Input Delivery
A serial driver reads data using IN instruction
The VMM traps this instruction
  Receive input data from a virtual serial device
It decrypts input data using RC4
  If the same conditions as in output delivery are satisfied
[Figure: SSH client, SSH server and virtual serial device (management VM), VMM traps IN and decrypts, serial driver (user VM)]

Pending Outputs at Reconnection
An SSH client cannot decrypt pending outputs correctly at reconnection
Console outputs are stored in a virtual serial device
  While an SSH client is not connected
Pending outputs are sent to the client at reconnection
  Encrypted with an old session key
[Figure: virtual serial device in the management VM holds pending data encrypted with an old session key; SSH server; SSH client with new session key; "?"]

Re-encryption of Outputs
The VMM re-encrypts pending outputs
Restore unencrypted data with an old session key
  Cannot 'decrypt' it
  Reverse the encryption process in RC4
Encrypt the data with a new session key
[Figure: VMM re-encrypts pending data from the virtual serial device (management VM) using old/new session keys; SSH server; SSH client]
[Figure: decrypt: !#$ -> A#$ -> AB$ -> ABC; reverse: !#$ -> !#C -> !BC -> ABC]
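
The "reverse" path in the figure, as an added C example that is not the authors' implementation: each RC4 step is undone from the current cipher state, so the keystream for the pending bytes is recovered last byte first, and the data is then encrypted under the new key. The keys, buffer contents and function names are constructed for illustration.

```c
#include <stdint.h>

struct rc4 { uint8_t S[256], i, j; };
static void swap8(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }
void rc4_init(struct rc4 *c, const uint8_t *key, unsigned len) {
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) c->S[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + c->S[n] + key[n % len]);
        swap8(&c->S[n], &c->S[j]);
    }
    c->i = c->j = 0;
}

/* Forward step: advance the state and return the next keystream byte. */
uint8_t rc4_next(struct rc4 *c) {
    c->i++;
    c->j = (uint8_t)(c->j + c->S[c->i]);
    swap8(&c->S[c->i], &c->S[c->j]);
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* Backward step: return the latest keystream byte and undo that step. */
uint8_t rc4_prev(struct rc4 *c) {
    uint8_t k = c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
    swap8(&c->S[c->i], &c->S[c->j]);
    c->j = (uint8_t)(c->j - c->S[c->i]);
    c->i--;
    return k;
}

/* Strip the old keystream last byte first, then apply the new keystream. */
void reencrypt_pending(struct rc4 *old, struct rc4 *fresh, uint8_t *buf, unsigned n) {
    for (unsigned p = n; p-- > 0; ) buf[p] ^= rc4_prev(old);
    for (unsigned p = 0; p < n; p++) buf[p] ^= rc4_next(fresh);
}

/* Constructed data: "hello" delivered, "ABC" pending; 1 if the client reads "ABC". */
int reencrypt_demo(void) {
    struct rc4 old, fresh, client;
    uint8_t out[] = "helloABC";
    rc4_init(&old, (const uint8_t *)"old-key", 7);
    rc4_init(&fresh, (const uint8_t *)"new-key", 7);
    client = fresh;               /* reconnecting client holds the same new key */
    for (int p = 0; p < 8; p++) out[p] ^= rc4_next(&old);
    reencrypt_pending(&old, &fresh, out + 5, 3);
    for (int p = 5; p < 8; p++) out[p] ^= rc4_next(&client);
    return out[5] == 'A' && out[6] == 'B' && out[7] == 'C';
}
int main(void) { return reencrypt_demo() ? 0 : 1; }
```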

Experiments
We confirmed the effectiveness of SCCrypt
  Response time in an SSH client
  Throughput of console outputs
  CPU utilization
We compared results between SCCrypt and vanilla Xen
Client: CPU: Intel Xeon E5630, Mem: 6 GB, Net: Gigabit Ethernet, OS: Linux 3.2.0, SSH: OpenSSH 6.0p1
Server: CPU: Intel Core i7 870, Mem: 4 GB, Net: Gigabit Ethernet, VMM: Xen 4.1.3
User VM: vCPU: 8, Mem: 1 GB, OS: Linux 3.2.0
Management VM: vCPU: 8, Mem: 3 GB, OS: Linux 3.2.0, SSH: OpenSSH 5.9p1

Response Time (Input)
We measured the response time of inputs
  An SSH client sent an input to an SSH server
  It received an output caused by its remote echo
Result
  2.9% shorter in SCCrypt
  The reason was unclear
[Figure: bar chart of response time (ms), vanilla Xen vs. SCCrypt]

Throughput (Output)
We measured the throughput of outputs
  We wrote large text to a VSC in a user VM
Result
  5.6% higher in SCCrypt
  The reason was unclear
[Figure: bar chart of throughput (cps), vanilla Xen vs. SCCrypt]

CPU Utilization (Input)
We measured the CPU utilization under the keyboard auto-repeat at a client
  Management VM: 0.8% point lower in SCCrypt
  User VM: almost the same
[Figure: bar charts of CPU utilization (%), vanilla Xen vs. SCCrypt, for the management VM and the user VM]

Related Work
FBCrypt [Egawa et al.'12]
  Encrypt keyboard/mouse inputs and video outputs in out-of-band remote management using VNC
  Strongly depend on VNC
Xoar [Colp et al.'11]
  Run a virtual serial device in trusted Console VM
  Console VM can be compromised via an SSH server
VMware vSphere
  Run virtual devices and a VNC server in the VMM
  The VMM can be compromised via the VNC server

Conclusion
SCCrypt for enabling secure out-of-band remote management in untrusted IaaS clouds
  Provide encrypted VSCs
  Inputs/outputs are securely decrypted/encrypted in the trusted VMM
Future work
  Apply SCCrypt to other remote management systems using VSCs
  E.g., web-based Ajaxterm