securing your cloud with xen - susecon 2013
TRANSCRIPT
![Page 1: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/1.jpg)
Securing Your Xen Virtualization Environment
Russell PavlicekXen Project Evangelist
Citrix Systems
![Page 2: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/2.jpg)
2
Who is the Old, Fat Geek Up Front?
• Xen project Evangelist
• Employed by Citrix, focused entirely on Xen project
• History with open source begins in 1995
• Former columnist for Infoworld, Processor magazines
• Former panelist on The Linux Show, repeat guest on The Linux Link Tech Show
• Over 150 pieces published, one book on open source, plus blogs
![Page 3: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/3.jpg)
3
Presentation Goals
• Introduce the subject of security in the Cloud
• Introduce you to the Xen Project Security Tools
• Discuss some key Xen security features
• Get you started in the right direction toward securing your Xen installation
![Page 4: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/4.jpg)
4
Presentation Outline
• A few thoughts on the problem of securing the Cloud
• Overview of the Xen architecture
• Brief introduction to the principles of security analysis
• Examine some of the attack surfaces and the Xen features we can use to mitigate them:‒ Driver Domains
‒ PVgrub
‒ Stub Domains
‒ Paravirtualization (PV) versus Hardware Virtualization (HVM)
‒ FLASK example policy
![Page 5: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/5.jpg)
Introduction: Xen Project, The Cloud,and Security
![Page 6: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/6.jpg)
6
Introduction: Xen Project and Security
• Xen project produces an enterprise-grade Type 1 hypervisor
• Built for the cloud before it was called cloud
• A number of advanced security features‒ Driver domains, stub domains, FLASK, and more
‒ Most of them are not (or cannot) be turned on by default
‒ Although they can be simple to use, sometimes they appear complicated
![Page 7: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/7.jpg)
7
The Cloud Security Conundrum
• Cloud Security: The 800lb Gorilla in the room‒ Nothing generates more fear in specific, and FUD in general
‒ Probably the single greatest barrier to Cloud adoption
‒ Immediately behind it is the inability to get out of the 20th century IT mindset
‒ Must get past the “Change is Bad” concept of 1980
‒ Cloud is about embracing change at a rapid pace
‒ The good news: the “Gorilla” is actually a “Red Herring”
‒ We don't need to fear it – we just need to solve it
![Page 8: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/8.jpg)
8
Cloud Security: New Visibility to an Old Problem
• Security has always been an IT issue
• Putting a truly secure system in the open does not reduce its security, it just increases the frequency of attack
• Unfortunately, system security behind the firewall has not always been comprehensive
• Having solutions in an external cloud forces us to solve the security issues we should have already solved
News Flash: Security Through Obscurity is Dead
![Page 9: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/9.jpg)
9
Use Security by Design, Not by Wishful Thinking
• Security by wishful thinking no longer works‒ Merely hoping that your firewall holds off the marauding
hordes is NOT good enough
‒ Addressing security in one area while ignoring others is NOT good enough
‒ Saying, “We never had a problem before” is NOT good enough
• Comprehensive security starts with design‒ It needs to be planned carefully and thought through
‒ It needs to be implemented at multiple levels
‒ It needs components which are themselves securable
![Page 10: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/10.jpg)
10
Xen Project: Security by Design
• Xen Project was designed for clouds before the term “cloud” was ever coined in the industry‒ Designers foresaw the day of “infrastructure for wide-area
distributed computing” which we now call “the cloud”
‒ http://www.cl.cam.ac.uk/research//srg/netos/xeno/publications.html
• Xen is designed to thwart attacks from many attack vectors, using different defensive techniques
![Page 11: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/11.jpg)
Basic Architecture of the Xen Hypervisor
![Page 12: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/12.jpg)
12
Hypervisor Architectures
Type 1: Bare metal HypervisorA pure Hypervisor that runs directly on the hardware and hosts Guest OS’s.
Provides partition isolation + reliability, higher security
Provides partition isolation + reliability, higher security
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
![Page 13: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/13.jpg)
13
Hypervisor Architectures
Type 1: Bare metal HypervisorA pure Hypervisor that runs directly on the hardware and hosts Guest OS’s.
Type 2: OS ‘Hosted’A Hypervisor that runs within a Host OS and hosts Guest OS’s inside of it, using the host OS services to provide the virtual environment.
Provides partition isolation + reliability, higher security
Provides partition isolation + reliability, higher security
Low cost, no additional drivers Ease of use and installation
Low cost, no additional drivers Ease of use and installation
Host HWHost HWMemory CPUsI/O
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host OSHost OS
Device DriversDevice DriversRing-0 VM Monitor “Kernel “Ring-0 VM Monitor “Kernel “
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
UserAppsUserApps
User-level VMMUser-level VMM
Device ModelsDevice Models
![Page 14: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/14.jpg)
14
Xen: Type 1 with a Twist
Type 1: Bare metal Hypervisor
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
![Page 15: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/15.jpg)
15
Xen: Type 1 with a Twist
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
Type 1: Bare metal Hypervisor
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
SchedulerScheduler MMUMMU
XEN Architecture
![Page 16: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/16.jpg)
16
Xen: Type 1 with a Twist
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
HypervisorHypervisor SchedulerScheduler
MMUMMUDevice Drivers/
ModelsDevice Drivers/
Models
Type 1: Bare metal Hypervisor
VMnVMn
VM1VM1
VM0VM0
Guest OSand AppsGuest OSand Apps
Host HWHost HWMemory CPUsI/O
SchedulerScheduler MMUMMU
XEN Architecture
Control domain (dom0)Control domain (dom0)
DriversDrivers
Device ModelsDevice Models
Linux & BSDLinux & BSD
![Page 17: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/17.jpg)
17
Xen Architecture: Basic Parts
![Page 18: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/18.jpg)
Security Thinking: An Approach
![Page 19: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/19.jpg)
19
An Approach to Security Thinking
• Threat models:‒ Attacker can access network
‒ Attacker controls one Guest VM
• Security considerations to evaluate:‒ How much code is accessible?
‒ What is the interface like? (e.g., pointers vs scalars)
‒ Defense-in-depth: how many rings of defense surround you?
• Then combine security tactics to secure the installation‒ There is no single "magic bullet"
‒ Individual tactics reduce danger; combined tactics go farther
![Page 20: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/20.jpg)
20
Example System For This Discussion
• Hardware setup‒ Two networks: one Control network, one Guest network
‒ IOMMU with interrupt remapping (AMD or Intel VT-d v2) to allow for full hardware virtualization (HVM)
• Default configuration‒ Network drivers in the Control Domain (aka "Domain 0" or just
"Dom0")
‒ Paravirtualized (PV) guests using PyGrub (grub-like boot utility within context of Guest Domain)
‒ Hardware Virtualized (HVM) guests using Qemu (as the device model) running in the Control Domain
![Page 21: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/21.jpg)
Attacking the Network Interface
![Page 22: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/22.jpg)
22
Attack Surface: Network Path
![Page 23: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/23.jpg)
23
Attack Surface: Network Path
• Where might an exploit focus?‒ Bugs in hardware driver
‒ Bugs in bridging / filtering
‒ Bugs in netback (via the ring protocol)
‒ Netback and Netfront are part of the Paravirtualization mode
• Note the exploits‒ The main exploits exist already, even in hardware
‒ The netback surface is very small, but needs to be acknowledged
‒ When these are attacked in hardware, you have deep trouble
‒ You actually have better defense in the VM than in hardware
![Page 24: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/24.jpg)
24
Result: Network Path Compromised
![Page 25: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/25.jpg)
25
Result: Network Path Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control of Domain 0 kernel
![Page 26: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/26.jpg)
26
Security Feature: Driver Domains
![Page 27: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/27.jpg)
27
Security Feature: Driver Domains
• What is a Driver Domain?‒ Unprivileged VM which drives hardware
‒ It provides driver access to guest VMs
‒ Very limited scope; not a full operating system
‒ Does not have the access or capability of a full VM
![Page 28: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/28.jpg)
28
Result: Driver Domain Compromised
![Page 29: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/29.jpg)
29
Result: Driver Domain Compromised
• Now a successful exploit could yield:
‒ Control of the Driver Domain (Paravirtualization hypercall interface)
‒ But the Driver Domain is limited: no shell, no utilities
‒ Control of that guest's network traffic
‒ But in the cloud, most orchestrators detect network traffic failure
‒ The problem is not allowed to stand very long
‒ Control of the network interface card (NIC)
‒ An opportunity to attack the netfront of other guest VMs
‒ But to take advantage of this platform, you need to launch another attack
‒ Compound attacks are complex, and they take time which you may not have
![Page 30: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/30.jpg)
30
Basic How To: Driver Domains
• Create a VM with appropriate drivers
‒ Use any distribution suitable as a Control Domain
• Install the Xen-related hotplug scripts
‒ Just installing the Xen tools in the VM is usually good enough
• Give the VM access to the physical NIC with PCI passthrough
• Configure the network topology in the Driver Domain
‒ Just like you would for the Control Domain
![Page 31: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/31.jpg)
31
Basic How To: Driver Domains
• Configure the guest Virtual Network Interface (vif) to use the new domain ID
‒ Add “backend=domnet” to vif declaration
vif = [ 'type=pv, bridge=xenbr0, backend=domnet' ]
Detailed Info
http://wiki.xenproject.org/wiki/Driver_Domain
![Page 32: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/32.jpg)
Attacking the PyGrub Boot Loader
![Page 33: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/33.jpg)
33
Attack Surface: PyGrub
![Page 34: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/34.jpg)
34
Attack Surface: PyGrub
• What is PyGrub?
‒ “grub” implementation for Paravirtualized guests
‒ A Python program running in Control Domain
• What does it do?
‒ It reads the guest VM's filesystem
‒ It parses grub.conf
‒ It displays a boot menu to the user
‒ It passes the selected kernel image to domain builder
![Page 35: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/35.jpg)
35
Attack Surface: PyGrub
![Page 36: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/36.jpg)
36
Attack Surface: PyGrub
• Where might an exploit focus?
‒ Bugs in file system parser
‒ Bugs in menu parser
‒ Bugs in domain builder
• Again, note the exploits
‒ Forms of these exist in hardware as well
‒ But hardware doesn't have as many options to combat the situation
![Page 37: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/37.jpg)
37
Result: PyGrub Compromised
![Page 38: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/38.jpg)
38
Result: PyGrub Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control of Domain 0 user space
![Page 39: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/39.jpg)
39
Security Feature: Fixed Kernels
![Page 40: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/40.jpg)
40
Security Feature: Fixed Kernels
• What is a fixed kernel?
‒ Passing a known-good kernel from Control Domain
‒ No longer allows a user to choose the kernel
‒ Best practice for anything in production
‒ Removes attacker avenue to domain builder
• Disadvantages
‒ Host administrator must keep up with kernel updates
‒ Guest admin can't pass kernel parameters or custom kernels
![Page 41: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/41.jpg)
41
Security Feature: PVgrub
![Page 42: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/42.jpg)
42
Security Feature: PVgrub
• What is PVgrub?
‒ MiniOS plus the Paravirtualized port of “grub” running in a guest context
‒ Paravirtualized equivalent of Hardware Virtualized combination of BIOS plus grub
![Page 43: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/43.jpg)
43
Result: PVgrub Compromised
Control Domain is no longer at risk
Vulnerability Analysis:
Now a successful exploit could yield:
Control of the attacked Guest Domain alone
![Page 44: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/44.jpg)
44
Basic HowTo: PVgrub
• Make sure that you have the PVgrub image‒ “pvgrub-$ARCH.gz”
‒ Normally lives in “/usr/lib/xen/boot”
‒ SUSE SLES: Currently need to build for yourself
‒ Included in Fedora Xen packages
‒ Debian-based: need to build yourself
• Use appropriate PVgrub as bootloader in guest configuration:‒ kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz"
Detailed Info
http://wiki.xenproject.org/wiki/Pvgrub
![Page 45: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/45.jpg)
Attacking the Qemu Device Model
![Page 46: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/46.jpg)
46
Attack Surface: Device Model (Qemu)
![Page 47: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/47.jpg)
47
Attack Surface: Device Model (Qemu)
• What is Qemu?
‒ In other contexts, a virtualization provider
‒ In the Xen Project context, a provider of needed device models
• Where might an exploit focus?
‒ Bugs in NIC emulator parsing packets
‒ Bugs in emulation of virtual devices
![Page 48: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/48.jpg)
48
Result: Device Model Compromised
This could lead to the control of the whole system
Vulnerability Analysis:
What could a successful exploit yield?
Control Domain privileged user space
![Page 49: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/49.jpg)
49
Security Feature: Qemu Stub Domains
• What is a stub domain?
‒ Stub domain: a small “service'' domain running just one application
‒ Qemu stub domain: run each Qemu in its own domain
![Page 50: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/50.jpg)
50
Result: Stub Domain Compromised
You need to devise another attack entirely to do anything more significant
Vulnerability Analysis:
Now a successful exploit could yield:
Control only of the stub domain VM(which, if FLASK is employed, is a relatively small universe)
![Page 51: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/51.jpg)
51
Basic HowTo: Qemu Stub Domains
• Make sure that you have the ioemu image:‒ “ioemu-$ARCH.gz”
‒ Normally lives in “/usr/lib/xen/boot”
‒ SUSE SLES, currently need to build it yourself (SLES 12?)
‒ Included in Fedora Xen packages
‒ On Debian (and offshoots), you will need to build it yourself
• Specify stub domains in your guest configuration:
device_model_stubdomain_override = 1
http://wiki.xenproject.org/wiki/Device_Model_Stub_Domains
Detailed Info
![Page 52: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/52.jpg)
Attacking the Hypervisor Itself
![Page 53: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/53.jpg)
53
Attack Surface: Xen Hypervisor Itself
• Where might an exploit focus?‒ On Paravirtualized (PV) Guests:
‒ PV Hypercalls
‒ On full Hardware Virtualized (HVM) Guests:
‒ HVM hypercalls (Subset of PV hypercalls)
‒ Instruction emulation (MMIO, shadow pagetables)
‒ Emulated platform devices: APIC, HPET, PIT
‒ Nested virtualization
• Security practice: Use PV VMs whenever possible
![Page 54: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/54.jpg)
Using the Xen Security Module
![Page 55: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/55.jpg)
55
Security Feature: FLASK Policy
• What is FLASK?
‒ Xen Security Module (XSM): Xen equivalent of LSM
‒ FLASK: FLux Advanced Security Kernel
‒ Framework for XSM developed by NSA
‒ Xen equivalent of SELinux
‒ Uses same concepts and tools as SELinux
‒ Allows a policy to restrict hypercalls
![Page 56: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/56.jpg)
56
Security Feature: FLASK Policy
• What can FLASK do?‒ Basic: Restricts hypercalls to those needed by a particular
guest
‒ Advanced: Allows more fine-grained granting of privileges
• FLASK example policy‒ This contains example roles for the Control Domain (dom0),
User/Guest Domain(domU), stub domains, driver domains, etc.
‒ Make sure you TEST the example policy in your environment BEFORE putting it into production!
NOTE: As an example policy, it is not as rigorously tested as other parts of Xen during release; make sure it is suitable for you
![Page 57: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/57.jpg)
57
Basic HowTo: FLASK Example Policy
• Build Xen with XSM enabled
• Build the example policy
• Add the appropriate label to guest config files:‒ “seclabel=[foo]”
‒ “stubdom_label=[foo]”
http://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK
Detailed Info
![Page 58: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/58.jpg)
ARM-Specific Security Features
![Page 59: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/59.jpg)
59
ARM SOCARM SOC
Xen + ARM = A Perfect Match
ARM Architecture Features for Virtualization ARM Architecture Features for Virtualization
Hypervisor mode : EL2
Kernel mode : EL1
User mode : EL0
GICv2
GICv2GTGT
2 stageMMU
2 stageMMU
I/O
Device Tree describes …
Hypercall Interface HVCHypercall Interface HVC
![Page 60: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/60.jpg)
60
ARM SOCARM SOC ARM Architecture Features for Virtualization ARM Architecture Features for Virtualization
EL2
EL1
EL0
GICv2
GICv2GTGT
2 stageMMU
2 stageMMU
I/O
Device Tree describes …
HVCHVC
Xen + ARM = A Perfect Match
Xen HypervisorXen Hypervisor
![Page 61: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/61.jpg)
61
ARM SOCARM SOC ARM Architecture Features for Virtualization ARM Architecture Features for Virtualization
EL2
EL1
EL0
GICv2
GICv2GTGT
2 stageMMU
2 stageMMU
I/O
Device Tree describes …
HVCHVC
Xen + ARM = A Perfect Match
Xen HypervisorXen Hypervisor
Any Xen Guest VM (including Dom0)Any Xen Guest VM (including Dom0)
KernelKernel
User SpaceUser Space
HVCHVC
![Page 62: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/62.jpg)
62
ARM SOCARM SOC ARM Architecture Features for Virtualization ARM Architecture Features for Virtualization
EL2
EL1
EL0
GICv2
GICv2GTGT
2 stageMMU
2 stageMMU
I/O
Device Tree describes …
HVCHVC
Xen + ARM = A Perfect Match
Xen HypervisorXen Hypervisor
Dom0only
Dom0only
Any Xen Guest VM (including Dom0)Any Xen Guest VM (including Dom0)
KernelKernel
User SpaceUser Space
I/O
PVback
PV frontI/O
HVCHVC
![Page 63: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/63.jpg)
63
ARM: Right Solution for Security
• Stays in ARM Hypervisor Mode
‒ The ARM architecture has separate Hypervisor and Kernel modes
‒ Because Xen's architecture maps so well to the ARM architecture, Xen never has to use Kernel mode
‒ Other hypervisors have to flip back and forth between modes
‒ If a hypervisor has to enter Kernel mode, it loses the security of running in a privileged mode, isolated from the rest of the system
‒ This is a non-issue with the Xen Hypervisor on ARM
• Does not need to use device emulation
‒ No emulation means a smaller attack surface for bad guys
![Page 64: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/64.jpg)
64
For More Information...
Thanks to George Dunlap for supplying much of the information presented here, and Stefano Stabellini for
ARM information
Check out our blog: http://blog.xenproject.org/
Contact me at [email protected]
Detailed Info
http://wiki.xenproject.org/wiki/Securing_Xen
Thank You!
![Page 65: Securing your Cloud with Xen - SUSECon 2013](https://reader033.vdocuments.net/reader033/viewer/2022052900/555a3f88d8b42ae1398b4dbd/html5/thumbnails/65.jpg)