virtualization and cloud security

Virtualization and Cloud Security Huzur Saran IIT Delhi

Upload: valin

Post on 04-Feb-2016


TRANSCRIPT

  • Virtualization and Cloud Security, Huzur Saran, IIT Delhi

  • Typical Cloud
    [Diagram: several hosts, each with hardware (hw), a hypervisor and guest machines m1 to m5, all behind a Cloud API]

  • Typical Server Virtualization Deployment
    [Diagram: Hardware, Hypervisor, guest OSs (Win 2003, Win 2008, Redhat, Ubuntu) each running Apps, and Management]

  • Typical VDI Deployment
    [Diagram: Hardware, Enterprise Hypervisor, guest OSs each hosting a desktop, accessed from thin clients]

  • Security Issues
    - The hypervisor is the underlying component of all these architectures. It is a new layer which needs to be protected.
    - Scale of deployments: just the sheer scale of deployments makes this a security nightmare. Imagine 150 machines running a simultaneous scheduled AV scan on the same physical host. It chokes IO/disk bandwidth.
    - Isolation: machines of a company and its competitor could be running on the same physical machine. Insufficient isolation could lead to disaster.
    - New APIs to access virtualization/cloud services: bugs in these could lead to compromise of the entire infrastructure.

  • Sample Hypervisor Security Issues
    - CVE-2007-4496, CVE-2007-4497: ESX3.01, guest operating system can cause buffer overflow and arbitrary code execution in the host
    - CVE-2007-0948: Virtual PC, heap overflow which could cause arbitrary privilege escalation
    - CVE-2007-4993: Xen 3.0.3, user can escape to domain0 via grub.conf and pygrub

  • Security Issues: Why?
    - Hypervisors are written by humans. They have bugs, typically buffer overflows.
    - Hypervisors are complex: Xen is about 300K source lines of code.
    - Complete isolation is hard: most systems don't have IOMMUs, which makes it possible to DMA to arbitrary physical memory.
    - A compromised Domain0 on Xen pretty much means a hosed hypervisor. Domain0 runs commodity OSs, which could have bugs.

  • Security Issues: Why?
    - DMA is a big problem on non-IOMMU based systems:
        - Xen can set up DMA
        - Dom0 can set up DMA
        - Driver domains can set up DMA
        - The range of physical addresses is not verified
    - IOMMU based systems can restrict the range of addresses, but they are not present in commodity hardware.
    - There are some techniques to bypass even IOMMU checks.
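
The check the slide says is missing ("the range of physical addresses is not verified"), sketched as an added example that is not from the original slides or from Xen: a software validation that a requested DMA window lies entirely inside memory owned by the requesting guest. The struct, function name and sample ranges are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not Xen's data structures): one contiguous range of
 * machine-physical memory owned by the guest that requested the transfer. */
struct phys_range { uint64_t base, len; };

/* Constructed sample: two adjacent ranges, a hole at 0x3000, one more range. */
static const struct phys_range SAMPLE[] = {
    {0x1000, 0x1000}, {0x2000, 0x1000}, {0x4000, 0x1000},
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Returns true only if every byte of [addr, addr + len) is owned by the
 * guest. `owned` must be sorted by base, non-overlapping, non-wrapping. */
bool dma_request_allowed(const struct phys_range *owned, size_t n,
                         uint64_t addr, uint64_t len)
{
    if (len == 0 || addr + len < addr)   /* empty, or wraps past 2^64 */
        return false;
    uint64_t cur = addr, end = addr + len;
    for (size_t i = 0; i < n && cur < end; i++) {
        uint64_t rend = owned[i].base + owned[i].len;
        if (rend <= cur)
            continue;                    /* range lies below the cursor */
        if (owned[i].base > cur)
            return false;                /* hole: byte at cur is not owned */
        cur = rend;                      /* covered up to the end of this range */
    }
    return cur >= end;
}

int main(void)
{
    /* Transfer spanning the two adjacent ranges: allowed. */
    printf("%d\n", dma_request_allowed(SAMPLE, SAMPLE_N, 0x1800, 0x1000));
    /* Transfer running into the hole at 0x3000: refused. */
    printf("%d\n", dma_request_allowed(SAMPLE, SAMPLE_N, 0x2800, 0x1000));
    /* Length chosen so addr + len wraps around to a small value: refused. */
    printf("%d\n", dma_request_allowed(SAMPLE, SAMPLE_N, 0x1000, UINT64_MAX));
    return 0;
}
```

A check like this only covers transfers that are set up through the hypervisor; a domain that programs a device directly is constrained only by an IOMMU.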

  • Security Solutions
    - Trusted hypervisor
    - Hyperguard (Phoenix Technologies): a hypervisor integrity scanner in SMM
    - Deepwatch (Intel project): virtualization rootkit scanner
    - Domain 0 hardening: various security solutions to white-list and harden Dom0

  • Security Opportunities
    - A new breed of security products is now possible to protect guest OSs from being hijacked.
    - Hypervisor based security suites cannot be detected by malware running in the guest.
    - Hypervisors allow introspection of very early boot sequences of the guest, thereby making possible an entire new breed of BIOS rootkit and kernel rootkit scanners.

  • Security Opportunities
    - APIs like VMSAFE from VMware allow introspection of interesting system events in the guests.
    - These events can then be processed on a dedicated security appliance.
    - These events include CPU state monitoring, page faults, memory/register accesses, file-system events, network events, etc.

  • Early Trends: Consolidate common security functions to security appliance
    [Diagram labels: Hardware, Enterprise Hypervisor, guest OSs each with AV and FW; guest OSs with AV Shim and FW Shim, Antivirus, Firewall, Security Appliance Manager]

  • Security is hard at all levels
    A prisoner was wrongly released after a fax was received from a grocery store stating that the Kentucky Supreme Court had demanded his release: http://www.cnn.com/2007/US/04/21/wrongly.freed.ap/index.html

  • Security principles
    - Open design: you need all the help you can get
    - Economy of mechanism: fewer things to get right
    - Minimize secrets: secrets don't remain secret
    - Fail-safe defaults: most users won't change them
    - Least privilege: limit the damage of an accident
    - Separation of privilege: dangerous operations should require multiple principals
    - Complete mediation: check every operation

  • Sample Security Issues
    - http://taviso.decsystem.org/virtsec.pdf - Paper detailing several bugs in Virtual PC, Xen, VMware, Parallels and BOCHS.
    - http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/ - UDP flood based DDoS against Amazon EC2
    - Argument handling bugs in FLASK (Xen)

  • Example: VMware PIIX4 ACPI PM OOB Write
    A specially crafted poke to I/O port 0x1004 results in an out-of-bounds write to an attacker-controlled location. By interacting with the power management subsystem in specific ways, a write to an arbitrary location can be performed upon restarting a suspended virtual machine.

        section .text
        global _start
        _start:
            mov eax, 110
            mov ebx, 3
            int 0x80            ; iopl() (footnote a on the slide)
            mov ax, 0x6c81
            mov dx, 0x1004
            out dx, ax          ; write to I/O port 0x1004
            xor ebx, ebx
            xor eax, eax
            inc eax
            int 0x80            ; exit
