View
40
Download
0
Category
Preview:
DESCRIPTION
Eliminating the Hypervisor Attack Surface for a More Secure Cloud. Jakub Szefer , Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文. Outline. Introduction Virtualization vulnerabilities Threat model NoHype system architecture Prototype design - PowerPoint PPT Presentation
Citation preview
Eliminating the Hypervisor Attack Surface for a More Secure Cloud
Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton UniversityCCS October, 2011 報告人:張逸文
2
Outline Introduction Virtualization vulnerabilities Threat model NoHype system architecture Prototype design Security analysis Related work Conclusion
3
Introduction( 1/2) Web services & Cloud infrastructure
providers Multi-tenancy → SECURITY Virtualization software Previous approaches NoHype system
eliminating the hypervisor attack surface altogether
4
Introduction( 2/2) NoHyper
Retain the ability to run and manage VMs in the same way
Achieve with today’s commodity hardwarePrevent attacks
ContributionsEliminating the hypervisor attack surfaceRealizing on today’s commodity hardwareA prototype implementation and system evaluation
5
Virtualization vulnerabilities( 1/2) Hypervisor
A program allows multiple OSs to share a single hardware host
Roles of virtualization software Roles of hypervisor
Processor coresMemoryI / O devicesInterrupts and Timers
6
Virtualization vulnerabilities( 2/2) Attack Surface
Interaction between guest VM & hypervisorVM exit○ the VM’s code is interrupted and the hypervisor’s
code begins to execute to handle some event○ How often this happens?
VM sends info. to hypervisor so the hypervisor can handle the event
7
Threat model NoHype
Avoiding attacks from malicious guest VMs when VM exit happens
Eliminating the need for interactionAssumptions○ Guest OS’s security○ Cloud management software
8
NoHype system architecture( 1/3) Pre-allocating memory and cores
Hypervisor dynamically manages the memory and processor cores’ resources
Dedicating number of cores to the specific VMGuest VM can use the local APIC directlyPre-allocating memoryHardware paging mechanisms
9
NoHype system architecture( 2/3) Using only virtualized I/O devices
Dedicating I/O devices to the guest VMVirtualized NIC, storage, graphics card
Short-circuiting the system discoveryAllowing the guest OS boot normallyModifying guest OS to cache system configuration dataTemporary hypervisorNo customer code executes while any underlying
virtualization software is present
10
NoHype system architecture( 3/3) Avoiding indirection
Hypervisor performs indirections that map the virtual view to real hardware
Guest VM directly accesses the processor ID
11
Prototype design( 1/5) VM creation
customer’s request → cloud management software → system software → create VM
Xen○ Pre-setting EPT(Extended Page Tables)○ Physical function driver for NIC○ pinning a VM to a set of cores○ allocating the virtualized NIC
12
Prototype design( 2/5) Guest VM bootup
Xen’s inclusion of bootloader, hvmloderDescoverying devices○ Temporary hypervisor○ Modified QEMU to return “no device” for all but a
network card○ Interrupt:Modified Xen & Linux choose the
same configurable vector
13
Prototype design( 3/5)Discovering processor capabilities○ The clock frequency --- software virtualized HPET○ The core identifier --- pass the actual identifier○ Processor’s features --- implementation CPUID
Hypervisor disengagementGuest OS kernel moduleHypercall with an unused hypercall number○ Hypervisor disengagement○ Sending an IPI to other cores of the VM
14
Prototype design( 4/5)① Remove the VM from several lists② Guest’s full control of the individual core③ Initialize the local APIC registersExecution control is transferred to the user’s
code Guest execution and shutdown
Modify the guest Linux kernelShutdown by itself or by VMCS
15
Prototype design( 5/5) Raw performance evaluation
1% performance improvement
16
Security analysis( 1/2) Remaining hypervisor attack surface
Interaction between the cloud manager and the system manager future work
Temporary hypervisor & modified guest OS kernel
Trusted Computing Base VM to VM attack surface
Sending IPIs to other guest VMs
17
Security analysis( 2/2) Isolation between VMs
Pre-setting EPT to assign physical pages to a VM
performance VMs mapping physical infrastructures
Infrastructure mapping attacks
18
Related work Minimizing the hypervisor
TrustVisor:Efficient TCB reduction and attestation New processor architectures
Introduction to the new mainframe:z/VM basics Hardening the hypervisor
HyperSafe:A lightweight approach to provide lifetime hypervisor control-flow integrity
Direct access to hardware
19
Conclusion Design, implementation and evaluation of a
working NoHype system on today’s commodity hardware
Removing the attack surface 1% faster run time
20
21
22
23
24
25
Recommended