Secure & flexible monitoring of virtual machine

Secure & flexible monitoring

of virtual machine

University of Mazandran Science & Tecnology

By : Esmaill Khanlarpour

[email protected]

January 07 2010

Outline:

VMM & Types

Secure & Flexible Monitoring of Virtual Machines

Xen Hypervisor

Xen Architecture

Prolegomenon

Requirements

Introduction

Memory Introspection

2 / 30

Outline (contd.):

XenAccess Monitoring Library

XenAccess Virtual Memory Introspection

Conclusion


3 / 30

Is a piece of software/hardware platform-virtualization software that allows multiple operating systems to run on a

host computer concurrently.

VMM (or Hypervisor):

The VM management ,memory partitioning, cpu scheduling

...


4 / 30

Type 1 (bare-metal) hypervisors are software systems that

VMM types :

run directly on the host's hardware.

control the hardware control and to monitor guest operating-systems.

Examples include

VMware ESX Server , Xen , Oracle VM Server ,..


5 / 30

VMM types (contd.) :

HWW

VMM

Type1 Architecture

Application

OS

Application

OS


6/ 30

Type 2 (or hosted) hypervisors are software applications running within a conventional operating-system environment.


Examples include

VMware Server (formerly known as GSX), VMware Workstation,....


7 / 30


HWW

VMM

Application

OS

Host os

Type2 Architecture


8/ 30

Xen is a virtual-machine monitor for x86, x86-64,

Itanium and PowerPC 970 architectures

Xen Hypervisor :

The University of Cambridge Computer Laboratory

developed the first versions of Xen for linux .

As of 2009 the Xen community develops and maintains

Xen as free software .


9 / 30

Xen Hypervisor (contd.):

licensed under the GNU General Public License (GPL2).

Xen has traditionally used a paravirtualized approach to

implement virtualization.

Xen uses a split domain architecture , meaning that guest

OSes are kept in unprivileged domains(domU).

Type 1 of VMM types.


10 / 30

Xen Hypervisor (contd.):

Other Domain In Xen is Domain 0 (Dom0)

Xen Hypervisor

HWW

DOM0 DOM U DOM U


11 / 30

boots automatically when the hypervisor boots

Domain 0 (dom0) :

interact with the other virtual machines

receives special management privileges and direct

access to all physical hardware by defaul

Modified versions of Linux, NetBSD and Solaris can run as

the Dom0


12/ 30

Domain 0 (contd.):

All Xen virtualization environments require Domain 0 to be running before any other virtual machines can be started


13 / 30

Domain User (DomU):

EXCEPT Dom0,All paravirtualized virtual machines running on a Xen hypervisor, are referred to as DomU PV Guests

Unmodified versions of Microsoft Windows and other

proprietary operating systems can also run as guests if

the CPU supports x86 virtualization

such CPUs include Intel VT and AMD-V.


14 / 30

Xen Architecture :


15 / 30

Memory Introspection:

Memory introspection is the process of viewing the memory of one virtual machine from a different virtual machine.

What makes memory introspection difficult is the semantic gap between the two virtual machines.

This Technique most used in intrusions detection .

Example : state of a system call


16 / 30

Introduction :

Monitoring application

No architecture

Example : Task manager

Monitoring app in VM

Monitoring app is ≠ VMM


17 / 30

Create a Architecture:

Bryan D.payne & his friends

Bryan D.payne is a Ph.D. Candidate in the College of

Computing at the Georgia Institute of Technology

Start a Project in Georgia Tech Information Security

Center (GTISC) that was called XenAccess architecture .


18 / 30

Requirements:

1. No superfluous modifications to the VMM.

They designed the XenAccess architecture based on six

high-level requirements.

In general sense ,these requirements can be seen as typical good programming guidelines,or good security guidelines.

2. No modifications to the VM or the target OS.


19 / 30

Requirements (contd.):

3. Small performance impact.

4. Rapid development of new monitors.

5. Ability to monitor any data on target OS.

6. Target OS cannot tamper with monitors.


20 / 30

XenAccess Monitoring Library:

XenAccess is a library that simplifies the process of memory introspection for virtual machines running on the Xen hypervisor.

With XenAccess, your software can run in one virtual machine and access the memory space of other virtual machines.

The primary goal for the XenAccess architecture is to

satisfy the six requirements stated in the Requirements.


21 / 30

XenAccess Monitoring Library (contd.):

Xen Access is implemented in C language as a shared library with 1935 source lines of code(SLOC).

The two primary monitoring functionalities in XenAccess

Are virtual memory introspection and virtual disk Monitoring .


22/ 30


XenAccess & Requirements

Satisfy property 1 with : Chose Xen as a virtualization solution because it is a Type I VMM (Introspection VMM)


23 / 30


Satisfy property 2 with : with Xen Infrastructure they able to design the monitoring architecture to work without Changes to the target OS.

Satisfy property 3 with :

with examine the xenAccess.


24 / 30



with the XenAccess’s API (application program interface).


they desire an architecture that can monitor any data on the target OS.


25 / 30



They placed the monitors in a different VM than the target OS. Xen provides sufficient isolation between VMs for this

to be a viable solution.


26 / 30

XenAccess Monitoring Functionalities:

Virtual Memory introspection

Virtual Disk Monitoring


27 / 30

Virtual Memory introspection:


28 / 30

XenAccess Memory introspection

Virtual Memory Introspection (contd.):

An application that monitors for changes in the system call table

Example include :

An application that monitors the integrity of an installed

LKM (Linux Kernel Modules )


29 / 30

conclusion :

VMM & Type

Xen Hypervisor

Memory introspection

XenAccess Monitoring Library


30 / 30

Reference :

[2] Xen introduction. http://wiki.xensource.com/xenwiki/XenIntro,last accessed an 2009/12/22

[3] Xen Hypervisor . http://en.wikipedia.org/wiki/Hypervisor,last accessed an 2009/12/15

[4] Xen Domain . http://wiki.xensource.com/xenwiki/Dom0,last accessed an 2010/01/02

[1] BD Payne, M Carbone, and W Lee. “Secure and Flexible Monitoring of Virtual Machines”. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007), December 2007.


Reference:

[5] Xen Domain . http://wiki.xensource.com/xenwiki/DomU,last accessed an 2010/01/02

[6] Xen Architecture. http://wiki.xensource.com/xenwiki/XenArchitecture,last accessed an 2009/12/15


Questions


Documents

Secure & flexible monitoring of virtual machine