Intro Network path Bootloader Device model Xen Conclusion
Securing your cloud with Xen’s advanced security features
George Dunlap
Edinburgh – 21-23 October, 2013
Xen: an open-source, enterprise-grade, type I hypervisor
Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 2 / 33
Built for the Cloud before it was called the Cloud
Advanced security features
Goal
- Tools to think about security in Xen
- Know some key security features of Xen
- Equipped with the knowledge to get them working
Outline
- Overview of the Xen architecture
- Brief introduction to principles of security analysis
- Consider some attack surfaces
- Xen features we can use to make them more secure
  - Driver domains
  - pvgrub
  - stub domains
  - PV vs HVM
  - FLASK example policy
Xen Architecture
[Figure: Xen architecture. Hardware (I/O devices, CPU, memory) at the bottom; the Xen hypervisor above it; dom0 containing the toolstack, the hardware drivers, the device model (qemu) and the netback/blkback backends; a paravirtualized (PV) domain with netfront/blkfront; a fully virtualized (HVM) domain.]
Security Overview
- Threat model
  - Attacker can access guest network
  - Attacker controls one guest OS
Security Overview
- Security considerations
  - How much code is accessible?
  - What is the interface like?
  - Defense-in-depth
Example System
- Hardware setup
  - Two networks: control network, guest network
  - IOMMU with interrupt remapping (AMD or Intel VT-d v2)
- Default configuration
  - Network drivers in dom0
  - PV guests with pygrub
  - HVM guests with qemu running in domain 0
Attack surface: Network path
[Figure: network path. Hardware: control NIC and guest NIC. dom0: toolstack, NIC driver, bridge + iptables, netback. A rogue domain and another guest domain, each with netfront. Xen hypervisor underneath.]
- How to break in?
  - Bugs in hardware driver
  - Bugs in bridging / filtering
  - Bugs in netback via the ring protocol
Attack surface: Network path
[Figure: the same network-path diagram: control NIC and guest NIC; dom0 with toolstack, NIC driver, bridge + iptables and netback; a rogue domain and another guest, each with netfront.]
- What does it buy you?
  - Control of domain 0 kernel
  - Pretty much control of the whole system
Security feature: Driver Domains
[Figure: the network-path diagram with a separate Driver Domain holding the NIC driver for the guest NIC, bridge + iptables and netback; dom0 keeps the toolstack and the control NIC driver; the rogue domain and the other guest still attach via netfront.]
- What is it?
  - Unprivileged VM which drives hardware, provides access to guests
Security feature: Driver Domains
[Figure: the same driver-domain diagram: dom0 with toolstack and control NIC driver; Driver Domain with guest NIC driver, bridge + iptables and netback; rogue domain and other guest with netfront.]
- Now an exploit buys you:
  - Control of a PV VM (PV hypercall interface)
  - Guest network traffic
  - Control of NIC
  - Opportunity to attack netfront of other guests
HowTo: Driver Domains
- Create a VM with appropriate drivers
  - Any distro supporting dom0 should do
- Install the xen-related hotplug scripts
  - Just installing the xen tools in the VM is usually good enough
- Give the VM access to the physical NIC with PCI pass-through
- Configure the network topology in the driver domain
  - Just like you would for dom0
- Configure the guest vif to use the new domain ID
  - Add backend=domnet to vif declaration
    vif = [ 'type=pv, bridge=xenbr0, backend=domnet' ]
- http://wiki.xen.org/wiki/Driver_Domain
Attack surface: Pygrub
[Figure: dom0 toolstack containing the domain builder and pygrub; pygrub reads the guest disk; the PV domain being built; Xen hypervisor underneath.]
- What is it?
  - grub implementation for PV guests
  - Python program running in domain 0
  - Reads guest FS, parses grub.conf, presents menu
  - Passes resulting kernel image to domain builder
Attack surface: Pygrub
[Figure: the same pygrub diagram: dom0 toolstack with domain builder and pygrub reading the guest disk; PV domain; Xen hypervisor.]
- How to break in?
  - Bugs in file system parser
  - Bugs in menu parser
  - Bugs in kernel / initrd image parsers
Attack surface: Pygrub
[Figure: the pygrub diagram, now with the kernel extracted from the guest disk by pygrub and handed to the domain builder in dom0.]
- What does it buy you?
  - Control of domain 0 user space
  - Pretty much control of the whole system
Security practice: Fixed kernels
[Figure: dom0 toolstack with the domain builder taking a kernel image supplied by dom0 instead of pygrub; the guest disk is no longer parsed in dom0; PV domain; Xen hypervisor.]
- What is it?
  - Passing a known-good kernel from domain 0
  - Removes attacker avenue to domain builder
Security practice: Fixed kernels
[Figure: the same fixed-kernel diagram: domain builder in dom0 fed a kernel image from dom0; guest disk untouched by dom0.]
- Disadvantages
  - Host admin must keep up with kernel updates
  - Guest admin can’t pass kernel parameters, custom kernels,
Security feature: pvgrub
[Figure: dom0 toolstack with the domain builder; the guest is started with MiniOS + pvgrub, which reads the guest disk from inside the guest's own context; Xen hypervisor underneath.]
- What is it?
  - MiniOS + pv port of grub running in a guest context
  - PV equivalent of HVM “BIOS + grub”
- Now an exploit buys you:
  - Control of your own VM
HowTo: pvgrub

- Make sure that you have the pvgrub image
  - pvgrub-$ARCH.gz
  - Normally lives in /usr/lib/xen/boot
  - Included in Fedora Xen packages
  - Debian-based: need to build yourself
- Use appropriate pvgrub as kernel in guest config
    kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz"
- http://wiki.xen.org/wiki/Pvgrub

Attack surface: Device model (qemu)

[Diagram: Xen hypervisor; dom 0 with hardware drivers, toolstack and the device model (qemu); a fully virtualized (HVM) domain]

- How to break in?
  - Bugs in NIC emulator parsing packets
  - Bugs in emulation of virtual devices

Attack surface: Device model (qemu)

- What does it buy you?
  - Domain 0 privileged userspace
  - Pretty much control of the whole system
- Not hypothetical
  - Three exploitable bugs found in qemu in the last 2 years

Security feature: qemu stub domains

[Diagram: Xen hypervisor; dom 0 with hardware drivers and toolstack; the device model (qemu) running on minios in its own stub domain; a fully virtualized (HVM) domain]

- What is it?
  - Stub domain: a small "service" domain running just one application
  - qemu stub domain: run each qemu in its own domain

Security feature: qemu stub domains

- Now an exploit buys you:
  - Control of the stubdom VM
  - Access to PV interfaces

HowTo: qemu stub domains

- Make sure that you have the stubdom image:
  - ioemu-$ARCH.gz
  - Normally lives in /usr/lib/xen/boot
  - Included in Fedora Xen packages
  - Debian-based: need to build yourself
- Specify stub domains in your guest config
    device_model_stubdomain_override = 1
- http://wiki.xen.org/wiki/Device_Model_Stub_Domains

Attack Surface: Xen

- HVM guests
  - HVM hypercalls (subset of PV hypercalls)
  - Instruction emulation (MMIO, shadow pagetables)
  - Emulated platform devices: APIC, HPET, PIT
  - Nested virtualization
- PV guests
  - PV hypercalls
  - Shared address space
- Survey of security updates looks statistically similar
- Security practice: If you can't use stub domains, use PV VMs

Security feature: FLASK example policy

- What is FLASK?
  - Xen Security Module (XSM): Xen equivalent of LSM
  - FLASK: framework for XSM developed by NSA
  - Xen equivalent of SELinux
  - Uses same concepts, tools as SELinux
  - Allows a policy to restrict hypercalls

Security feature: FLASK example policy

- What can FLASK do?
  - Basic: Restricts hypercalls to those needed by a particular guest
  - Advanced: Allows more fine-grained granting of privileges
- FLASK example policy
  - This contains example roles for dom0, domU, stub domains, driver domains, &c

HowTo: Use the example FLASK policy

- Build Xen with XSM enabled
- Build the example policy
- Add the appropriate label to guest config files
  - seclabel=[foo]
  - stubdom_label=[foo]
- http://wiki.xen.org/wiki/Xen_Security_Modules_:_XSM-FLASK
- WARNING: In 4.3, the example policy is not extensively tested. Use with care!

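An added example, not part of the slides and not code from the Xen project: a POSIX shell audit script that checks xl guest config files for the three HowTo practices above (a PV guest booted via pvgrub or a fixed kernel supplied by dom0 rather than a bootloader running in dom0, device_model_stubdomain_override = 1 for HVM guests, and seclabel / stubdom_label set so the FLASK policy applies). The trusted boot directory defaults to the /usr/lib/xen/boot path named on the slides; the sample configs, the domU_t / domDM_t labels and the OK/WARN/FAIL wording are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides or the Xen project): audit xl guest
# configs for the pvgrub, stub domain and FLASK HowTo practices.
#   PV guests : kernel= must name a dom0-controlled image under $TRUSTED_BOOT
#               (pvgrub-* or a fixed kernel); bootloader= (pygrub, which runs
#               in dom0 and parses the guest disk) is reported as a finding.
#   HVM guests: device_model_stubdomain_override = 1 must be set.
#   All guests: seclabel= (and stubdom_label= with a stub domain) should be set.
# TRUSTED_BOOT defaults to the path on the slides; sample configs are constructed.

TRUSTED_BOOT="${TRUSTED_BOOT:-/usr/lib/xen/boot}"

# cfg_get FILE KEY: print the value of KEY from an xl config file, with the
# surrounding quotes, trailing comment and whitespace stripped.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed "s/^[\"']//; s/[\"'].*\$//; s/[[:space:]]*#.*\$//; s/[[:space:]]*\$//"
}

# guest_type FILE: "hvm" when type= or builder= says so, otherwise "pv".
guest_type() {
    t=$(cfg_get "$1" type)
    [ -n "$t" ] || t=$(cfg_get "$1" builder)
    case "$t" in
        hvm|HVM) echo hvm ;;
        *)       echo pv ;;
    esac
}

# audit_config FILE: print one line per check; return 0 only if nothing FAILed.
audit_config() {
    cfg=$1; fails=0
    echo "== $cfg ($(guest_type "$cfg") guest)"
    if [ "$(guest_type "$cfg")" = pv ]; then
        bl=$(cfg_get "$cfg" bootloader)
        if [ -n "$bl" ]; then
            echo "FAIL bootloader=$bl runs in dom0 and parses the guest disk"
            fails=$((fails + 1))
        fi
        k=$(cfg_get "$cfg" kernel)
        case "$k" in
            "$TRUSTED_BOOT"/pvgrub-*)
                echo "OK   kernel=$k (grub runs inside the guest)"
                [ -r "$k" ] || echo "WARN $k not present on this host" ;;
            "$TRUSTED_BOOT"/*)
                echo "OK   kernel=$k (fixed kernel supplied by dom0)" ;;
            "")
                [ -n "$bl" ] || { echo "FAIL no kernel= set"; fails=$((fails + 1)); } ;;
            *)
                echo "FAIL kernel=$k is outside $TRUSTED_BOOT"
                fails=$((fails + 1)) ;;
        esac
    else
        if [ "$(cfg_get "$cfg" device_model_stubdomain_override)" = 1 ]; then
            echo "OK   qemu runs in a stub domain"
            [ -n "$(cfg_get "$cfg" stubdom_label)" ] \
                || echo "WARN stubdom_label= not set; stub domain gets no FLASK label"
        else
            echo "FAIL device_model_stubdomain_override=1 not set; qemu runs in dom0"
            fails=$((fails + 1))
        fi
    fi
    [ -n "$(cfg_get "$cfg" seclabel)" ] || echo "WARN seclabel= not set; guest gets no FLASK label"
    [ "$fails" -eq 0 ]
}

# write_samples DIR: constructed sample configs, two compliant and two not.
write_samples() {
    cat > "$1/pv-good.cfg" <<'EOF'
name = "pv-good"
kernel = "/usr/lib/xen/boot/pvgrub-x86_64.gz"
seclabel = "system_u:system_r:domU_t"
EOF
    cat > "$1/pv-bad.cfg" <<'EOF'
name = "pv-bad"
bootloader = "pygrub"
EOF
    cat > "$1/hvm-good.cfg" <<'EOF'
name = "hvm-good"
builder = "hvm"
device_model_stubdomain_override = 1
seclabel = "system_u:system_r:domU_t"
stubdom_label = "system_u:system_r:domDM_t"
EOF
    cat > "$1/hvm-bad.cfg" <<'EOF'
name = "hvm-bad"
builder = "hvm"   # no stub domain: qemu runs as dom0 userspace
EOF
}

# Audit the configs given as arguments, or the built-in samples when none are given.
if [ $# -gt 0 ]; then
    for f in "$@"; do audit_config "$f"; echo; done
else
    d=$(mktemp -d); write_samples "$d"
    for f in "$d"/*.cfg; do audit_config "$f" || true; echo; done
    rm -rf "$d"
fi
```

The script only inspects config text: it reports when the named pvgrub image is missing on the host (the Debian case on the slides, where it has to be built), but whether FLASK is actually loaded and enforcing is a host-side check with xl getenforce, not something a guest config can show.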
Outline

- Overview of the Xen architecture
- Brief introduction to principles of security analysis
- Consider some attack surfaces
- Xen features we can use to make them more secure
  - Driver domains
  - pvgrub
  - stub domains
  - PV vs HVM
  - FLASK example policy

Goal

- Tools to think about security in Xen
- Know some key security features of Xen
- Equipped with the knowledge to get them working

Questions

Questions?

More info at http://wiki.xen.org/wiki/Securing_Xen
Check out our blog: http://blog.xen.org/