Scribd Logo
Upload

Welcome to Scribd!

  • Virtualization Security Features PDF

    Uploaded by

    Saurav Demta
    32 views16 pages
    virtualization

    Original Title

    Virtualization_Security_Features.pdf

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    virtualization

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    32 views16 pages

    Virtualization Security Features PDF

    Uploaded by

    Saurav Demta
    virtualization

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 16

    What security features are appropriate for virtualization technology?

    John McDermott NRL john.mcdermott@nrl.navy.mil

    Organization of this talk

    NRL

    Scope / meaning of virtualization Security features for virtualization


    technology (VT) per se

    Security features that make sense for


    complete products that include virtualization but ...

    should not be implemented by VT Security features that you might support


    with virtualization
    Virtualization Security Workshop ACSAC 24

    What is virtualization technology?

    NRL

    web-based open structured service-oriented object-oriented distributed


    Virtualization Security Workshop ACSAC 24

    virtual is the new good

    We restrict this talk to virtual machine monitors

    NRL

    Hypervisor/VMM - software that

    virtualizes complete hardware platforms

    to run operating systems Type I or Type II (more later) a virtualization product may include a
    VMM

    a product may include features not


    Virtualization Security Workshop

    implemented within the VMM per se

    ACSAC 24

    Robustness and threat model

    NRL

    Since security is never perfect, it should always be described in terms of threat model and robustness.

    Understanding these concepts can save you money.


    Virtualization Security Workshop ACSAC 24

    Threat model

    NRL

    (A well-formed threat model will always contain these components, though the terms used may be different.) A threat is some adverse action against the services, data, stakeholders, etc., protected by a security solution. Each threat is the goal of some threat actor.

    An abstract entity with, capabilities, initial knowledge, and initial access.


    ACSAC 24

    Virtualization Security Workshop

    Robustness I

    NRL

    Our understanding of security aws that may remain after a product is developed Robustness = strength of mechanism + assurance

    Strength of mechanism is about conceptual aws

    present even in perfect implementations e.g. Caesar cipher

    Assurance is about development practices and assurance measures taken to address aws that are not conceptual
    ACSAC 24

    Virtualization Security Workshop

    Robustness II

    NRL

    A low-strength / high-assurance solution can


    be broken through its conceptual aws

    A high-strength / low-assurance solution can


    be broken through its implementation aws

    Low/low can be broken either way High/high is expensive to defeat


    Virtualization Security Workshop ACSAC 24

    VMM Robustness I

    NRL

    One kind of VMM is a perfectly strong mechanism - no conceptual aws

    separation kernel (SK) - no sharing between guests a pure SK cannot be used as a cross-domain solution (David Bells computer security intermediate value theorem at ACSAC 21)

    Other kinds of VMMs can be a less than perfectly but otherwise arbitrarily strong mechanisms

    NPS trusted exemplar, NRL Xenon - allow sharing between guests can be used as a cross-domain solution
    ACSAC 24

    Virtualization Security Workshop

    VMM Robustness II

    NRL

    If a VMM is to have all of its guests connected to the same network ... ... then the VMM does not need to be any more robust than its guests ... ... because the guests can all be attacked via the common network.

    Virtualization Security Workshop

    ACSAC 24

    Sensitive instructions

    NRL

    sensitive instructions can affect processor mode, memory maps, DMA, interrupt handling ... i.e. VMM control privileged instructions cause a trap into the VMM code sensitive instructions should be a subset of privileged instructions guests should execute innocuous instructions directly dene Type I and Type II VMMs: how does the VMM get the trap?
    ACSAC 24

    Virtualization Security Workshop

    VMM security features: separation

    NRL

    program counter / ags registers cache descriptor tables main memory interrupts APCI boot rmware (e.g. BIOS) TPM
    ACSAC 24

    Virtualization Security Workshop

    VMM security features: sharing

    NRL

    simple network-based abstractions IP packets Ethernet frames high-level guest-based abstractions le systems windows disks desktops
    Virtualization Security Workshop ACSAC 24

    You are using virtualization to ... ?

    NRL

    Share hardware
    execution environments

    Remove (hide)

    undesirable hardware features desirable hardware features

    Add (virtualize)

    Virtualization Security Workshop

    ACSAC 24

    Product security features that should not be implemented in the VMM

    NRL

    most network security measurement, including TPM cryptographic features, including TPM intrusion detection identication or authentication RBAC More research is needed on how to
    implement these outside of the VMM
    Virtualization Security Workshop ACSAC 24

    Interesting security features that can be wellsupported by virtualization

    NRL

    Measurement Attack space reduction Multiple single-level information-ow


    security

    Virtualization Security Workshop

    ACSAC 24

    You might also like