1 / 29

Virtually Secure Oded Horovitz VMware R&D CanSecWest March, 2008

Virtually Secure Oded Horovitz VMware R&D CanSecWest March, 2008. Talk Overview. Setup Virtualization 101 Talk Focus VM Introspection Capabilities Sample Use Cases (and demos) ‏ Magics Retrospective Security Misc & QA. Virtualization 101. Key Terms VMM Hypervisor Hosted Bare Metal.

pisces
Download Presentation

Virtually Secure Oded Horovitz VMware R&D CanSecWest March, 2008

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Virtually SecureOded HorovitzVMware R&DCanSecWestMarch, 2008

  2. Talk Overview Setup Virtualization 101 Talk Focus VM Introspection Capabilities Sample Use Cases (and demos)‏ Magics Retrospective Security Misc & QA

  3. Virtualization 101 Key Terms VMM Hypervisor Hosted Bare Metal Setup App App ... Management Interfaces OS Device Virtualization Device Virtualization Virtual Machine Monitor (VMM)‏ ... Hypervisor / Kernel Hardware Network Storage CPU

  4. Talk Focus Virtualization Based Capabilities Better than physical Hypervisor as a Base of Trust Security as an infrastructure service Also Important But not Today Secure Virtualization Infrastructure Secure & Manageable Platform Physical Equivalent Security Support existing tools and agents Prevent security coverage loss when P2V Setup

  5. Security Agent – common agents Introspection Anti Spam Anti Phishing AV Firewall Browser File System Mail Server Network Stack HIPS ? OS Hypervisor

  6. Physical Security - Shortcomings Code Packing AV see packed file Unpacking method is unknown No opportunity for detection Introspection Mal ware packer pack Rewrite self Un packer Packed malware Mal ware Mal ware Write file Instantiate AV File System Loader CPU Read file exec file

  7. Physical Security - shortcoming Vulnerabilities Buggy service is exploited New code is injected File system never sees the new code (unless it is paged out..)‏ Existing solutions Program shepherding ASLR NX No good coverage for kernels Introspection exploit Buggy code CPU execute

  8. Physical Security - shortcoming OS coverage Agent is depended on its host (instantiated by host)‏ A window of opportunity exist to subvert system Solution - Boot into alternate OS and scan? Introspection OS drivers Boot Loader reset Platform BIOS apps Devices code AV

  9. CPU events Privileged instruction Exceptions Interrupts I/O Arbitrary Instruction op-code Instruction breakpoint Control flow VM Introspection HV unfriendly

  10. VM Introspection Memory event Granular CPU read / write Granular device read / write Linear addressing Page granularity Physical addressing HV unfriendly High overhead CPU Device Read / write / “execute” Read / write Memory

  11. VM Introspection – VMware initiatives VM Debugging • GDB like interface • Designed for human user • Agent is on the network • Capabilities • Examine CPU, memory • Single step • invisible breakpoints • Page table walker • Some symbol information support

  12. VM Introspection – VMware Initiatives VProbes • dtrace like goals • Designed for human user / analysis tools • Agent runs within the hypervisor • Specialized scripting VM • Capabilities • Dynamic probing point installation • Inline execution with the hypervisor • Access to VM state • Access to hypervisor state

  13. VM Introspection - VMware Initiatives Security API’s • Designed for security productization • Agent runs within a VM • Capabilities • Memory access events • Selected CPU events • VM lifecycle events • Access to VM memory & CPU state • Page Table walker

  14. Security APIs (VMsafe)‏ Goals Better than physical Exploit hypervisor interposition to place new security agent Provide security coverage for the VM kernel (and applications)‏ Hypervisor as a Base of Trust Divide responsibilities between the hypervisor and in-VM agent The hypervisor covers the VM kernel, the rest is done from within the VM Insure in-VM security agent execution and correctness Security as an infrastructure service “Agent less” security services for VMs Flexible OS independent solutions Introspection

  15. Verify-Before-Execute Flow Introspection VM Security Agent “Hypervisor” Power On Query VM VM Information Install Triggers Page access event Query CPU & Memory state CPU State & Memory Pages Install / Remove Triggers Power Off

  16. Sample Introspection Agents Verify-Before-Execute Utilize memory introspection to validate all executing pages Flow Trace all pages for execution access On execution detection Trace for page modification Verify if page contain malware Remove execution trace On modification detection Trace for execution Remove modification trace NX NX NX NX NX NX NX NX NX NX / NW NX / NW Is bad? NW NW / NX NX

  17. Security APIs – Use cases VM Kernel coverage Detect infection in early boot process Device opt ROM attacks Boot loader Boot records OS image Detect code injection due to kernel vulnerabilities Detect self modifying code in kernel Lock kernel after initialization Introspection

  18. Case Study - Microsoft Patch Guard Goal Prevent patching of (x64 based) kernels Force ISV to behave nicely Prevent Root-kits ?? Implementation Obfuscated Invocation Obfuscated Persistence Evolving (Thanks to the awesome work from uninformed.org)‏ What's The Problem? Circumventable Complicated Only for x64 based Windows Systems Introspection

  19. Kernel Security Demo “MyPatchGuard” Secure & Isolated Agent Inline enforcement using memory write triggers. Protect Windows XP guest syscalls table Simple. Introspection

  20. Security APIs – Use cases cont’ Watch dog services Liveness check for in-VM security agent Detect agent presence Verify agent periodic execution Protect agent code and static data Introspection

  21. TPM vs. Introspection TPM Root of trust rely on hardware Passive device Platform and software stack decide what to measure Need software update to change measurement coverage Can not detect compromise in software stack since verification Introspection VM Introspection • Root of trust rely on hypervisor • Introspection agent have the initiative • Security vendor / policy dictate what to measure • Coverage is content, and can change independently of VM • Designed to continuously scan VMs and to detect compromise

  22. VMsafe – Network Introspection Capabilities Place an inline network agent on any VM virtual nic Allow reading, injecting, modifying, and dropping packets. Benefits Efficiently monitor inter-VM network communication Integrated support for live migration. Virtualization only applications Correlate VM internals with network policy. (using CPU/ Memory inspections one can learn OS version, patch level, configuration etc)‏ Build a trusted distributed firewall. Introspection

  23. Talk Overview Setup Virtualization 101 Talk Focus VM Introspection Capabilities Sample Use Cases (and demos)‏ Magics Retrospective Security Misc & QA

  24. Retrospective Security Motivation Detect whether you have been attacked in the past Detect if you might be still compromised by a past attack Method VMware Record & Replay allow for a deterministic replay of VM using recorded logs Potentially the recordings have captured an attack The security API’s are detached from the recorded VM (unlike in-VM agent) and can attach to a replay session Magics

  25. Retrospective Security Demo What is it good for? Run more aggressive policies that will not be acceptable in production environments Discover 0days used to exploit your system Learn how the malware / attacker have navigated your system Use data tainting technique to detect any side effects that still exist on your system Possibly clean the finding from last step on your production VM. Learn about the scope of the damage done to your system, i.e. what is the extent of data leakage Magics

  26. Security vs. Hardware Virtualization 1st Generation – SVM, VT-X VMM no longer need to run the VM kernel under binary translation Security Trade off – Code Breakpoint, Guest code patching (while translating), Control flow visibility 2nd Generation – NPT, EPT VMM no longer need to have software based MMU Security Trade off – Tracking LA->PA mapping is becoming expensive, resulting with inability to operate on linear addresses. 3rd Generation – IO MMU, VT-D VMM can assign physical devices to VMs without worry of VM escape or hypervisor corruption Security Trade off – Interposition on the pass-thru device is eliminated Misc

  27. Some New Problems To Solve VM Escape Though impossible by design, the hypervisor can still have implementation vulnerabilities * As more trust is placed in the hypervisor the more motivation there will be to find VM escapes VM escape provide a new “hyper escalation” that never existed before. Misc

  28. Some New Problems To Solve New attacks to consider VMs as malware A malicious VM with the proper isolation configuration can exploit the host system using writable shared folder In a similar way, a VM that is not firewalled properly can easily access the host network or any device reachable by the host network Moral of the story – Handle suspicious VMs with care. Misc

  29. Conclusion Questions? Contact odedh@vmware.com

More Related