
Virtualization and Security Architecture Boundaries

Presentation Transcript

  1. Virtualization and Security Architecture Boundaries

  2. <Introduction>

  3. What Is Virtualization?
      “Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.”
      http://www.kernelthread.com/publications/virtualization/

  4. What Is Virtualization?
      “Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.”
      http://www.kernelthread.com/publications/virtualization/
      Abstraction of OS from HARDWARE

  5. Virtualization Is Important
      Specifics vary by organization, but there are always opportunities that can't be ignored

  6. Virtualization Affects Architecture
      Changes how security boundaries are enforced

  7. Security Boundaries?
      You do...
      • Classify data and systems
      • Partition data and systems of different classifications
      Right?
      http://www.flickr.com/photos/benimoto/2913950616/

  8. Physical Boundaries

  9. Virtual Boundaries (Isolation)

  10. OS-Enforced Boundaries
      • User accounts
      • File-system permissions

  11. Drawing The Line
      • No right answer; it depends on what boundaries you trust your virtual infrastructure to enforce
      • One wrong answer is to abandon defense in depth and rely solely on virtual boundaries
      • Your answer must balance risk and opportunity in a way that is right for your organization

  12. </Introduction>

  13. <Terminology>

  14. Beyond VMWare: A Taxonomy
      Hardware Partitioning
      • Expensive, no x86 hardware
      • Isolation tightly coupled to hardware capabilities
      • Inflexible, often static resource assignment
      • Examples: IBM LPARs, Sun Dynamic System Domains
      • High-strength guest isolation

  15. Beyond VMWare: A Taxonomy
      Software Partitioning
      • Inexpensive, available on x86
      • Isolation provided by software VMM
      • Flexible and dynamic resource sharing
      • Examples: VMWare, Xen, KVM
      • Medium-strength guest isolation

  16. Beyond VMWare: A Taxonomy
      Single-Kernel Partitioning
      • Inexpensive, available on x86
      • Isolation provided by a single shared kernel
      • Automatic resource sharing
      • Examples: chroot jails, BSD jails, Sun Zones/Containers
      • Low-strength guest isolation

  17. Attacking Virtualized Environments
      Jailbreaks and Escapes
      • Only possible in virtualized environments
      • Exploit device virtualization code or legitimate communication infrastructure (like VMWare Tools)
      • Success results in the ability to execute code on the host, or to read/write memory which is not allocated to the guest

  18. Attacking Virtualized Environments
      Jailbreaks and Escapes
      • Tavis Ormandy performed fuzzing of I/O devices and program instruction streams, and found crash bugs in every virtualization platform tested
      • Escape vulnerability for ESX announced on 4/10/2009 in CVE-2009-1244; Immunity weaponized it for Workstation

  19. Attacking Virtualized Environments
      Migration Attacks
      • Only possible in virtualized environments
      • Exploit weak or missing confidentiality and integrity controls on guest migration facilities
      • Success results in compromise of the guest being migrated or disclosure of information

  20. Attacking Virtualized Environments
      Migration Attacks
      • Xensploit, developed at the University of Michigan, can trojan guests in transit during VMWare and Xen live migrations
      • Successfully stripped the requirement for authentication from a live sshd process

  21. Attacking Virtualized Environments
      Client-Side Attacks
      • Not unique to virtualized environments
      • Exploit common desktop software like browsers, plugins, media players, etc.
      • Success results in the ability to execute code on the workstation; payloads leveraging the Virtual Infrastructure Client or API could have a very large scope

  22. Attacking Virtualized Environments
      Network Service Attacks
      • Not unique or different in virtualized environments
      • Exploit a listening service
      • Success typically results in the ability to execute code on the guest or host running the service

  23. Attacking Virtualized Environments
      Encryption Attacks
      • Easier in virtualized environments
      • Attackers leverage side-channel attacks, replay attacks, and key-sniffing during live migration
      • Success results in unauthorized decryption

  24. </Terminology>

  25. <Best Practices>

  26. Classify Classify Classify...
      • Data according to the risk of a breach of CIAA
      • Guests according to the data they handle
      • Hosts according to the guests that run on them
      • Networks according to the hosts they connect
      • Storage according to the data it houses
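The chain on this slide (data → guest → host → network, data → storage) is mechanical enough to compute. The following is an added example, not material from the presentation: it propagates classifications up a small constructed inventory and then lists every shared resource that ends up carrying more than one class, since those are exactly the places where you are trusting a VMM, vSwitch or datastore boundary rather than physical partitioning (slides 7 and 11). The level names, the `Guest` record and the inventory are assumptions made for the example.

```python
"""Propagate data classifications up the stack the slide describes
(data -> guest -> host -> network; data -> datastore) and report every shared
resource that ends up carrying more than one class. Added example; the
inventory below is constructed and the level names are an assumption."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Least to most sensitive; substitute your own scheme.
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Guest:
    name: str
    host: str            # ESX host it runs on
    datastore: str       # where its virtual disks live
    networks: List[str]  # port groups it attaches to
    data: List[str]      # classification of each dataset it handles


def highest(levels) -> str:
    return max(levels, key=RANK.__getitem__)


def lowest(levels) -> str:
    return min(levels, key=RANK.__getitem__)


def carried_classes(guests: List[Guest]) -> Dict[str, Dict[str, Set[str]]]:
    """For every resource, the set of classifications it carries."""
    carried = {kind: defaultdict(set)
               for kind in ("guest", "host", "network", "datastore")}
    for g in guests:                       # data -> guest, data -> datastore
        carried["guest"][g.name].update(g.data)
        carried["datastore"][g.datastore].update(g.data)
    for g in guests:                       # guest -> host (needs all guests first)
        carried["host"][g.host].add(highest(carried["guest"][g.name]))
    for g in guests:                       # host -> every network the host touches
        for net in g.networks:
            carried["network"][net].add(highest(carried["host"][g.host]))
    return carried


def classify(guests: List[Guest]) -> Dict[str, Dict[str, str]]:
    """Each resource is classified at the highest level it carries."""
    return {kind: {name: highest(lv) for name, lv in by_name.items()}
            for kind, by_name in carried_classes(guests).items()}


def mixed_boundaries(guests: List[Guest]) -> Dict[str, Tuple[str, str]]:
    """Resources where a single virtual boundary (VMM, vSwitch, datastore)
    separates different classes, with the (lowest, highest) spread so the
    widest gaps can be reviewed first. Guests are skipped: a guest handling
    two classes is a data-handling question, not an isolation boundary."""
    out = {}
    for kind, by_name in carried_classes(guests).items():
        if kind == "guest":
            continue
        for name, lv in by_name.items():
            if len(lv) > 1:
                out[f"{kind}:{name}"] = (lowest(lv), highest(lv))
    return out


# Constructed inventory: a web front end co-resident with a restricted DB.
INVENTORY = [
    Guest("web01", "esx01", "ds-shared", ["dmz"], ["public", "internal"]),
    Guest("db01", "esx01", "ds-shared", ["backend"], ["restricted"]),
    Guest("app01", "esx02", "ds-app", ["backend"], ["confidential"]),
    Guest("app02", "esx02", "ds-app", ["backend"], ["confidential"]),
]

if __name__ == "__main__":
    for kind, by_name in classify(INVENTORY).items():
        print(kind, by_name)
    for boundary, (lo, hi) in mixed_boundaries(INVENTORY).items():
        print(f"{boundary}: {lo} shares a boundary with {hi}")
```

Two results of the sample are worth noticing. The host esx01 becomes "restricted" because of db01, and that classification then flows to the DMZ port group even though only the internal-class web guest attaches to it; that is the slide's chain working as intended. The mixed list (esx01, the backend network, the shared datastore) is the short list of boundaries whose strength, per the taxonomy slides, you are actually depending on.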

  27. Who Do You Trust?

  28. Harden Virtual Infrastructure
      • VMWare Security Hardening Whitepaper
      • Center for Internet Security ESX Server Benchmark
      • Tripwire ConfigCheck

  29. Harden Virtual Infrastructure
      • Remove unnecessary virtual hardware from guests
      • Disable copy/paste, mouse-takeover, file-sharing
      • Send logs to a non-virtual remote host
      • Reject MAC changes and forged transmissions
      • Do not create a “Default Port Group”
      • Use signed certs for Virtual Infrastructure clients
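The first two items on this slide are guest-level settings that live in the guest's .vmx file, so they can be audited and corrected without touching the host. The following is an added example, not code from the presentation or from VMware: it parses a constructed .vmx, flags the copy/paste, drag-and-drop and shared-folder isolation keys that VMware's hardening guidance documents (absent keys count as findings, because the features are on by default) plus virtual devices a server guest rarely needs, and emits a corrected file. Mouse-takeover, remote logging and the vSwitch items are host or console settings and are not covered here.

```python
"""Audit a VMware .vmx guest configuration for some of the hardening items
on the slide: copy/paste/drag-and-drop and shared-folder isolation, and
unnecessary virtual hardware. Added example; the .vmx text is constructed."""
import re
from collections import namedtuple
from typing import Dict, List, Optional

# One .vmx line looks like:   isolation.tools.copy.disable = "TRUE"
VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')

# Guest-isolation keys from VMware's hardening guidance. When a key is absent
# the feature is on by default, so "missing" is a finding, not a pass.
ISOLATION_SETTINGS = [
    ("isolation.tools.copy.disable", "TRUE", "copy from guest to console"),
    ("isolation.tools.paste.disable", "TRUE", "paste from console into guest"),
    ("isolation.tools.dnd.disable", "TRUE", "drag-and-drop file transfer"),
    ("isolation.tools.hgfsServerSet.disable", "TRUE", "VMware Tools shared folders (HGFS)"),
]

# Devices that rarely belong on a server guest; each one is host-side
# device-emulation code reachable from inside the guest.
UNNEEDED_DEVICES = ["floppy0.present", "serial0.present", "parallel0.present",
                    "usb.present", "sound.present"]

Finding = namedtuple("Finding", "key actual expected reason")


def parse_vmx(text: str) -> Dict[str, str]:
    """Key/value pairs of a .vmx file, original key spelling preserved."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def lookup(cfg: Dict[str, str], key: str) -> Optional[str]:
    """.vmx keys are matched case-insensitively."""
    for k, v in cfg.items():
        if k.lower() == key.lower():
            return v
    return None


def audit_vmx(text: str) -> List[Finding]:
    cfg = parse_vmx(text)
    findings = []
    for key, expected, feature in ISOLATION_SETTINGS:
        actual = lookup(cfg, key)
        if actual is None or actual.upper() != expected:
            findings.append(Finding(key, actual, expected,
                                    f"{feature} is enabled (default when unset)"))
    for key in UNNEEDED_DEVICES:
        actual = lookup(cfg, key)
        if actual is not None and actual.upper() == "TRUE":
            findings.append(Finding(key, actual, "FALSE",
                                    "unnecessary virtual hardware exposed to the guest"))
    return findings


def harden_vmx(text: str) -> str:
    """Corrected .vmx text: every original line is kept, offending values are
    rewritten in place, and isolation keys that were missing are appended."""
    pending = {f.key.lower(): f for f in audit_vmx(text)}
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in pending:
            f = pending.pop(m.group(1).lower())
            out.append(f'{m.group(1)} = "{f.expected}"')
        else:
            out.append(line)
    for f in pending.values():          # keys absent from the original file
        out.append(f'{f.key} = "{f.expected}"')
    return "\n".join(out) + "\n"


# Constructed sample: a typical default-ish guest before hardening.
WEAK_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.networkName = "DMZ"
floppy0.present = "TRUE"
serial0.present = "TRUE"
usb.present = "TRUE"
sound.present = "TRUE"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "FALSE"
"""

if __name__ == "__main__":
    for f in audit_vmx(WEAK_VMX):
        print(f"{f.key}: found {f.actual!r}, want {f.expected} ({f.reason})")
    print("--- hardened ---")
    print(harden_vmx(WEAK_VMX))
```

On the sample the audit reports eight findings: the two isolation keys set to FALSE, the two that are simply missing, and four present-but-unneeded devices; running the audit again over the hardened output returns nothing. Treating "missing" as a finding is the point of the check: a guest that has never had the isolation keys set looks clean to a grep for FALSE.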

  30. Segregate Insecure Networks
      • Management
      • VMotion
      • Storage

  31. Watch VMSafe
      • Out-of-band enforcement + host-awareness
      • Has performance/capacity implications
      • Provides...
        • Process/memory inspection
        • Network traffic inspection
        • Storage inspection

  32. </Best Practices>

  33. <Challenges>

  34. Network Proliferation

  35. Insecure Storage and VMotion
      • If an attacker accesses a backend network, game over
      • Management network has improved
      • VMotion and storage not on product roadmaps

  36. Open Questions
      • Enforcing boundaries within virtual infrastructure
      • Resiliency against compromised hosts
      • Security sensors and monitoring
      • Changing organizational responsibilities and reduced checks and balances

  37. </Challenges>

  38. Wrapping Up
      • Not all gloomy: virtualization provides security opportunities as well
      • ESX has had escape vulnerabilities announced, just not weaponized into exploits
      • Insecure backend protocols make meaningful boundaries within a virtualization environment difficult or impossible

  39. References
      Taxonomy
      • http://www.softpanorama.org/VM/index.shtml
      Attacks
      • http://searchsecurity.bitpipe.com/detail/RES/1213273947_134.html
      • www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
      • http://taviso.decsystem.org/virtsec.pdf
      Hardening
      • http://www.vmware.com/security/resources/configcheck.html
      • http://www.cisecurity.org/bench_vm.html
      • iase.disa.mil/stigs/draft-stigs/Virtual-Computing-STIG-V1R01.doc
      More Info
      • http://download3.vmware.com/vmworld/2005/sln138.pdf