Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Virtual Machine Security • Design of Secure Operating Systems • Summer 2012 • Presented By: MusaadAlzahrani
Outline • Introduction • Virtualization Benefits • Virtualization Architectures • Virtualization Techniques • Security Benefits • Security Vulnerabilities • Conclusion
Introduction • Virtualization is abstracting the hardware resources of a machine. • It enables running multiple operating systems on virtual machines on the same processing hardware. • Each virtual machine behaves like an independent machine. • Virtualization reduces the total number of physical machines and consolidates several virtual machines on a single physical machine.
Virtualization Benefits • Save hardware cost and footprint: virtualization provides the ability to take advantage of multiple operating systems on one physical PC. This allows us to buy less hardware and reduce overall system footprint. • Take advantage of operating system services:with virtualization it is possible to take advantage of the capabilities offered by different operating systems on just one set of hardware. • Make use of multicore processors: virtualization software can allow users to directly assign groups of processor cores to individual operating systems. For example, if a user wishes to use Linux and a real-time OS, more CPU and memory resources can be allocated to the real-time OS to optimize performance. • Test beta software and maintain the legacy applications: programmers can test new releases of software without the need for dedicated test machines. If beta software corrupts a given operating system, a parallel operating system running on the same computer can still be used for development. • Increase system security: virtualization reduces the need for multiple physical computers that operate at different security levels but are not fully utilized.
Virtualization Software • To virtualize a given computer, a piece of software called a virtual machine monitor (hypervisor) must be installed on host OS or physical hardware. • After this VMM software is installed, individual virtual machines VMs can be run on the same hardware. • Each virtual machine can run its own operating system (guest OS). • VMM manages guest OS and its interaction with host OS or physical hardware. • It performs process scheduling, memory management, I/O management, and network management operations.
Virtualization Architectures • There are two major virtualization architectures: hosted and bare-metal. • Hosted virtualization: VMM is installed on top of a host operating system such as Windows • Examples: Oracle VirtualBox, Microsoft Virtual PC and VMWare Workstation • Bare-metal virtualization: VMM is installed directly on hardware for more low-level access. • Examples: Microsoft Hyper-V, Oracle VM Server(Xen) and Amazon EC2(Xen)
Protection Rings • x86 CPUs provide a range of protection rings in which code can execute. • Ring 0 has the highest level privilege and is where the operating system kernel normally runs. • The hypervisor runs directly on the hardware of the host system in ring 0.
Virtualization Techniques • Traditional operating system sits directly above the hardware executing in the ring 0. • In virtualization there are three of the underlying techniques: Paravirtualization, Full Virtualization without Hardware Assist, and Full Virtualization with Hardware Assist.
Paravirtualization • Under paravirtualization, the kernel of the guest operating system is modified specifically to run on the hypervisor. • This involves replacing any privileged operations that will only run in ring 0 of the CPU with calls to the hypervisor (known as hypercalls) and the hypervisor in turn performs the task on behalf of the guest kernel. • This typically limits support to open source operating systems, such as Linux.
Full Virtualization without Hardware Assist • It provides support for unmodified guest operating systems such as Windows. • The term unmodified refers to operating system kernels which have not been modified to run on a hypervisor and, therefore, still execute privileged operations as though running in ring 0 of the CPU. • The hypervisor provides CPU emulation to handle and modify privileged and protected CPU operations made by unmodified guest operating system kernels. • This emulation process requires both time and system resources to operate, resulting in inferior performance levels when compared to those provided by paravirtualization.
Full Virtualization with Hardware Assist • Hardware virtualization leverages virtualization features built into the latest generations of CPUs from both Intel and AMD. • These technologies, known as Intel VT and AMD-V, provide extensions necessary to run unmodified guest virtual machines without the overheads inherent in full virtualization CPU emulation. • These new processors provide an additional privilege mode below ring 0 in which the hypervisor can operate essentially, leaving ring 0 available for unmodified guest operating systems.
Security Benefits • Abstraction • Hypervisor abstracts the hardware layer and each VM is allocated its own strictly bounded resources. • This layer of abstraction provides additional security. • Hypervisor is much simpler than traditional OS, So it is much easier to secure. • Since the attacker does not know details of the host environment, manipulating and compromising the machine is much more difficult.
Security Benefits.. • Isolation • The hypervisors segment physical resources into isolated entities and allow each guest OS to run independently. • Each VM encapsulates the guest OS and prevents a malicious guest OS from accessing resources it does not own. • An attack on one VM should not affect any of the other VMs on the server or the host OS.
Security Benefits.. • State restore • VMs are able to restore to a previous state. • The contents of the virtual disk for each VM are usually stored as a file on the host. • Most VMs take a snapshot of the contents of the virtual disk when changes are made or on a time interval. • When VM is compromised, the hypervisor can remove that VM or restore it to a state prior to attack.
Security Benefits.. • Transience • VMs can be started remotely. • This allows them to be turned on and made available only when needed. • Minimizing how much time a given computer is online is the best deterrent against malicious attacks, since an offline server cannot be accessed.
Security Benefits.. • External monitoring • Since VMs run on a subset of hardware resources, it is possible observe VM resource usage and detect malicious software from outside the VM. • VMs can be monitored by an authorized dedicated VM that can view software activity. • The hypervisor can give the dedicated VM permission to view resources allocated to the monitored VM.
Security Vulnerabilities • VM sprawl • The biggest vulnerability of virtualization is due to the ease in which users can create many VMs in a short time. • It becomes very difficult to secure, monitor, and maintain each VM. • Traditional security methods need to be applied to each VM since the guest OS accesses the network directly. • A compromised VM is a potential entry point for attackers to the hypervisor and host. • VM sprawl wastes resources and creates more entry points for attackers.
Security Vulnerabilities.. • State restore • Even though the ability of a VM to restore to a previous state is often considered a security benefit to protect against data loss, returning to an unpatched or compromised state is a great danger. • A VM may get a security patch, but if for some reason the user needs to rollback to a previous state, then the guest OS is no longer patched. • Another concern is returning to a compromised state. • A machine may detect a virus and remove it from the system. If a user returns to a state prior to virus removal, the virus may exist on the system.
Security Vulnerabilities.. • Mobility • Virtual machines are not physical, which means their theft can take place without physical theft of the host machine. • The contents of the virtual disk for each VM are stored as a file by most hypervisors, which allows VMs to be copied and run from other physical machines. • Attackers can copy the VM over the network or to a portable storage media and access data on their own machine without physically stealing a hard drive.
Security Vulnerabilities.. • Hypervisor intrusion • The hypervisor is a program, running on the host, so if it is compromised, all VMs it controls and the host itself are accessible to the attacker. • If the host OS is not securely protected, the attacker could corrupt or externally modify guest OS while the VM is offline. • Hypervisor modification • It does not matter how secure the original hypervisor is if it can be externally modified to use the attacker’s software. • One attack of this form is known as Virtual Machine Based Root Kits (VMBR). • In this attack, the hypervisor’s system calls to the host OS are changed to run malicious code.
Security Vulnerabilities.. • Communication • Attackers can use one VM to access or control other VMs on the same hypervisor. • A malicious VM can potentially access other VMs through shared memory, network connections, and other shared resources. • For example, if a malicious VM determines where another VM’s allocated memory lies, then it could read or write to that location and interfere with the other’s operation.
Security Vulnerabilities.. • Denial of service • An improperly configured hypervisor can allow a single VM to consume all resources, thus starving any other VM running on the same physical machine.
Conclusion • Virtualization allows multiple OS installations to share the same hardware resources. • The hypervisor manages these resources and to create the virtual environment for each guest OS. • When virtualizing a machine, either hosted or bare-metal virtualization can be used. • At a low level, these architectures depend on techniques such as paravirtualization, full virtualization without hardware assist, and full virtualization with hardware assist to accomplish virtualization.
Conclusion.. • The hypervisor provides an additional layer of abstraction from physical hardware. • This abstraction encapsulates malicious attacks and allows external monitoring for malicious attacks on a VM. • Virtualization itself is not inherently unsecured; it is a new technology that potentially has new vulnerabilities and requires restructuring of manual security processes.
References • On state of the art in virtual machine security: Qian Chen; Mehrotra, R.; Dubeyy, A.; Abdelwahed, S.; Rowland, K. Southeastcon, 2012 Proceedings of IEEE Digital Object Identifier: 10.1109/SECon.2012.6196905, Publication Year: 2012, Page(s): 1 - 6 • http://www.cse.wustl.edu/~jain/cse571-09/ftp/vmsec/index.html • http://www.ni.com/white-paper/8708/en • http://www.ni.com/white-paper/8709/en • http://itechthoughts.wordpress.com/tag/paravirtualization/