Security of Virtual Machines

Report
Virtual Machine Security
Design of Secure Operating Systems
Summer 2012
Presented By: Musaad Alzahrani
Outline
•
•
•
•
•
•
•
Introduction
Virtualization Benefits
Virtualization Architectures
Virtualization Techniques
Security Benefits
Security Vulnerabilities
Conclusion
Introduction
•
•
•
•
Virtualization is abstracting the hardware resources of a machine.
It enables running multiple operating systems on virtual machines on
the same processing hardware.
Each virtual machine behaves like an independent machine.
Virtualization reduces the total number of physical machines and
consolidates several virtual machines on a single physical machine.
•
Virtualization Benefits
Save hardware cost and footprint: virtualization provides the ability to take
advantage of multiple operating systems on one physical PC. This allows us to buy
less hardware and reduce overall system footprint.
•
Take advantage of operating system services: with virtualization it is
possible to take advantage of the capabilities offered by different operating systems
on just one set of hardware.
•
Make use of multicore processors: virtualization software can allow users
to directly assign groups of processor cores to individual operating systems. For
example, if a user wishes to use Linux and a real-time OS, more CPU and memory
resources can be allocated to the real-time OS to optimize performance.
•
Test beta software and maintain the legacy applications:
programmers can test new releases of software without the need for dedicated test
machines. If beta software corrupts a given operating system, a parallel operating
system running on the same computer can still be used for development.
•
Increase system security: virtualization reduces the need for multiple
physical computers that operate at different security levels but are not fully utilized.
Virtualization Software
•
•
•
•
•
To virtualize a given computer, a piece of software called a virtual
machine monitor (hypervisor) must be installed on host OS or
physical hardware.
After this VMM software is installed, individual virtual machines VMs
can be run on the same hardware.
Each virtual machine can run its own operating system (guest OS).
VMM manages guest OS and its interaction with host OS or physical
hardware.
It performs process scheduling, memory management, I/O
management, and network management operations.
Virtualization Architectures
•
•
•
•
•
There are two major virtualization architectures: hosted and bare-metal.
Hosted virtualization: VMM is installed on top of a host operating system such as
Windows
Examples: Oracle VirtualBox, Microsoft Virtual PC and VMWare Workstation
Bare-metal virtualization: VMM is installed directly on hardware for more low-level
access.
Examples: Microsoft Hyper-V, Oracle VM Server(Xen) and Amazon EC2(Xen)
Protection Rings
•
•
•
x86 CPUs provide a range of protection rings in which code can
execute.
Ring 0 has the highest level privilege and is where the operating
system kernel normally runs.
The hypervisor runs directly on the hardware of the host system in
ring 0.
Virtualization Techniques
•
•
Traditional operating system sits directly above the hardware
executing in the ring 0.
In virtualization there are three of the underlying techniques:
Paravirtualization, Full Virtualization without Hardware Assist, and
Full Virtualization with Hardware Assist.
Paravirtualization
•
•
•
Under paravirtualization, the kernel of the guest operating system is
modified specifically to run on the hypervisor.
This involves replacing any privileged operations that will only run in
ring 0 of the CPU with calls to the hypervisor (known as hypercalls)
and the hypervisor in turn performs the task on behalf of the guest
kernel.
This typically limits support to open source operating systems, such
as Linux.
Full Virtualization without Hardware Assist
•
•
•
•
It provides support for unmodified guest operating systems such as
Windows.
The term unmodified refers to operating system kernels which have
not been modified to run on a hypervisor and, therefore, still execute
privileged operations as though running in ring 0 of the CPU.
The hypervisor provides CPU emulation to handle and modify
privileged and protected CPU operations made by unmodified guest
operating system kernels.
This emulation process requires both time and system resources to
operate, resulting in inferior performance levels when compared to
those provided by paravirtualization.
Full Virtualization with Hardware Assist
•
•
•
Hardware virtualization leverages virtualization features built into the
latest generations of CPUs from both Intel and AMD.
These technologies, known as Intel VT and AMD-V, provide
extensions necessary to run unmodified guest virtual machines
without the overheads inherent in full virtualization CPU emulation.
These new processors provide an additional privilege mode below
ring 0 in which the hypervisor can operate essentially, leaving ring 0
available for unmodified guest operating systems.
Security Benefits

Abstraction
•
•
•
•
Hypervisor abstracts the hardware layer and each VM is allocated its own
strictly bounded resources.
This layer of abstraction provides additional security.
Hypervisor is much simpler than traditional OS, So it is much easier to
secure.
Since the attacker does not know details of the host environment,
manipulating and compromising the machine is much more difficult.
Security Benefits..

Isolation
•
•
•
The hypervisors segment physical resources into isolated entities and allow
each guest OS to run independently.
Each VM encapsulates the guest OS and prevents a malicious guest OS from
accessing resources it does not own.
An attack on one VM should not affect any of the other VMs on the server or the
host OS.
Security Benefits..

State restore
•
•
•
•
VMs are able to restore to a previous state.
The contents of the virtual disk for each VM are usually stored as a file on the
host.
Most VMs take a snapshot of the contents of the virtual disk when changes are
made or on a time interval.
When VM is compromised, the hypervisor can remove that VM or restore it to a
state prior to attack.
Security Benefits..

Transience
•
•
•
VMs can be started remotely.
This allows them to be turned on and made available only when needed.
Minimizing how much time a given computer is online is the best deterrent
against malicious attacks, since an offline server cannot be accessed.
Security Benefits..

External monitoring
•
•
•
Since VMs run on a subset of hardware resources, it is possible observe VM
resource usage and detect malicious software from outside the VM.
VMs can be monitored by an authorized dedicated VM that can view software
activity.
The hypervisor can give the dedicated VM permission to view resources
allocated to the monitored VM.
Security Vulnerabilities

VM sprawl
•
•
•
•
•
The biggest vulnerability of virtualization is due to the ease in which users can
create many VMs in a short time.
It becomes very difficult to secure, monitor, and maintain each VM.
Traditional security methods need to be applied to each VM since the guest OS
accesses the network directly.
A compromised VM is a potential entry point for attackers to the hypervisor and
host.
VM sprawl wastes resources and creates more entry points for attackers.
Security Vulnerabilities..

State restore
•
•
•
•
Even though the ability of a VM to restore to a previous state is often considered
a security benefit to protect against data loss, returning to an unpatched or
compromised state is a great danger.
A VM may get a security patch, but if for some reason the user needs to rollback
to a previous state, then the guest OS is no longer patched.
Another concern is returning to a compromised state.
A machine may detect a virus and remove it from the system. If a user returns to
a state prior to virus removal, the virus may exist on the system.
Security Vulnerabilities..

Mobility
•
•
•
Virtual machines are not physical, which means their theft can take place
without physical theft of the host machine.
The contents of the virtual disk for each VM are stored as a file by most
hypervisors, which allows VMs to be copied and run from other physical
machines.
Attackers can copy the VM over the network or to a portable storage media and
access data on their own machine without physically stealing a hard drive.
Security Vulnerabilities..

Hypervisor intrusion
•
•

The hypervisor is a program, running on the host, so if it is compromised, all
VMs it controls and the host itself are accessible to the attacker.
If the host OS is not securely protected, the attacker could corrupt or
externally modify guest OS while the VM is offline.
Hypervisor modification
•
•
•
It does not matter how secure the original hypervisor is if it can be externally
modified to use the attacker’s software.
One attack of this form is known as Virtual Machine Based Root Kits
(VMBR).
In this attack, the hypervisor’s system calls to the host OS are changed to
run malicious code.
Security Vulnerabilities..

Communication
•
•
•
Attackers can use one VM to access or control other VMs on the same
hypervisor.
A malicious VM can potentially access other VMs through shared memory,
network connections, and other shared resources.
For example, if a malicious VM determines where another VM’s allocated
memory lies, then it could read or write to that location and interfere with the
other’s operation.
Security Vulnerabilities..

Denial of service
•
An improperly configured hypervisor can allow a single VM to consume all
resources, thus starving any other VM running on the same physical machine.
Conclusion
•
•
•
•
Virtualization allows multiple OS installations to share the same
hardware resources.
The hypervisor manages these resources and to create the virtual
environment for each guest OS.
When virtualizing a machine, either hosted or bare-metal virtualization
can be used.
At a low level, these architectures depend on techniques such as
paravirtualization, full virtualization without hardware assist, and full
virtualization with hardware assist to accomplish virtualization.
Conclusion..
•
•
•
The hypervisor provides an additional layer of abstraction from
physical hardware.
This abstraction encapsulates malicious attacks and allows external
monitoring for malicious attacks on a VM.
Virtualization itself is not inherently unsecured; it is a new technology
that potentially has new vulnerabilities and requires restructuring of
manual security processes.
References
•
•
•
•
•
On state of the art in virtual machine security: Qian Chen; Mehrotra,
R.; Dubeyy, A.; Abdelwahed, S.; Rowland, K. Southeastcon, 2012
Proceedings of IEEE Digital Object Identifier:
10.1109/SECon.2012.6196905, Publication Year: 2012, Page(s): 1 - 6
http://www.cse.wustl.edu/~jain/cse571-09/ftp/vmsec/index.html
http://www.ni.com/white-paper/8708/en
http://www.ni.com/white-paper/8709/en
http://itechthoughts.wordpress.com/tag/paravirtualization/
Thank you for listening
Questions?

similar documents