blackhat-beta-slides - Garfinkel.pptx by AaronTevis


									Taking the Hype Out of
      Tal Garfinkel
What is Virtualization?
        Virtual Machine Monitor
• Thin layer of software that virtualizes the hardware
   – Exports a virtual machine abstraction that looks like the

                        App     App     App     App     App
   Guest OS
                         O     ti        O
                                               ti        O     ti
    Virtual               System          System          System
    Machine                   Virtual Machine Monitor (VMM)
        Virtual Machine Monitor
              p        y
• Software Compatibility
   – hardware compatible enough
• Low overheads/High performance
   – Near “raw” machine performance
   – Direct execution of CPU/MMU.
• Complete isolation
     Total d t i l ti between virtual machines
   – T t l data isolation b t  it l      hi
   – Use hardware protection.
• Encapsulation
   – Virtual hardware state are not tied to physical machines
   – Suspend/Resume, Rollback, Migrate, etc.
      Old idea from the 1960s
• IBM VM/370 – A VMM for IBM mainframe
  – Multiplex multiple OS environments on expensive
  – Desirable when few machine around
• Interest died out in the 1980s and 1990s.
  – Hardware got cheap
  – Compare Windows NT verses N DOS machines
            g g         y
• Interesting again today
  – Difference problems today – software management
  – VMM attributes still relevant
     Rapid Adoption Ensued
• Massive growth in enterprise market

  Also   l for
• Al popular f
  – Security
  – Test and Dev
  – Education
Are these the same technology?
Or these..
    What makes Virtual Machines
            Diff     ?
• Runs existing operating systems/applications
  – Still behaves like a normal machine (security,
    management, etc.)

• Encapsulates all machine state (can be copied,
  rolled-back, shared)
  – Also behaves like a file
                  The Problem

              g     y p       g
• VMs are organically replacing traditional
• Different usage models
   – Break existing security/management approaches

• Different functional properties
   – Break existing security mechanisms (e.g. access
     control crypto)

• Unfortunately, still viewed as normal machines
            The Rest of the Talk
•             g ,             p            y
     What changes, how this impacts security…
    1.   Rapid growth in # of machines
    2.   Increased diversity
    3.   Increased transience
    4.   Increased mobility
    5.   Lack of identity
    6.   Complex lifecycle (e.g. rollback, snapshots)

•    Safely supporting these new properties
    –    How can we re-structure systems to safely provide
         these features
What Changes with VMs
    Traditional Environments: Slow
              di bl       li
           predictable scaling


# of physical machines is ultimately limited by capital
equipment budget

•Long setup times
•Usage model is of few general purpose machines
           Virtual Environments:
               Rapid Scaling
               R id S li
•Rapid replication is possible…
  •# of VMs bounded only by available disk space

   •Copying, sharing, specialization

•Result: Management overload
  •Management rarely totally automated
  •Can greatly magnify catastrophe (e.g. worms)
Traditional Environments: Enforced
            h        i
• IT Department ideal
   – Common OS/Management software everywhere (e.g.
     WinXP service pack foo, latest patches, LANDesk),
   – Central admin control
   – Sounds nice e.g. patch management/account

• Difficult to maintain
   – Makes upgrades painful
   – Conflicts with users: just want to get stuff done
  Virtual Environments: Encourage
               Di    i
    pp            g
• Support wide range of uses
   – Ease upgrade cycle (multiple OS versions concurrently)
   – Different OS versions for testing
   – Task specific VMs (                        ),              p
                         (build environment/demo), VMs as a script
     (infrequent use/specialized)
   – Application specific OSes

• Kills traditional management infrastructure
   –   N versions of everything
   –                                       (patches…what
       Potentially outdated versions of OS (patches what patches?)
   –   Lack of admin control
   –   Infrequent use provides less incentive to break stuff with
     Traditional Environments:
    Relatively Stable     l i
    R l i l S bl population
• General assumptions
  – Machines almost always online
  – Relatively little churn

• Some exceptions
  – Laptops
  – Dual boot
  – Generally not the common case
    Virtual Environments: Highly
        Transient Population
        T     i   P   l i
• Machines frequently offline for extended

• Many used highly sporadically

     g        portion of p p
• Significant p                       y
                         population may be
Unpleasant Interactions with
     Malicious C d
     M li i     Code
I f ti Profile i T diti      l Environment
Infection P fil in Traditional E i       t

Infection Profile in Virtual Environment
  Virtual Environments: Increased
               M bili
• Traditional Environments
  – Mobility = Laptop (or someone switches
  – Most machines live in a place, with a person

• Virtual Environments are highly mobile
      py your VM over the network
  – Copy y
  – Put it on a USB key chain
            g             (e.g.              )
  – Hot migrate it around ( g Xen, VMware ESX)
             VMs on the Go
• Dynamic network topology
  – Hard on firewalls

• Expanded TCB – harder to answer
  important questions
  – Where has your VM been?
  – Do you know where your sensitive data is?

• Easy data theft
        Whose VM is this again?
• Lack of traditional identify
    – Office number, port-number, MAC address?

• Lack of ownership
    – Who owns this machine that is attacking the network?

•   Lack of ownership history
    – Who made what changes

• Physical ownership does not imply VM ownership
    – Can’t just go around shutting down ports
Virtual Environments: Complex
           Lif    l

  Software lifecycle on normal platforms is (mostly)linear...
  S ft     lif    l          l l tf      i (    tl )li

On virtual platforms its more tree like due to snapshots, rollback, etc.
 And its charming implications for
• Many protection mechanisms dislike being
  rolled back
                    (e.g.         rules,
  – Access controls (e g firewall rules file
  – User accounts
  – Patches
    Implications for Crypto are Even
              Less Pl
              L    Pleasant
•   Many protocols assume a given
    transaction has not been seen before.

•   Unfortunately, we can’t rollback an
    attackers memory

Trivial Example:
    One-time passwords (e.g. S/Key),
    attacker can easily replay old passwords
           More Crypto Fun
•   Many protocols rely on the use of ``fresh’’
       d        b
    random numbers f k                        these
                      for keys or nonces, if th
    values are not fresh, the protocol is vulnerable

This could:
•   Break a stream cipher (if R is the session key)
•   Allow TCP hijacking (if R is the initial sequence
•   Leak the secret signing key in DSS (if R is used to
    generate signatures)
•   Other bad things™(see paper for details)
Towards more secure virtual
 Provide a ubiquitous management

• Treat VMs as more than just a collection of bits

• Do VM access control, mobility control, etc. at
  this layer

• Run services along side VMs in separate
                      (backup, firewall, anti-virus,
  protections domains (backup firewall anti virus
  Big Theme: Move security and
                    f h
   management out of the VM
• Separate management and use
  – Allow Delegation of management
  – Users want functionality, not to play sys-

• Support VM management offline
  – e.g. periodic security scanning/patching of
    offline VMs
  – Management sandbox
  Aim for Guest OS independence
                   p                p
• Fire wall, backup, anti-virus, help-desk, etc. can
  all run along side guests
• Patching can sometimes be replaced by
  vulnerability specific filters

• Eliminates redundant infrastructure

  Support richer set operating systems
• S        i h             i
   – out of date software
   – Specialized OSes
      Lifecycle independence
• Some stuff can be moved out of VM
  – Guest OS independent stuff can be built roll back

• Other stuff just needs to be re-engineered
  – Replace ZKPK based signatures (DSS) with safe
    equivalents (e.g. RSA)
    Instrument applications to refresh randomness on
  –I t         t   li ti     t   f h      d
  – Virtualized source of randomness
Wrapping up
          Recent Approaches
                            y      (     ,
• Virtualization Aware Filesystems (Pfaff,
  Garfinkel, Rosenblum 06)
  – Replace virtual disks with file system
    Provide      like    i i
  – P id VM lik versioning semantics    ti
  – Fine grain control over rollback, persistence, sharing,
  – Benefits for ease of management
• “Extreme Paravirtualization” (Pfaff & Rosenblum
     in b i i )
  -- i submission)
  – Run network stack and FS in separate VM
                 modularity security,
  – Benefits for modularity, security performance
     Similar problems in existing
                l f
• Examples:
  – hibernation and suspend/resume
  – Windows restore
  – Mobility in laptops
  Laptops are a notorious problem already
• L t             t i        bl    l d
• USB drives the new problem child
• VMs can exhaserbate these issues
                               y     g
• Virtual machines can radically change how
  computers are used
  – From a usage/management perspective
    For     t     d    li ti
  – F guest OS and applications

• We can t simply drop VMs into existing
  environments without adverse consequences

• Serious attention is needed to understand how
  these changes will impact security

To top