performant security hardening
play

Performant Security Hardening Steve Rutherford - PowerPoint PPT Presentation

Feb 04, 2024 •451 likes •884 views

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

  1. Performant Security Hardening Steve Rutherford (srutherford@google.com) Google’s Virtualization Security Team 1

  2. Preface This talk is x86 and KVM centric 2

  3. Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening Instruction Emulator 3

  4. Threat Model Untrusted Users with Code Execution in VM ○ E.g. Google Compute Engine Guest triggerable bugs are the biggest concern: ○ Guest Triggerable DoS of Host (e.g. x2APIC fallthrough: CVE-2016-4440) ○ Guest Escape into Host (e.g. PUSHA emulation: CVE-2014-0049) ○ Information Leaks to Guest (e.g. MSR 0x2F8: CVE-2016-3713) There have been 41 guest triggerable CVEs since 2009 4

  5. Historical Security Strategy Code auditing and fuzz testing Fairly successful Found about 15 CVEs in KVM 5

  6. Goal Reduce KVM’s Guest Accessible Attack Surface … without impacting performance. 6

  7. Guest Accessible Attack Surface Any privileged code with an interface accessible to the guest Ways of estimating: Lines of code Pages of specification # of Historical CVEs 7

  8. Attack Surface Reduction Reduce the amount of guest accessible attack surface Reduce the privilege of guest accessible attack surface 8

  9. Why Put Code in Userspace? Lower Privilege: Syscall boundary between userspace and kernel Exploit Mitigations and Sandboxing are more easily deployed in userspace (ASLR, AppArmor, seccomp-bpf, …) 9

  10. Why Not Put Code in Userspace? Performance. Userspace devices require KVM Exits Higher Latency Lower Throughput 10

  11. What can be moved to Userspace? Code that’s complex, slow, and rarely used , but necessary. Legacy Devices e.g. PIC, PIT, I/OAPIC “Edge-Case” Handlers e.g. Instruction Emulator, MSR handling 11

  12. Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening Instruction Emulator 12

  13. What’s the Irqchip? KVM uses the term irqchip to refer to the interrupt controllers i.e. the PIC, I/OAPIC and APIC for x86 KVM has supports both userspace and kernel irqchips The kernel irqchip provides a significant perf boost over userspace irqchip 13

  14. Split Irqchip Take the best of Userspace and Kernel Irqchips The PIC and I/OAPIC aren’t used often by modern VMs … … but the APIC is. So move the PIC and I/OAPIC up to userspace , and add necessary API to communicate between userspace and the in-kernel APIC 14

  15. P rogrammable I nterrupt C ontroller Interrupt controller that maps directly from GSI to interrupt Can’t live without it Necessary for real mode interrupts (16-bit) during early boot Allows legacy devices like the RTC and the PIT to send interrupts Masked early in boot and replaced by the I/OAPIC 15

  16. Why worry about the PIC? Medium attack surface ~1% of x86 KVM (by LoC), 24 page spec Complex API Tons of modes: AutoEOI vs EOI, Auto vs specific rotate… Non-trivial amount of unspecified behavior 16

  17. Why not keep the PIC in KVM? Rarely Used Indefinitely masked during boot of every common OS Slow Already requires VMEXITs and instruction emulation 17

  18. Necessary Interface Send local interrupts from userspace Updated existing kvm_vcpu ioctl KVM_INTERRUPT Added support for userspace interrupt windows with in-kernel APIC Hijack fields normally used by userspace irqchip 18

  19. I/OAPIC Global Interrupt Controller: Configurable mapping from level and edge-triggered GSIs to APIC interrupts. T.L.D.R.: PIC for Multicore Necessary for any non-MSI-supporting (INTx) device (PIT, RTC, …) Devices using MSIs bypass the I/OAPIC 19

  20. Why worry about the I/OAPIC? CVE-2013-1798 Arbitrary Read “Guarded” by an Assert CVE-2014-0155 Denial of Service via invalid Redirect Table Entry Complexity >1% of x86 KVM (810 LoC), 20 page spec 20

  21. Why not keep the I/OAPIC in KVM? Performance degradation for INTx Level-triggered EOIs now go to userspace Performance degradation for I/OAPIC reads and writes VMEXITs for the I/OAPIC are now also KVM_EXITs … But performance sensitive devices are likely using MSI/MSIx already 21

  22. Necessary Interface Send Interrupts to APICs Available via kernel GSI routing table and kvm_set_irq Added EOI KVM exit Made the EOI Exit Bitmap configurable by userspace Via configurable range in GSI routing table 22

  23. P rogrammable I nterval T imer Fixed frequency timer with multiple counters Commonly used to calibrate other timers/counters 23

  24. Why worry about the PIT? CVE-2015-3214 PIT Out of Bound memory access Other CVEs 3x Denial of Service Complexity >1% of x86 KVM (804 LoC), 21 page spec 24

  25. Why not keep it in the kernel? Rarely Used Typically only used during boot Slow Reads and writes already require VMEXITs and instruction emulation 25

  26. Current Hardening Results Moves 4-5% of KVM into userspace and the sources of 6/41 guest triggerable CVEs since 2009 Negligible performance impact for Modern VMs 26

  27. Disk Random Read kIOPs (Modern/MSIx) 27

  28. How Modern is a Modern VM? Performance critical devices (e.g. disk, network) need MSI support Necessary to skip the I/OAPIC Guest should not read/write to I/OAPIC or PIT frequently 28

  29. Disk Random Read kIOPs (Legacy/INTx) 29

  30. Try It Out Split Irqchip and userspace PIT supported by x86 QEMU v2.6 and up via -machine kernel_irqchip=split Needs >= 4.4 Linux Kernel 30

  31. Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening Instruction Emulator 31

  32. Instruction Emulator Emulates x86 instructions with x86, when the CPU can’t virtualize. Most commonly reads and writes to emulated I/O 32

  33. Why worry about the Instruction Emulator? Converts arbitrary bytes into an instruction… … then emulates that instruction Tons of Instructions PUSHA, POP, SYSCALL, MOV, CMPXCHG8B… 5500 Lines of Code (and growing) 11 CVEs since 2009 33

  34. Why not keep the emulator in the kernel? With Split Irqchip almost all MMIO devices are now in userspace APIC is an exception, but APICv skips emulation 34

  35. Userspace Instruction Emulation Interface Needs guest register access Already available, but could be accelerated using kvm_sync_regs New KVM exit type KVM_EXIT_EMULATION_NEEDED Must be able to communicate with any kernel MMIO/PIO device Need ability to read/write to APIC => new IOCTL 35

  36. Disk Random Read kIOPs (Modern/MSIx) 36

  37. How Modern is a Modern VM? Host CPU needs APICv (>= Ivybridge) For APIC Access VMEXITS In addition to Split Irqchip Requirements 37

  38. Disk Random Read kIOPs (Legacy/INTx) 38

  39. Attack Surface Reduction Summary Removed the sources of 17/41 the Guest Triggerable CVES Removed >7500 LoC from KVM (~15% of x86 KVM) Negligible perf impact for modern VMs 39

  40. Future Work Finalize interface for Userspace Instruction Emulation Add Userspace Instruction Emulation Support to QEMU Add Userspace MSR Handling to KVM and QEMU Test Performance on QEMU (Prior performance testing done with Google’s userspace VMM) 40

  41. Questions? 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
Hardening PHP - Some basic security measures. Antonio Bonifati

Hardening PHP - Some basic security measures. Antonio Bonifati

Hardening PHP - Some basic security measures. Antonio Bonifati <http://ninuzzo.freehostia.com> ABSTRACT A summary of the most important PHP settings aimed at improving security of PHP web servers. Whenever you have to harden a PHP

615 views • 5 slides
Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter,

Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter,

Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany Motivation data security:

423 views • 31 slides
Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect Mender.io Session overview Case-studies of 3 botnets Mirai (August 2016) Hajime (October 2016) BrickerBot (March 2017) Common security

902 views • 28 slides
Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security Agency (ANSSI) RMLL 2017 Goal of this talk Goal of this talk Increase the security of standard Linux distributions Use security features

382 views • 37 slides
Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary services is called hardening a router to prevent attacks or exploits. The basic steps of router hardening are: 1) Administratively shut down

102 views • 8 slides
Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray inc. @dotgray Sunday, March 15, 15 Resources Codex.WordPress.org / Hardening_WordPress Blog.Sucuri.net / WordPress Security WPSecure.net /

608 views • 32 slides
Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Performant Multiplatform Kotlin Serialization Eric Cochran KotlinConf October 5, 2018 Performant

Performant Multiplatform Kotlin Serialization Eric Cochran KotlinConf October 5, 2018 Performant

Performant Multiplatform Kotlin Serialization Eric Cochran KotlinConf October 5, 2018 Performant Multiplatform Kotlin Serialization 0.8 Why? Get Started buildscript { repositories { maven { url 'https://kotlin.bintray.com/kotlinx' } }

758 views • 38 slides
Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group Goals 1. Learn what to protect 2. Know some strategies 3. Learn tooling Focus

912 views • 60 slides
Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX 2012 Kees Cook <keescook@google.com> (pronounced "Case") Overview Overview Identifying the threat model not the

974 views • 50 slides
MSP Commercial Repayment Center Contractor Transition Performant Recovery, Inc. NGHP ORM Town

MSP Commercial Repayment Center Contractor Transition Performant Recovery, Inc. NGHP ORM Town

MSP Commercial Repayment Center Contractor Transition Performant Recovery, Inc. NGHP ORM Town Hall Presentation January 18, 2018 Presentation Goals Provide the CRC stakeholder community with a clear understanding of who Performant is, and

801 views • 14 slides
MSP Commercial Repayment Center Contractor Transition Performant Recovery, Inc. GHP Town Hall

MSP Commercial Repayment Center Contractor Transition Performant Recovery, Inc. GHP Town Hall

MSP Commercial Repayment Center Contractor Transition Performant Recovery, Inc. GHP Town Hall Presentation January 17, 2018 Presentation Goals Provide the CRC stakeholder community with a clear understanding of who Performant is, and its

505 views • 14 slides
Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public Service Commission May 4, 2007 Mark A. Jamison, PURC Director Leadership in Infrastructure Policy Leadership in Infrastructure Policy

487 views • 45 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
Securing your in-ear fitness coach: Challenges in hardening next generation wearables Kavya

Securing your in-ear fitness coach: Challenges in hardening next generation wearables Kavya

Securing your in-ear fitness coach: Challenges in hardening next generation wearables Kavya Racharla Sumanth Naropanth Who are we? Kavya Racharla Security Research Manager Sports Group, Intel Oracle & Qualcomm

826 views • 48 slides
Optimal Predition Ma rk ets with Optimal Pla y ers Lea rn Optimally fo r Log Loss

Optimal Predition Ma rk ets with Optimal Pla y ers Lea rn Optimally fo r Log Loss

Optimal Predition Ma rk ets with Optimal Pla y ers Lea rn Optimally fo r Log Loss John Langfo rd With Alina Beygelzimer and David P enno k Predition Ma rk ets Lea rn Optimally John Langfo rd With Alina

196 views • 7 slides
It , -1,7 W - wa AIK - - - - - . = 0.75 . WITT = Est . LRTT ) . der ( RTT ) - Timeout

It , -1,7 W - wa AIK - - - - - . = 0.75 . WITT = Est . LRTT ) . der ( RTT ) - Timeout

TCP continued October 8 : Topics : Fast recovery finish up - state diagram Tcp - TCP Packets to Bytes : . - TCP timers ( single ) for -1/0 AIM 'D - Rough throughput - It , -1,7 W - wa AIK - - - - - . = 0.75 .

300 views • 5 slides
radare2 workshop Freshly graduated I dont know Windows 1 whoami Julien (jvoisin)

radare2 workshop Freshly graduated I dont know Windows 1 whoami Julien (jvoisin)

October 22, 2015 Writing a crack for hack.lu 2015 radare2 workshop Freshly graduated I dont know Windows 1 whoami Julien (jvoisin) Voisin French 2 Piracy is bad, mkay. disclaimer 3 what is this? 4 and what is this?

572 views • 30 slides
The Somali Pirates Case Jesus Rios IBM T.J. Watson Research Centre, USA and David Rios Insua ,

The Somali Pirates Case Jesus Rios IBM T.J. Watson Research Centre, USA and David Rios Insua ,

2 nd Maritime Risk Symposium Adversarial Risk Analysis: The Somali Pirates Case Jesus Rios IBM T.J. Watson Research Centre, USA and David Rios Insua , Royal Academy of Sciences, Spain Juan Carlos Sevillano , Complutense University, Spain

458 views • 26 slides
Complete Derandomization of Identity Testing of Read-Once Formulas Daniel Minahan Ilya Volkovich

Complete Derandomization of Identity Testing of Read-Once Formulas Daniel Minahan Ilya Volkovich

Introduction Previous Results Our Model Read-Once Polynomials Our Results Complete Derandomization of Identity Testing of Read-Once Formulas Daniel Minahan Ilya Volkovich University of Michigan Presented by: Ramprasad Saptharishi

1.1k views • 92 slides
Hi-Lumi LHC/LARP Conductor and Cable Internal Review Past and Present Manufacture and

Hi-Lumi LHC/LARP Conductor and Cable Internal Review Past and Present Manufacture and

Hi-Lumi LHC/LARP Conductor and Cable Internal Review Past and Present Manufacture and Performance of PIT and RRP 132/169 A. Ballarino, CERN A. Ballarino, L. Oberli, B. Bordini, D. Richter and L. Bottura Conductor specification and

502 views • 21 slides
t sr Pt r ts

t sr Pt r ts

t sr Pt r ts s s rt s s s rts

379 views • 6 slides
Quantile regression: Basics and recent advances J. M.C. Santos Silva University of Surrey 2019

Quantile regression: Basics and recent advances J. M.C. Santos Silva University of Surrey 2019

Quantile regression: Basics and recent advances J. M.C. Santos Silva University of Surrey 2019 UK Stata Conference 06/09/19 1 1. Summary Quantile regression (Koenker and Bassett, 1978) is increasingly used by practitioners but it is still

544 views • 25 slides

More recommend