Securing Your Cloud with Xen Projects Advanced Security Features - - PowerPoint PPT Presentation

securing your cloud with xen project s advanced security
SMART_READER_LITE
LIVE PREVIEW

Securing Your Cloud with Xen Projects Advanced Security Features - - PowerPoint PPT Presentation

Mar 16, 2024 221 likes •555 views

Introduction Network path Bootloader Device model Xen Conclusion Securing Your Cloud with Xen Projects Advanced Security Features Russell Pavlicek, Xen Project Evangelist CloudOpen North America 2013 Introduction Network path

slide-1
SLIDE 1

Introduction Network path Bootloader Device model Xen Conclusion

Securing Your Cloud with Xen Project’s Advanced Security Features

Russell Pavlicek, Xen Project Evangelist CloudOpen North America 2013

slide-2
SLIDE 2

Introduction Network path Bootloader Device model Xen Conclusion

Who is the Old, Fat Geek Up Front?

◮ Xen Project Evangelist ◮ Employed by Citrix, focused entirely on the Xen Project ◮ History with Open Source begins in 1997 ◮ Former columnist with Infoworld, Processor magazines ◮ Former panelist on The Linux Show webcast, repeat guest on

The Linux Link Tech Show

◮ Over 150 pieces published, plus one book on Open Source

development and several blogs

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 2 / 32

slide-3
SLIDE 3

Introduction Network path Bootloader Device model Xen Conclusion

Introduction: Xen Project and Security

◮ Xen Project is an enterprise-grade Type I hypervisor ◮ Built for the Cloud before it was called the Cloud ◮ A number of advanced security features

◮ Driver Domains, Stub Domains, FLASK, and more

◮ Most of them are not (or cannot) be turned on by default ◮ Although they are simple to use, sometimes they can appear

to be complicated

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 3 / 32

slide-4
SLIDE 4

Introduction Network path Bootloader Device model Xen Conclusion

Presentation Goals

◮ Introduce you to key Xen Project Security Tools ◮ Discuss some key Xen security features ◮ Get you started in the right direction toward securing your

Xen installation

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 4 / 32

slide-5
SLIDE 5

Introduction Network path Bootloader Device model Xen Conclusion

Presentation Outline

◮ A few thoughts on the problem of securing the Cloud ◮ Overview of the Xen architecture ◮ Brief introduction to principles of security analysis ◮ Consider some attack surfaces and Xen features we can use to

mitigate them:

◮ Driver Domains ◮ PVgrub ◮ Stub Domains ◮ Paravirtualization (PV) mode vs Hardware Virtualization

(HVM) mode

◮ FLASK example policy CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 5 / 32

slide-6
SLIDE 6

Introduction Network path Bootloader Device model Xen Conclusion

The Cloud Security Conundrum

◮ Security: The 800 pound gorilla of the Cloud world

◮ Nothing generates more fear in specific, and FUD in general ◮ Probably the single greatest barrier to Cloud adoption ◮ Immediately behind it is the inability to get out of a 20th

century IT mindset (i.e., ”Change is Bad”)

◮ The good news: we don’t need to fear it – we just need to

solve it

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 6 / 32

slide-7
SLIDE 7

Introduction Network path Bootloader Device model Xen Conclusion

Cloud Security: New Visibility to Old Problem

◮ Security has always been an issue ◮ Putting a truly secure system in the open does not reduce its

security, just increases the frequency of attack

◮ Unfortunately, system security behind the firewall has not

always been comprehensive

◮ Having solutions in Clouds forces us to solve the security

issues we should have already solved

◮ Security through obscurity is no longer sufficient

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 7 / 32

slide-8
SLIDE 8

Introduction Network path Bootloader Device model Xen Conclusion

Security by Design, not by Wishful Thinking

◮ Security by Wishful Thinking is Officially Dead

◮ Merely hoping that your firewall holds off the marauding

hordes is NOT good enough

◮ Addressing security in one area while ignoring others is NOT

good enough

◮ Saying, ”We’ve never had a problem before” is NOT good

enough

◮ Comprehensive security starts with design

◮ It needs to planned and carefully thought through ◮ It needs to be implemented at multiple levels ◮ It needs components which are themselves securable CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 8 / 32

slide-9
SLIDE 9

Introduction Network path Bootloader Device model Xen Conclusion

Xen Project: Security by Design

◮ Xen Project was designed for Clouds before the term ”Cloud”

was coined in the industry

◮ Designers foresaw the day of an ”infrastructure for wide-area

distributed computing” which we now call ”the Cloud”

◮ http://www.cl.cam.ac.uk/research

/srg/netos/xeno/publications.html

◮ Xen is designed to thwart attacks from many attack vectors,

using different defensive techniques

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 9 / 32

slide-10
SLIDE 10

Introduction Network path Bootloader Device model Xen Conclusion

Xen Architecture: A Basic Picture

Xen Hypervisor Hardware

device model (qemu) toolstack dom 0

Hardware Drivers I/O Devices CPU Memory Paravirtualized (PV) Domain Fully Virtualized (HVM) Domain netback blkback netfront blkfront

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 10 / 32

slide-11
SLIDE 11

Introduction Network path Bootloader Device model Xen Conclusion

Security Overview

◮ Threat Models:

◮ Attacker can access network ◮ Attacker controls one Guest VM

◮ Security considerations to evaluate:

◮ How much code is accessible? ◮ What is the interface like? (e.g., pointers vs scalars) ◮ Defense-in-depth

◮ Then combine security tactics to secure the installation

◮ There is no single ”magic bullet” ◮ Individual tactics reduce danger; combined tactics go even

farther

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 11 / 32

slide-12
SLIDE 12

Introduction Network path Bootloader Device model Xen Conclusion

Example System, for our Discussion

◮ Hardware setup

◮ Two networks: one Control network, one Guest network ◮ IOMMU with interrupt remapping (AMD or Intel VT-d v2) to

allow for full Hardware Virtualization (HVM)

◮ Default configuration

◮ Network drivers in the Control Domain (aka ”Domain 0” or

just ”Dom0”)

◮ Paravirtualized (PV) guests using PyGrub (grub-like boot

utility within context of Guest Domain)

◮ Hardware Virtualized (HVM) guests using Qemu (as the device

model) running in the Control Domain

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 12 / 32

slide-13
SLIDE 13

Introduction Network path Bootloader Device model Xen Conclusion

Attack surface: Network path

Xen Hypervisor Hardware

toolstack dom 0

NIC Driver Control NIC Rogue Domain netback netfront Guest NIC

bridge iptables

Domain netfront

◮ Where might an exploit focus?

◮ Bugs in hardware driver ◮ Bugs in bridging / filtering ◮ Bugs in netback (via the ring protocol) CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 13 / 32

slide-14
SLIDE 14

Introduction Network path Bootloader Device model Xen Conclusion

Attack surface: Network path

Xen Hypervisor Hardware

toolstack dom 0

NIC Driver Control NIC Rogue Domain netback netfront Guest NIC

bridge iptables

Domain netfront

◮ What could a successful exploit yield?

◮ Control of Domain 0 kernel ◮ Pretty much control of the whole system CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 14 / 32

slide-15
SLIDE 15

Introduction Network path Bootloader Device model Xen Conclusion

Security feature: Driver Domains

Xen Hypervisor Hardware

toolstack dom 0

NIC Driver Control NIC Rogue Domain netback netfront Guest NIC

bridge iptables

Domain netfront NIC Driver

Driver Domain

◮ What is a Driver Domain?

◮ Unprivileged VM which drives hardware, provides access to

guests

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 15 / 32

slide-16
SLIDE 16

Introduction Network path Bootloader Device model Xen Conclusion

Security feature: Driver Domains

Xen Hypervisor Hardware

toolstack dom 0

NIC Driver Control NIC Rogue Domain netback netfront Guest NIC

bridge iptables

Domain netfront NIC Driver

Driver Domain

◮ Now a successful exploit could yield:

◮ Control of the Driver Domain (PV hypercall interface) ◮ Control of that guest’s network traffic ◮ Control of NIC ◮ An opportunity to attack netfront of other guests CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 16 / 32

slide-17
SLIDE 17

Introduction Network path Bootloader Device model Xen Conclusion

HowTo: Driver Domains

◮ Create a VM with appropriate drivers

◮ Use any distribution suitable as a Control Domain

◮ Install the Xen-related hotplug scripts

◮ Just installing the Xen tools in the VM is usually good enough

◮ Give the VM access to the physical NIC with PCI pass-through ◮ Configure the network topology in the Driver domain

◮ Just like you would for the Control Domain

◮ Configure the guest Virtual Network Interface (vif) to use the

new domain ID

◮ Add backend=domnet to vif declaration

vif = [ ’type=pv, bridge=xenbr0, backend=domnet’ ]

◮ http://wiki.xenproject.org/wiki/Driver Domain

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 17 / 32

slide-18
SLIDE 18

Introduction Network path Bootloader Device model Xen Conclusion

Attack surface: PyGrub

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain

domain builder pygrub

guest disk

◮ What is PyGrub?

◮ grub implementation for PV guests ◮ Python program running in Control Domain ◮ Reads guest filesystem, parses grub.conf, shows menu ◮ Passes resulting kernel image to domain builder CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 18 / 32

slide-19
SLIDE 19

Introduction Network path Bootloader Device model Xen Conclusion

Attack surface: PyGrub

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain

domain builder pygrub

guest disk

◮ Where might an exploit focus?

◮ Bugs in file system parser ◮ Bugs in menu parser ◮ Bugs in domain builder CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 19 / 32

slide-20
SLIDE 20

Introduction Network path Bootloader Device model Xen Conclusion

Attack surface: PyGrub

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain

domain builder pygrub

guest disk

kernel

◮ What could a successful exploit yield?

◮ Control of Domain 0 user space ◮ Pretty much control of the whole system CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 20 / 32

slide-21
SLIDE 21

Introduction Network path Bootloader Device model Xen Conclusion

Security practice: Fixed kernels

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain

domain builder kernel image

guest disk

◮ What is a fixed kernel?

◮ Passing a known-good kernel from Control Domain

◮ Removes attacker avenue to domain builder

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 21 / 32

slide-22
SLIDE 22

Introduction Network path Bootloader Device model Xen Conclusion

Security practice: Fixed kernels

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain

domain builder kernel image

guest disk

◮ Disadvantages

◮ Host admin must keep up with kernel updates ◮ Guest admin can’t pass kernel parameters, custom kernels, CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 22 / 32

slide-23
SLIDE 23

Introduction Network path Bootloader Device model Xen Conclusion

Security feature: PVgrub

Xen Hypervisor

toolstack dom 0 domain builder

guest disk

MiniOS pvgrub

◮ What is PVgrub?

◮ MiniOS + PV port of grub running in a guest context ◮ PV equivalent of HVM “BIOS + grub”

◮ Now a successful exploit could yield:

◮ Control of the attacked guest domain alone CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 23 / 32

slide-24
SLIDE 24

Introduction Network path Bootloader Device model Xen Conclusion

HowTo: PVgrub

◮ Make sure that you have the PVgrub image

◮ pvgrub-$ARCH.gz ◮ Normally lives in /usr/lib/xen/boot ◮ Included in Fedora Xen packages ◮ Debian-based: need to build yourself

◮ Use appropriate PVgrub as bootloader in guest configuration

kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz"

◮ http://wiki.xenproject.org/wiki/Pvgrub

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 24 / 32

slide-25
SLIDE 25

Introduction Network path Bootloader Device model Xen Conclusion

Attack surface: Device model (Qemu)

◮ Where might an exploit focus?

◮ Bugs in NIC emulator parsing packets ◮ Bugs in emulation of virtual devices

◮ What could a successful exploit yield?

◮ Control Domain privileged userspace ◮ Pretty much control of the whole system CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 25 / 32

slide-26
SLIDE 26

Introduction Network path Bootloader Device model Xen Conclusion

Security feature: Qemu stub domains

◮ What is a stub domain?

◮ Stub domain: a small “service” domain running just one

application

◮ Qemu stub domain: run each Qemu in its own domain

◮ What could a successful exploit yield?

◮ Control only of the stub domain VM (which, if FLASK is

employed, is a relatively small universe)

◮ You need to devise another attack entirely to do anything

more significant

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 26 / 32

slide-27
SLIDE 27

Introduction Network path Bootloader Device model Xen Conclusion

HowTo: Qemu stub domains

◮ Make sure that you have the PVgrub image:

◮ ioemu-$ARCH.gz ◮ Normally lives in /usr/lib/xen/boot ◮ Included in Fedora Xen packages ◮ On Debian (and offshoots), you will need to build it yourself

◮ Specify stub domains in your guest config

device_model_stubdomain_override = 1

◮ http://wiki.xenproject.org/wiki/Device Model Stub Domains

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 27 / 32

slide-28
SLIDE 28

Introduction Network path Bootloader Device model Xen Conclusion

Attack Surface: Xen Hypervisor itself

◮ Where might an exploit focus?

◮ On Paravirtualized (PV) Guests: ◮ PV Hypercalls ◮ On full Hardware Virtualized (HVM) Guests: ◮ HVM hypercalls (Subset of PV hypercalls) ◮ Instruction emulation (MMIO, shadow pagetables) ◮ Emulated platform devices: APIC, HPET, PIT ◮ Nested virtualization

◮ Security practice: Use PV VMs whenever possible

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 28 / 32

slide-29
SLIDE 29

Introduction Network path Bootloader Device model Xen Conclusion

Security feature: FLASK example policy

◮ What is FLASK?

◮ Xen Security Module (XSM): Xen equivalent of LSM ◮ FLASK: Framework for XSM developed by NSA ◮ Xen equivalent of SELinux ◮ Uses same concepts and tools as SELinux ◮ Allows a policy to restrict hypercalls

◮ What can FLASK do?

◮ Basic: Restricts hypercalls to those needed by a particular

guest

◮ Advanced: Allows more fine-grained granting of privileges

◮ FLASK example policy

◮ This contains example roles for the Control Domain (dom0),

User/Guest Domain(domU), stub domains, driver domains, etc.

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 29 / 32

slide-30
SLIDE 30

Introduction Network path Bootloader Device model Xen Conclusion

HowTo: Use the example FLASK policy

◮ Build Xen with XSM enabled ◮ Build the example policy ◮ Add the appropriate label to guest config files

◮ seclabel=[foo] ◮ stubdom label=[foo]

◮ Make sure you TEST the example policy in your environment

BEFORE putting it into production!

◮ NOTE: As an example policy, it is not as rigorously tested as

  • ther parts of Xen during release, and it may not be suitable

as-is if you are doing unusual things

◮ http://wiki.xenproject.org/wiki

/Xen Security Modules : XSM-FLASK

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 30 / 32

slide-31
SLIDE 31

Introduction Network path Bootloader Device model Xen Conclusion

ARM: Right solution for security

◮ Stays in ARM Hypervisor Mode

◮ The ARM architecture has separate Hypervisor and Kernel

modes

◮ Because Xen’s architecture maps so well to the ARM

architecture, Xen never has to use Kernel mode

◮ Other hypervisors have to flip back and forth between modes ◮ If a hypervisor has to enter Kernel mode, it loses the security

  • f running in a privileged mode, isolated from the rest of the

system

◮ This is a non-issue with the Xen Hypervisor on ARM

◮ Does not need to use device emulation

◮ No emulation means a smaller attack surface for bad guys CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 31 / 32

slide-32
SLIDE 32

Introduction Network path Bootloader Device model Xen Conclusion

For More Information...

Details at http://wiki.xenproject.org/wiki/Securing Xen Thanks to George Dunlap for supplying much of the information presented here, and Stefano Stabellini for ARM information Check out our blog: http://blog.xenproject.org/ Contact me at russell.pavlicek@xenproject.org ——————————– Thank You!

CloudOpen North America 2013 Securing Your Cloud with Xen Project’s Advanced Security Features 32 / 32