xen security modules xsm
play

Xen Security Modules (XSM) George Coker National Information - PowerPoint PPT Presentation

Mar 25, 2023 •12 likes •342 views

Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National Security Agency (NSA) gscoker@alpha.ncsc.mil National Information Assurance Research Lab 1 UNCLASSIFIED What is XSM? A generalized

  1. Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National Security Agency (NSA) gscoker@alpha.ncsc.mil ■ National Information Assurance Research Lab ■ 1 UNCLASSIFIED

  2. What is XSM? ● A generalized security framework for Xen – Allows custom security functionality in modules – Creates general security interfaces for Xen – Removes security model specific code from Xen ■ National Information Assurance Research Lab ■ 2 UNCLASSIFIED

  3. Framework Interface Goals ● Capable of supporting known security models – hard to be "complete" ● Minimize impact on Xen ● Config enable/disable for Xen ■ National Information Assurance Research Lab ■ 3 UNCLASSIFIED

  4. Rational for XSM ● New usage models for Xen have different security goals ● Shouldn't “hardwire” security model – Xen should be capable of supporting many through configuration ● New security functionality without changes to Xen mechanisms ■ National Information Assurance Research Lab ■ 4 UNCLASSIFIED

  5. New Usage Models ● Decomposed dom0 – Removal of all-powerful dom0? ● Least privilege for each domain – e.g. separation of platform/hardware config and domain building privileges ● Security module could be created to define these new privileges? ■ National Information Assurance Research Lab ■ 5 UNCLASSIFIED

  6. New Usage Models (cont.) ● Resource partitions – How are resources partitioned and controlled? ● Ability to allow certain domains to control resource allocations – e.g. multiple domain builders ● Security module could be defined to control allocations? ■ National Information Assurance Research Lab ■ 6 UNCLASSIFIED

  7. New Usage Models (cont.) ● Protection of the platform from third party software – How are resources partitioned and controlled? ● e.g. device driver isolation ● e.g. sandboxing – Security module could be defined to mediate accesses across domains ■ National Information Assurance Research Lab ■ 7 UNCLASSIFIED

  8. New Usage Models (cont.) ● Protection for core platform security services – How to safely create platform wide services? ● e.g. media encryption ● e.g. IP-filtering/routing ● e.g. measurement & attestation – Security module could be defined to isolate, mediate access to, and guarantee invocation of services ■ National Information Assurance Research Lab ■ 8 UNCLASSIFIED

  9. XSM Security Benefits ● Encapsulation of security functionality – A well-defined security architecture is required for a well-defined TCB ● common criteria ● Extensible security functionality – e.g. trusted IVC ● security modules can enable security identification of communications channels or peers without changing the implementation of existing channel mechanisms (grants and events) ■ National Information Assurance Research Lab ■ 9 UNCLASSIFIED

  10. XSM Implementation ● Derived from Linux Security Modules (LSM) – Linux 2.6.13.4 ● Security function infrastructure – Derived from ACM – New security functionality ● Security module – Implements security hooks – Specific to a security model ■ National Information Assurance Research Lab ■ 10 UNCLASSIFIED

  11. XSM Today ● 57 hooks to date – 60% complete (estimate) – Target privileged hypercalls (initially) – Comprehensive hook placement ● attempts to anticipate new modules ■ National Information Assurance Research Lab ■ 11 UNCLASSIFIED

  12. XSM Specifics ● Early initialization – Prior to idle domain creation ● Early allocation/late deallocation of domain security structures – domain_create – domain_destroy ■ National Information Assurance Research Lab ■ 12 UNCLASSIFIED

  13. XSM Specifics (cont.) ● No excepted event channels – evtchn_init – evtchn_bind_interdomain ● Will not support stacking – Security module behavior cannot be predicted under stacking and may violate the goals of the security module while meeting few or none of the goals of the user – Stacking should be a property of the security module. ■ National Information Assurance Research Lab ■ 13 UNCLASSIFIED

  14. XSM Modules ● Registered and linked in at boot ● Modules may register a security hypercall ● Modules may register a policy magic number to identify and load a policy from boot ■ National Information Assurance Research Lab ■ 14 UNCLASSIFIED

  15. Existing XSM Modules ● Dummy (XSM default) ● ACM/sHype (IBM) ● Flask (NSA) ■ National Information Assurance Research Lab ■ 15 UNCLASSIFIED

  16. XSM Hooks ● What are the hooks doing? – Interpose on code path – Allocation/setting of security structures – Platform security initialization ■ National Information Assurance Research Lab ■ 16 UNCLASSIFIED

  17. Hook Placement Philosophy ● Positioned at key locations – Identified by analysis ● Availability of security relevant objects ● Safety of hook location in code path ● General benefit to security ● Comprehensive placement – Localized in code path ● Balance between hook placement and maintenance ■ National Information Assurance Research Lab ■ 17 UNCLASSIFIED

  18. Hook Placement Philosophy (cont.) – Minimize impact to Xen code paths ● Leverage existing exit/error paths wherever possible – Rely on calling function to hold references to objects ● Safer for Xen if security modules do not hold references to Xen objects ■ National Information Assurance Research Lab ■ 18 UNCLASSIFIED

  19. Current Hook Locations ● dom0_ops.c ● domain.c ● grant_table.c ● event_channel.c ● setup.c ● mm.c ■ National Information Assurance Research Lab ■ 19 UNCLASSIFIED

  20. First Class Security Objects ● Generic security pointers on Xen first class objects – e.g. struct domain & struct evtchn – Allocation/access via hook functions ● Only if required by module ● Modules may hold security labels on other platform resources that Xen does not manage – e.g. physical interrupts ■ National Information Assurance Research Lab ■ 20 UNCLASSIFIED

  21. Performance ● Are more checks more expensive? – Small constant XSM overhead per hook – Premise "basic" call/return is a minimal overhead – Extra overhead for hooks is module specific ● Presently no "observed" degradation – Further investigation required ■ National Information Assurance Research Lab ■ 21 UNCLASSIFIED

  22. ACM Module ● How will it affect sHype/ACM ? – sHype/ACM will plug into XSM hooks – Changes are transparent to sHype management / use – sHype/ACM will support a single policy (CHWALL/STE) ■ National Information Assurance Research Lab ■ 22 UNCLASSIFIED

  23. ACM Module Implementation ● Little modification required to turn into XSM module – modifications in Xen code only! – no change to user-space tool chain ● TODO: Nativization cleanups – Better use of hook references – Remove refactored functionality ■ National Information Assurance Research Lab ■ 23 UNCLASSIFIED

  24. Flask Module ● Xen nativization of Flask security code – Linux 2.6.13.4 ● Capabilities – RBAC/TE – MLS/MCS ● Security server optimized for small memory footprint – Memory footprint comes from number of types, not number of permissions or hooks used ■ National Information Assurance Research Lab ■ 24 UNCLASSIFIED

  25. Flask Policy ● Uses existing SELinux policy language – Common policy generation and analysis toolchain ● Xen policy is less complex than Linux – Fewer security controls ■ National Information Assurance Research Lab ■ 25 UNCLASSIFIED

  26. How does Flask use XSM? ● Event Channels – Fine-grain allocation of physical interrupts (example) ● Grant Tables – Fine-grain sharing between domains (example) ● Dom0 Operations – Fine-grain allocation of io resources (example) ● MMU – Fine-grain control of foreign mappings (example) ■ National Information Assurance Research Lab ■ 26 UNCLASSIFIED

  27. Event Channels (example) static int flask_evtchn_pirq(struct domain *d, struct evtchn *chn, int pirq) { u32 newsid; rc = avc_has_perm(newsid, psid, SECCLASS_EVENT, u32 psid; EVENT__BIND, NULL); int rc; if (rc) struct domain_security_struct *dsec; return rc; struct evtchn_security_struct *esec; esec->sid = newsid; dsec = d->ssid; esec = chn->ssid; return rc; } rc = security_pirq_sid(pirq, &psid); if (rc) return rc; rc = security_transition_sid(dsec->sid, psid, SECCLASS_EVENT, &newsid); if (rc) { printk("%s: security_transition_sid failed, rc=%d (pirq=%d)\n", __FUNCTION__, -rc, pirq); return rc; } rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, NULL); if (rc) return rc; ■ National Information Assurance Research Lab ■ 27 UNCLASSIFIED

  28. Grant Tables (example) static int flask_grant_mapref(struct domain *d1, struct domain *d2, uint32_t flags) { u32 perms = GRANT__MAP_READ; if (flags & GTF_writing) perms |= GRANT__MAP_WRITE; return domain_has_perm(d1, d2, SECCLASS_GRANT, perms); } ■ National Information Assurance Research Lab ■ 28 UNCLASSIFIED

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer

Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer

Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/~mgk25/ Applications of Tamper Resistant Modules Security of cryptographic applications is based on secure

564 views • 23 slides
Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014

Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014

Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014 richard.lamb@icann.org Hardware Security Modules Cool but what are you protecting? This works fine in many cases ..but this may be the real problem No

255 views • 12 slides
Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules > Global Architecture > Collection & Storage > Correlation > SOC Modules R Box R Box reaction and reporting + A Box K Box A Box

673 views • 13 slides
Hardware Security Modules What they are and why it's likely that you've (indirectly) used one

Hardware Security Modules What they are and why it's likely that you've (indirectly) used one

Hardware Security Modules What they are and why it's likely that you've (indirectly) used one today Insert Your Name Insert Your Title Insert Date RWC 2015 Paul Hampton 8 th January 2015 What Am I Going to Talk About? What Is A Where Will

746 views • 30 slides
Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi Talbi Security researcher at Stormshield haka-security project. Past life: academia (phd, postdoc, ) Main research topics: advanced

1.61k views • 94 slides
The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection

The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection

The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection Man-Ki Yoon, Mihai Christodorescu, Lui Sha, Sibin Mohan University of Illinois at Urbana-Champaign Qualcomm Research Silicon Valley June 6, 2016

928 views • 46 slides
http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules

http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules

Design Principles for Tamper-Resistant Smartcard Processors Oliver Kmmerling Markus G. Kuhn ADSR Computer Laboratory http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules Microprobing Open the

465 views • 22 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
Modern Systems: Security October 8, 2012 Background: Trusted Platform Modules What is a TPM?

Modern Systems: Security October 8, 2012 Background: Trusted Platform Modules What is a TPM?

Modern Systems: Security October 8, 2012 Background: Trusted Platform Modules What is a TPM? 16 Platform Configuration Registers (PCRs) Random Number Generator (RNG) Endorsement Key (EK) burned in hardware What can it do?

575 views • 33 slides
How does LuK come to life? LuK consists of a collection of modules you only link in the modules

How does LuK come to life? LuK consists of a collection of modules you only link in the modules

slide 1 gaius How does LuK come to life? LuK consists of a collection of modules you only link in the modules actually required the mixture of the modules required for the lab exercises may be different each lab exercise has a file: init

492 views • 24 slides
Modules Modules A module is a collection of functions that we can use to do more powerful things

Modules Modules A module is a collection of functions that we can use to do more powerful things

Modules Modules A module is a collection of functions that we can use to do more powerful things with our Python programs. Lots of modules exist, written by other developers. You can use a module without needing to understand what it is doing

165 views • 14 slides
Trusted Platform Modules and Hardware-based Security Andreas Nilsson Masters Student at Nada,

Trusted Platform Modules and Hardware-based Security Andreas Nilsson Masters Student at Nada,

Trusted Platform Modules and Hardware-based Security Andreas Nilsson Masters Student at Nada, KTH Pointsec Mobile Technologies TPM Introduction Microcontroller affixed to the motherboard. Cryptographic functions like key storage

834 views • 35 slides
1 Some overlap with all modules particularly modules 3, 6 and 7. LDF/plan making evidence

1 Some overlap with all modules particularly modules 3, 6 and 7. LDF/plan making evidence

1 Some overlap with all modules particularly modules 3, 6 and 7. LDF/plan making evidence base and Implementation of the Yorkshire and Humber renewable and Low Carbon Energy Study, 2011 Introduction to climate change policy and context

1.04k views • 77 slides
Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James

Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James

Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201 AGENDA > Background on OSGi > Security per OSGI spec > Security beyond OSGI spec Background on OSGi > Why use

950 views • 56 slides
Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio

Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio

Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio 1 1 Universit` a Ca Foscari di Venezia, Italy { focardi,luccio } @dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work

1.25k views • 69 slides
Network Flow-based Simultaneous Retiming and Slack Budgeting for Low Power Design Bei Yu 1 Sheqin

Network Flow-based Simultaneous Retiming and Slack Budgeting for Low Power Design Bei Yu 1 Sheqin

Outline Network Flow-based Simultaneous Retiming and Slack Budgeting for Low Power Design Bei Yu 1 Sheqin Dong 1 Yuchun Ma 1 Tao Lin 1 Yu Wang 1 Song Chen 2 Satoshi GOTO 2 1 Department of Computer Science & Technology Tsinghua University,

527 views • 21 slides
Intra-Vehicular Wireless Sensor Networks Sinem Coleri Ergen (joint with Yalcin Sadi, C. Umit Bas)

Intra-Vehicular Wireless Sensor Networks Sinem Coleri Ergen (joint with Yalcin Sadi, C. Umit Bas)

Intra-Vehicular Wireless Sensor Networks Sinem Coleri Ergen (joint with Yalcin Sadi, C. Umit Bas) Wireless Networks Laboratory, Electrical and Electronics Engineering, Koc University Outline Motivation for Intra-Vehicular Wireless Sensor

322 views • 19 slides
Scalable Transparent ARguments-of-Knowledge Michael Riabzev Department of Computer Science,

Scalable Transparent ARguments-of-Knowledge Michael Riabzev Department of Computer Science,

Our result Features A peak under the hood Summary Scalable Transparent ARguments-of-Knowledge Michael Riabzev Department of Computer Science, Technion DIMACS Workshop on Outsourcing Computation Securely Joint work with Eli Ben-Sasson, Iddo

599 views • 32 slides
INTERVEHICULAR COMMUNICATION SYSTEMS Daniel Lpez Garca Zakaria Kasmi Institut fr

INTERVEHICULAR COMMUNICATION SYSTEMS Daniel Lpez Garca Zakaria Kasmi Institut fr

INTERVEHICULAR COMMUNICATION SYSTEMS Daniel Lpez Garca Zakaria Kasmi Institut fr Informatik Takustrasse 9 14195 Berlin 1 Outline Introduction Requirements Topology OSI layers -MAC/PHY -Network Vehicular Colision Warning

376 views • 19 slides
3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video Using Kinect Raw Depth Image Infrared laser projector Monochrome CMOS sensor Demo Kinect Raw data Real-time Reconstruction Pipeline Measurement

508 views • 34 slides
How to maintain the star formation of the Milky Way Galaxy? On the value of single dish

How to maintain the star formation of the Milky Way Galaxy? On the value of single dish

How to maintain the star formation of the Milky Way Galaxy? On the value of single dish full-sky surveys Jrgen Kerp 1 , Benjamin Winkel 2 , Peter Kalberla 1 and the EBHIS team 1 Argelander-Institut fr Astronomie, Universitt Bonn 2

641 views • 60 slides
Problem for Problems for Discrete Transistor Amplifiers ECE 65, Winter2013, F. Najmabadi

Problem for Problems for Discrete Transistor Amplifiers ECE 65, Winter2013, F. Najmabadi

Problem for Problems for Discrete Transistor Amplifiers ECE 65, Winter2013, F. Najmabadi Exercise 1: Find the amplifier parameters of the circuit below. (Si BJT with = 200, V A = 150 V, ignore Early effect in bias calculations). When R sig

1.01k views • 51 slides
What What can can we we learn learn from from present present- -day day HVCs HVCs about

What What can can we we learn learn from from present present- -day day HVCs HVCs about

04.10.2017 What What can can we we learn learn from from present present- -day day HVCs HVCs about about cold cold- -gas gas accretion accretion of of galaxies galaxies Gerhard Hensler Gerhard Hensler Dept Dept. . of of

359 views • 15 slides

More recommend