![Page 1: Improving Xen Security through Disaggregation, Derek Murray, Grzegorz Milos, Steven Hand](https://reader036.vdocuments.mx/reader036/viewer/2022062322/5697bf781a28abf838c81d23/html5/thumbnails/1.jpg)
Improving Xen Security through Disaggregation
Derek Murray, Grzegorz Milos, Steven Hand
Outline
• The myth of the secure hypervisor
• Trusted computing bases
• Disaggregating Xen
• Results
• Future work
Xen
• Small hypervisor
– 100k lines of code
• Provides isolation between VMs
• “Trusting the virtual machine monitor is akin to trusting a real processor”
[Figure: a VM running its OS on top of Xen, which sits directly on the hardware]
Domain Zero
• Full Linux distribution
• User-space tools for VM management
• Privileged hypervisor interface
– Map foreign memory
– Set foreign VCPU
• Therefore must be trusted
[Figure: Dom0 and a guest VM side by side on top of Xen and the hardware]
Threat Model
• Malicious software running as Dom0 root
– Root exploit on Dom0
– Untrusted administrator
• Want to protect the security of other VMs
– Confidentiality
– Integrity
• Solution: disaggregation
Trusted Computing Base
• “The set of components on which a subsystem depends”
• “The totality of protection mechanisms... responsible for enforcing a computer security policy”
• Anything that can directly invoke a privileged operation
– And hence undermine security
Call Graph
[Figure: call graph spanning the protection domains PD x, PD y and PD z]
Current Xen Control Stack
[Figure: the control stack, top to bottom]
Dom0 User: Build VM
Dom0 Kernel: Make hypercall
Hypervisor: Map memory, Set VCPU
Minimise the TCB?
[Figure: the same control stack, top to bottom]
Dom0 User: Build VM
Dom0 Kernel: Make hypercall
Hypervisor: Map memory, Set VCPU
Smaller is not always better
[Figure: the disaggregated control stack, top to bottom]
Dom0 User: Build VM
DomB: Make hypercall
Hypervisor: Map memory, Set VCPU
Implementation
[Figure: Xen hosting Dom0 (running Xend), DomB and the DomUs …]
Results
• Smaller, static TCB
– No longer contains Dom0 userspace
– Now only VMM, DomB and Dom0 kernel
– With an I/O MMU, only VMM and DomB
• Other VMs protected from Dom0 root
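The TCB argument running through the Call Graph, Current Xen Control Stack, Smaller is not always better and Results slides can be made mechanical. The following is an added example, not code from the slides or from the Xen project: it models each control stack as a call graph over (component, operation) nodes, where an edge records whether the caller still chooses the target VM (ANY) or the callee picks it (OWN, as DomB does when it builds a fresh domain), and computes the TCB as every component that can reach a privileged operation while still choosing the target. The component and operation names follow the slide diagrams; the `dma` node standing in for the Dom0 kernel's device access, and treating it as privileged only without an IOMMU, is my reading of the Results slide (an assumption).

```python
"""Added model of the control stacks in the slides (not the slides' own
code). Nodes are (component, operation) pairs; an edge says the caller
can invoke the callee operation directly and whether the caller still
chooses the target VM (ANY) or the callee does (OWN)."""
from collections import deque

ANY, OWN = "any", "own"

# Hypervisor operations that read or rewrite another VM: privileged in
# every configuration. Device DMA from the Dom0 kernel (assumption) is
# added to the set only when no IOMMU confines it.
HYPERVISOR_PRIVILEGED = {("hypervisor", "map_memory"), ("hypervisor", "set_vcpu")}
DOM0_DMA = ("dom0_kernel", "dma")


def _graph(edges, *lone_nodes):
    g = {n: [] for n in lone_nodes}
    for src, dst, scope in edges:
        g.setdefault(src, []).append((dst, scope))
        g.setdefault(dst, [])
    return g


def current_xen():
    """'Current Xen Control Stack': Dom0 userspace builds a VM by issuing
    raw hypercalls through the Dom0 kernel, which passes the caller's
    chosen target domain straight through to the hypervisor."""
    graph = _graph([
        (("dom0_user", "build_vm"), ("dom0_kernel", "make_hypercall"), ANY),
        (("dom0_kernel", "make_hypercall"), ("hypervisor", "map_memory"), ANY),
        (("dom0_kernel", "make_hypercall"), ("hypervisor", "set_vcpu"), ANY),
    ], DOM0_DMA)
    return graph, HYPERVISOR_PRIVILEGED | {DOM0_DMA}


def disaggregated(iommu):
    """'Smaller is not always better': Dom0 userspace asks DomB to build a
    VM. DomB picks the fresh domain itself, so the caller cannot aim
    map_memory / set_vcpu at an existing VM."""
    graph = _graph([
        (("dom0_user", "build_vm"), ("domb", "build_vm"), OWN),
        (("domb", "build_vm"), ("hypervisor", "map_memory"), ANY),
        (("domb", "build_vm"), ("hypervisor", "set_vcpu"), ANY),
    ], DOM0_DMA)
    privileged = HYPERVISOR_PRIVILEGED | (set() if iommu else {DOM0_DMA})
    return graph, privileged


def reachable_scope(graph, start):
    """Widest scope with which each node is reachable from `start`.
    Scope only narrows along a path: past an OWN hop the original caller
    no longer chooses the target, whatever the later hops allow."""
    best = {start: ANY}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, scope in graph[node]:
            s = OWN if (scope == OWN or best[node] == OWN) else ANY
            if nxt not in best or (best[nxt] == OWN and s == ANY):
                best[nxt] = s
                queue.append(nxt)
    return best


def tcb(graph, privileged):
    """Components with some operation that reaches a privileged operation
    while still choosing the target: the slides' 'anything that can
    directly invoke a privileged operation'. A component whose own
    operation is privileged is trivially a member."""
    members = set()
    for node in graph:
        reach = reachable_scope(graph, node)
        if any(reach.get(p) == ANY for p in privileged):
            members.add(node[0])
    return members


def dom0_root_confined(graph, privileged):
    """True when a root compromise of Dom0 userspace cannot touch other VMs."""
    return "dom0_user" not in tcb(graph, privileged)


if __name__ == "__main__":
    configs = {
        "current": current_xen(),
        "disaggregated": disaggregated(iommu=False),
        "disaggregated+iommu": disaggregated(iommu=True),
    }
    for name, (g, p) in configs.items():
        print(f"{name:20} TCB={sorted(tcb(g, p))} "
              f"dom0 root confined={dom0_root_confined(g, p)}")
```

Running it reproduces the Results slide: the current stack puts Dom0 userspace, the Dom0 kernel and the hypervisor in the TCB; with DomB the TCB is DomB, the Dom0 kernel and the hypervisor, and the Dom0 kernel drops out once an IOMMU removes its unrestricted DMA. The node count of the TCB barely changes between the first two, which is the "smaller is not always better" point: what moved Dom0 userspace out was not removing a layer but replacing the raw `make_hypercall` interface with an interface whose callee chooses the target.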
Future Work
• Virtual TPM support
• Automated techniques for disaggregation
• Metrics for trustworthiness
Conclusions
• Virtualised TCB can be surprising
• Smaller TCB is not always better
• Choosing appropriate interfaces is crucial
Questions