PSU CSE 543 - Lecture 25 Virtual machine security

This preview shows page 1-2-23-24 out of 24 pages.

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 25 - Virtual machine security
December 6, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Slide 2: Implementation and Results
• Experimental Platform
  • Exact specification of platform
  • Design may have more than implementation -- what did you implement?
  • How are key design features/mechanisms implemented?
• Results
  • Summarize -- what do the results mean?
  • Specific experiments
    • We did X, saw Y
    • What do the experiments prove?
  • What other experiments would you want to do based on these results?

Slide 3: Operating System Quandary
• Recall Saltzer-Schroeder
• Q: What is the primary goal of system security?
• OS enables multiple users/programs to share resources on a physical device
  • Access control policies of OS become complex
  • E.g., SELinux
• What are we to do?

Slide 4: Virtual Machines
• Instead of using system software to enable sharing, use system software to enable isolation
• Virtualization
  • "a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, and end users interact with those resources"
• Virtual Machines
  • Single physical resource can appear as multiple logical resources

Slide 5: Virtual Machine Architectures
• Full system simulation
  • CPU can be simulated
• Paravirtualization (Xen)
  • VM has a special API
  • Requires OS changes
• Native virtualization (VMWare)
  • Simulate enough HW to run OS
  • OS is for same CPU
• Application virtualization (JVM)
  • Application API

Slide 6: Virtual Machine Types
• Type I
  • Lowest layer of software is VMM
  • E.g., Xen, VAX VMM, etc.
• Type II
  • Runs on a host operating system
  • E.g., VMWare, JVM, etc.
• Q: What are the trust model issues with Type II compared to Type I?

Slide 7: VM Security
• Isolation of VM computing
  • Like a separate machine
[Figure: two VMs, each running a Guest OS, on top of a Virtual Machine Monitor; the VMM owns the physical device controls, partitions resources between the VMs, and mediates their device requests]

Slide 8: VAX VMM Security Kernel
• A1 assured virtual machine system
• Virtualization
  • Protect sensitive state
    • Sensitive instructions must be virtualized (i.e., require privilege)
    • Access to sensitive data must be virtualized (ditto)
  • Need to hide virtualization
    • Systems cannot see that they are being virtualized
• I/O Processing
  • Need to share access to devices correctly
  • Special driver interface (all in VMM security kernel)
• Self-virtualization: Run VMM as VM

Slide 9: VM Security
• Do VMs need to communicate or share resources?
• How do they do it?

Slide 10: VAX VMM Access Control
• Subjects and objects
  • Coarse-grained access control possible
  • VMs are subjects
  • Disk partitions are objects
• Lattice policies for secrecy and integrity
  • Bell-LaPadula for secrecy
  • Biba for integrity
• Privileges for special operations
  • E.g., administrative operations
• Discretionary access controls

Slide 11: Aside
• Simple security property
  • Read-down only
  • S can read O if and only if S's access class dominates (or equals) O's
• *(star)-security property
  • Write-up only
  • S can write to O if and only if O's access class dominates (or equals) S's
• Basic Security Theorem
  • Every protection state satisfies the simple and *-security properties
  • Bell-LaPadula meets this trivially
  • Q: Why is this?

Slide 12: VAX VMM Challenges
• Q: Why was the project cancelled?
  • Drivers? In VMM... New model...
  • Development languages/performance? Pascal?!
  • Usability? Where's X?
  • Lack of customers?
  • Hardware changes?
  • Covert channel defenses? Fuzzy time...
  • Insanity?

Slide 13: NetTop
• Isolated networks of VMs
• Alternative to "air gap" security
[Figure: two NetTop hosts, each running a VM: Secret and a VM: Public (each with its own Guest OS) under VMWare on an SELinux host OS, labelled MLS]

Slide 14: Xen
• Paravirtualized Hypervisor
• Privileged VM
[Figure: Xen Hypervisor hosting two VM: DomU guests (each with a Guest OS) and Dom 0, whose Host OS holds the drivers and VM services; partitioned resources and device requests are mediated through Dom 0]

Slide 15: Xen sHype
• Controlled information flows among VMs
[Figure: the same Xen layout as slide 14 with a RefMon (reference monitor) added to the hypervisor]

Slide 16: Xen sHype Policies
• Type Enforcement
  • Mandatory, access matrix policy associating subject labels with object labels and operations
  • A VM with a subject label L can perform an operation op on an object (e.g., VM, memory, file system) with object label M if the TE policy access matrix includes an entry for this
• Chinese Wall
  • Conflict of interest restrictions
  • A subject L can access an object labeled M in conflict set C:
    • If subject L has previously accessed an object labeled M
    • If subject L has not previously accessed an object of any label in conflict set C
• Why are Type Enforcement and Chinese Wall used?

Slide 17: Java Virtual Machine
• Interpret Java bytecodes
  • Machine specification defined by bytecode
  • On all architectures, run same bytecodes
  • Write once, run anywhere
• Can run multiple programs w/i JVM simultaneously
  • Different 'classloaders' can result in different protection domains
• How do we enforce access control?

Slide 18: Java Security Architecture
• Java 1.0: Applets and Applications

Slide 19: Java Security Architecture
• Java 1.1: Signed code (trusted remote -- think Authenticode)
• Java 1.2: Flexible access control, included in Java 2
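The VAX VMM access-control slides above (VMs as subjects, disk partitions as objects, Bell-LaPadula for secrecy and Biba for integrity) can be made concrete with the following added example; it is not code from the lecture or from the VAX VMM, and the VM names, partition names and access classes are constructed. It also shows why the Basic Security Theorem holds trivially: a state is secure exactly when every current access passes the same per-access checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessClass:
    """One lattice element: a hierarchical level plus a set of categories."""
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other):
        # a dominates b when its level is >= b's and its categories are a superset
        return self.level >= other.level and self.categories >= other.categories

@dataclass(frozen=True)
class Label:
    secrecy: AccessClass    # Bell-LaPadula class
    integrity: AccessClass  # Biba class

def allowed(subject, obj, op):
    """Grant only if both the secrecy and the integrity lattice permit op."""
    s, o = subject, obj
    if op == "read":   # BLP simple security: read down; Biba: read up
        return s.secrecy.dominates(o.secrecy) and o.integrity.dominates(s.integrity)
    if op == "write":  # BLP *-property: write up; Biba: write down
        return o.secrecy.dominates(s.secrecy) and s.integrity.dominates(o.integrity)
    raise ValueError(f"unknown operation {op!r}")

def state_is_secure(state, labels):
    """Basic Security Theorem check: a protection state (set of current
    (subject, object, op) accesses) is secure iff every access passes allowed()."""
    return all(allowed(labels[s], labels[o], op) for s, o, op in state)

# Constructed labels: VMs are subjects, disk partitions are objects (VAX VMM model)
UNCLASS, SECRET = AccessClass(0), AccessClass(1, frozenset({"crypto"}))
LOW, HIGH = AccessClass(0), AccessClass(1)
LABELS = {
    "vm-secret":    Label(SECRET,  HIGH),
    "vm-public":    Label(UNCLASS, LOW),
    "disk-secret":  Label(SECRET,  HIGH),
    "disk-public":  Label(UNCLASS, LOW),
    "disk-trusted": Label(UNCLASS, HIGH),  # public data from a high-integrity source
}

def decide(vm, partition, op):
    """Reference-monitor decision for one VM request against one partition."""
    return allowed(LABELS[vm], LABELS[partition], op)
```

Note that BLP alone would let the public VM write into the secret partition (write-up) and let the secret VM read the public partition (read-down); Biba is what blocks both, since low-integrity data must not flow into high-integrity subjects or objects.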
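The sHype policy slide above describes Type Enforcement (a mandatory access matrix over subject labels, object labels and operations) combined with Chinese Wall (history-based conflict-of-interest restriction). The following added example implements both rules as a toy reference monitor; it is not sHype's code or policy syntax, and the labels, matrix and conflict sets are constructed.

```python
from collections import defaultdict

class RefMon:
    """Toy reference monitor: TE access matrix plus Chinese Wall access history."""

    def __init__(self, te_matrix, conflict_sets):
        self.te = te_matrix                  # (subject label, object label) -> set of ops
        self.conflict_sets = conflict_sets   # list of sets of object labels
        self.history = defaultdict(set)      # subject label -> object labels accessed so far

    def te_allows(self, subj, obj, op):
        # Type Enforcement: the matrix must hold an explicit entry for (L, M, op)
        return op in self.te.get((subj, obj), set())

    def chinese_wall_allows(self, subj, obj):
        # Chinese Wall: for every conflict set containing M, the subject must either
        # have touched nothing in that set or have touched only M itself
        for cs in self.conflict_sets:
            if obj not in cs:
                continue
            touched = self.history[subj] & cs
            if touched and obj not in touched:
                return False
        return True

    def authorize(self, subj, obj, op):
        ok = self.te_allows(subj, obj, op) and self.chinese_wall_allows(subj, obj)
        if ok:
            self.history[subj].add(obj)  # only granted accesses extend the history
        return ok

# Constructed policy (assumed label names)
TE_MATRIX = {
    ("vm_consultant", "fs_bank_a"): {"read"},
    ("vm_consultant", "fs_bank_b"): {"read"},
    ("vm_consultant", "fs_oil_x"):  {"read", "write"},
    ("vm_bank_a",     "fs_bank_a"): {"read", "write"},
}
CONFLICT_SETS = [{"fs_bank_a", "fs_bank_b"}, {"fs_oil_x", "fs_oil_y"}]

def run_scenario():
    """Sequence of requests from the consultant VM; returns the decisions in order."""
    rm = RefMon(TE_MATRIX, CONFLICT_SETS)
    return [
        rm.authorize("vm_consultant", "fs_bank_a", "read"),   # True: TE entry, no history
        rm.authorize("vm_consultant", "fs_bank_a", "read"),   # True: same label again
        rm.authorize("vm_consultant", "fs_bank_b", "read"),   # False: wall, bank_a touched
        rm.authorize("vm_consultant", "fs_oil_x", "write"),   # True: other conflict set
        rm.authorize("vm_consultant", "fs_bank_a", "write"),  # False: no TE entry for write
        rm.authorize("vm_bank_a", "fs_bank_a", "write"),      # True: separate subject history
    ]
```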

