Hypervisors and Next Generation VirtualizationOverviewOriginsDetails: Native HypervisorDetails: Hosted HypervisorDetails: x86 ArchitectureDetails: x86 VirtualizationDetails: OS ParavirtualizationTypical UsageDark side: VM rootkitDarker Still: Blue PillTypical RootkitSlide 13Slide 14Slide 15Slide 16Slide 17Hypervisor RootkitSlide 19Slide 20Slide 21Slide 22In Better HandsReferencesQuestionsHypervisors and Next Generation VirtualizationWilliam StricklandCOT4810 Spring 2008February 7, 2008OverviewOriginsDetailsTypical UsageDark SideDarker StillIn Better HandsOriginsHypervisor also known as Virtual Machine Monitor.Software emulating hardware to operating systems.First developed for Servers and Mainframes by IBM.Due to plentiful hardware not widely used, but fundamental method of virtualization.Details: Native HypervisorHypervisor directly on top of hardware.Emulates hardware to operating systems.Difficult to implement.Details: Hosted HypervisorRuns under host operating system.Easier to implement.Less efficient.Details: x86 Architecture Instruction levels (rings) 0 to 3.Operating Systems use lowest ring (ring 0).Hardware does not support virtualization.Details: x86 Virtualization Support traditionally from layers of software to emulate privileged commands.Recent additions by AMD and Intel provide Virtualization support of hypervisors. Hypervisor code runs below operating systems and assumes control of hardware.Details: OS ParavirtualizationOperating system to be virtualized is modified with hypervisor awareness.Avoids using commands that must be emulated, thus improving performance.Simplifies Hypervisor design and implementation.Typical UsageMachine Consolidation - More machines in one, for mutually exclusive function. Sandboxing – performing dangerous actions in contained environment. Whole System Mobility – moving whole system around.Dark side: VM rootkitWhole OS can be under command of software entity.ConcernsCross platform.No way to breach VM.LimitationsOn typical x86 hardware, hard to put an incumbent operating system into VM.Can detect if running in VM.Darker Still: Blue PillNew hardware support of hypervisors allows machine to be subverted much more easily.ConcernsAct as stealthier rootkit. Hypervisor invisible to rest of system.LimitationsLimited targets.Can be detected, probably.Typical RootkitTypical RootkitTypical RootkitTypical RootkitTypical RootkitTypical RootkitHypervisor RootkitHypervisor RootkitHypervisor RootkitHypervisor RootkitHypervisor RootkitIn Better HandsEnforce Kernel protection; stop kernel hooking.Prevent rootkits (including hypervisor based).Better security implementation allowing more isolation of critical systems.References“Blue Pill” August 24, 2006. Podcast. “Security Now!.” grc.com. 27 August 2006. <https://www.grc.com/securitynow.htm>.Dorman, Andy. "Intel VT vs. AMD Pacifica." IT Architect Nov 2005: 51-57.Greene, Jay. "Microsoft Revives Virtualization Push." Business Week Online 23 Jan 2008: 28.Marshall, David, Wade A. Reynolds, and Dave McCrory. Advanced Server Virtualization. Boca Raton, FL: Auerbach Publications, 2006.Popek, Gerald J., and Robert P. Goldberg. "Formal requirements for virtualizable third generation architectures." Communications of the ACM 17.7(1974): 412-421.Rosenblum, Mendel, and Tal Garfinkel. "Virtual Machine Monitors: Current Technology and Future Trends." Computer 38.5(2005): 39-47.Vaas, Lisa. "Blue Pill at Black Hat." eWeek 13 June 2007: 10.Whitaker, Andrew, et al. Gribble."Rethinking the Design of Virtual Machine Monitors." Computer 38.5(2005): 57-62.QuestionsAt what ring does the kernel of a 32-bit x86 operating system run?True or false, paravirtualization can run improve performance of an unmodified operating
View Full Document
Unlocking...