Computer Security: Virtual Machine Security - Lecture 25, Study notes of Computer Science

A set of lecture notes from a computer and network security course at Penn State University, focusing on virtual machine security. The notes cover virtual machine architectures, types, and security, as well as specific security mechanisms such as access control and Chinese Wall. The professor, Jaeger, also discusses challenges and threats related to virtual machines.

Uploaded on 09/24/2009

koofers-user-jy0-1
koofers-user-jy0-1 🇺🇸

9 documents

1 / 24

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 25 - Virtual machine security
December 6, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/



Implementation and Results

Experimental Platform

Exact specification of platform

Design may have more than implementation -- what did you implement?

How are key design features/mechanisms implemented?

Results

Summarize -- what do the results mean?

Specific experiments

• We did X, saw Y

What do the experiments prove

What other experiments would you want to do based on these results?

Virtual Machines

Instead of using system software to enable sharing, use system software to enable isolation

Virtualization

• “a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, and end users interact with those resources”

Virtual Machines

Single physical resource can appear as multiple logical resources

Virtual Machine Architectures

Full system simulation

CPU can be simulated

Paravirtualization (Xen)

VM has a special API

Requires OS changes

Native virtualization (VMWare)

Simulate enough HW to run OS

OS is for same CPU

Application virtualization (JVM)

Application API

VM Security

Isolation of VM computing

Like a separate machine

[Figure: two VMs, each running a guest OS, above a Virtual Machine Monitor; the VMM controls the physical devices, partitions resources between the VMs, and mediates their device requests]

VAX VMM Security Kernel

A1 assured virtual machine system

Virtualization

Protect sensitive state

• Sensitive instructions must be virtualized (i.e., require privilege)

• Access to sensitive data must be virtualized (ditto)

Need to hide virtualization

• Systems cannot see that they are being virtualized

I/O Processing

• Need to share access to devices correctly

• Special driver interface (all in VMM security kernel)

Self-virtualization: Run VMM as VM

VAX VMM Access Control

Subjects and objects

Coarse-grained access control possible

• VMs are subjects

• Disk partitions are objects

Lattice policies for secrecy and integrity

Bell-LaPadula for secrecy

Biba for integrity

Privileges for special operations

E.g., administrative operations

Discretionary access controls

Aside

Simple security property

Read-down only

S can read O if and only if S’s access class dominates (or equals) O’s

*-security property

Write-up only

S can write to O if and only if O’s access class dominates (or equals) S’s

Basic Security Theorem

Every protection state satisfies the simple security and *-security properties

Bell-LaPadula meets this trivially
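The lattice checks behind the VAX VMM's secrecy and integrity policies (the Bell-LaPadula and Biba lines above, and the read-down/write-up aside), as an added worked example in Python. This is not code from the slides or from the VAX VMM: access classes are modelled as a level plus a category set ordered by dominance, and the VMM grants a VM (subject) an operation on a disk partition (object) only when both the BLP secrecy rule and the Biba integrity rule allow it. The VM names, partition names, levels and the "crypto" category are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessClass:
    """A lattice element: a sensitivity level plus a set of categories."""
    level: int
    categories: frozenset

    def dominates(self, other: "AccessClass") -> bool:
        # A dominates B iff A's level >= B's level and A's categories include B's.
        return self.level >= other.level and self.categories >= other.categories


def blp_allows(op: str, subject: AccessClass, obj: AccessClass) -> bool:
    """Bell-LaPadula secrecy: read down, write up."""
    if op == "read":          # simple security property: S dominates O
        return subject.dominates(obj)
    if op == "write":         # *-property: O dominates S
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(op: str, subject: AccessClass, obj: AccessClass) -> bool:
    """Biba integrity: the dual rules, read up, write down."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


@dataclass(frozen=True)
class Label:
    """Each VM and each partition carries a secrecy class and an integrity class."""
    secrecy: AccessClass
    integrity: AccessClass


def vmm_allows(op: str, subject: Label, obj: Label) -> bool:
    """Coarse-grained VMM decision: both lattices must permit the access."""
    return (blp_allows(op, subject.secrecy, obj.secrecy)
            and biba_allows(op, subject.integrity, obj.integrity))


# Constructed sample lattice (hypothetical labels, not the VAX VMM's).
PUBLIC = AccessClass(0, frozenset())
SECRET = AccessClass(1, frozenset({"crypto"}))
SECRET_NO_CAT = AccessClass(1, frozenset())
UNTRUSTED = AccessClass(0, frozenset())   # integrity: low
TRUSTED = AccessClass(1, frozenset())     # integrity: high

VMS = {
    "vm-secret": Label(secrecy=SECRET, integrity=TRUSTED),
    "vm-public": Label(secrecy=PUBLIC, integrity=UNTRUSTED),
    "vm-secret-nocat": Label(secrecy=SECRET_NO_CAT, integrity=TRUSTED),
}
PARTITIONS = {
    "disk-secret": Label(secrecy=SECRET, integrity=TRUSTED),
    "disk-download": Label(secrecy=PUBLIC, integrity=UNTRUSTED),
}


def decide(vm: str, partition: str, op: str) -> bool:
    """Look up the labels of a VM and a partition and apply both policies."""
    return vmm_allows(op, VMS[vm], PARTITIONS[partition])


if __name__ == "__main__":
    for vm in VMS:
        for part in PARTITIONS:
            for op in ("read", "write"):
                verdict = "allow" if decide(vm, part, op) else "deny"
                print(f"{vm:16} {op:5} {part:14} -> {verdict}")
```

Two of the rows are the instructive ones: the secret VM may not read the low-integrity download partition even though BLP's read-down rule permits it, and the public VM may not write up into the secret partition even though BLP permits that too; in both cases it is the Biba rule that denies. The category set matters as well: a VM at the secret level without the "crypto" category does not dominate the secret partition and so cannot read it.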

NetTop

Isolated networks of VMs

Alternative to “air gap” security

[Figure: NetTop: a Secret VM and a Public VM, each a VMWare guest OS, run on an SELinux host OS that enforces MLS separation between them; the slide shows two such hosts]

Xen

Paravirtualized Hypervisor

[Figure: Xen: a privileged VM (Dom 0, running the host OS drivers and VM services) and DomU guest VMs sit above the Xen hypervisor, which partitions resources and handles their device requests]

Xen sHype Policies

• Type Enforcement

Mandatory, access matrix policy associating subject labels with object labels and operations

A VM with a subject label L can perform an operation op on an object (e.g., VM, memory, file system) with object label M if the TE policy access matrix includes an entry for (L, M, op)

• Chinese Wall

Conflict of interest restrictions

A subject L can access an object labeled M in conflict set C:

• if subject L has previously accessed an object labeled M, or

• if subject L has not previously accessed an object of any label in conflict set C

Why are Type Enforcement and Chinese Wall used?
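The two sHype policy types above, as an added worked example in Python. This is a toy model, not sHype's own code or policy format: the Type Enforcement check is a lookup in an access matrix keyed by (subject label, object label), and the Chinese Wall check consults the subject's access history against a list of conflict sets, exactly as the two bullets state. Granted accesses are recorded; denied ones are not, so a refused request cannot poison later decisions. The VM and file-system labels and the request sequence are constructed sample data.

```python
from collections import defaultdict


class HypervisorPolicy:
    """Combines a Type Enforcement access matrix with Chinese Wall history
    (toy model of the two sHype policy types; not sHype's implementation)."""

    def __init__(self, te_matrix, conflict_sets):
        # te_matrix: {(subject_label, object_label): set of permitted operations}
        self.te_matrix = te_matrix
        # conflict_sets: iterable of sets of object labels that conflict with each other
        self.conflict_sets = [frozenset(c) for c in conflict_sets]
        # history: subject label -> set of object labels it has successfully accessed
        self.history = defaultdict(set)

    def te_allows(self, subject, obj, op):
        """Mandatory access-matrix check: is (subject, obj, op) in the matrix?"""
        return op in self.te_matrix.get((subject, obj), set())

    def chinese_wall_allows(self, subject, obj):
        """Conflict-of-interest check over the subject's access history."""
        seen = self.history[subject]
        for conflict_set in self.conflict_sets:
            if obj not in conflict_set:
                continue                  # object is outside this conflict set
            if obj in seen:
                continue                  # same label accessed before: allowed
            if seen & conflict_set:
                return False              # a different label in the same set: denied
        return True

    def access(self, subject, obj, op):
        """Decide a request; record history only for granted accesses."""
        allowed = (self.te_allows(subject, obj, op)
                   and self.chinese_wall_allows(subject, obj))
        if allowed:
            self.history[subject].add(obj)
        return allowed


def demo_trace():
    """Constructed scenario: two bank workloads whose data must never be
    combined in one VM, plus a public file system. Returns the decisions."""
    policy = HypervisorPolicy(
        te_matrix={
            ("vm_consulting", "bank_a_fs"): {"read", "write"},
            ("vm_consulting", "bank_b_fs"): {"read", "write"},
            ("vm_consulting", "public_fs"): {"read"},
            ("vm_audit", "bank_b_fs"): {"read"},
        },
        conflict_sets=[{"bank_a_fs", "bank_b_fs"}],
    )
    requests = [
        ("vm_consulting", "bank_a_fs", "read"),   # first touch of the conflict set
        ("vm_consulting", "bank_b_fs", "read"),   # TE allows, Chinese Wall denies
        ("vm_consulting", "bank_a_fs", "write"),  # same label again: fine
        ("vm_consulting", "public_fs", "read"),   # outside any conflict set
        ("vm_consulting", "public_fs", "write"),  # no TE entry: denied
        ("vm_audit", "bank_b_fs", "read"),        # different subject, clean history
    ]
    return [policy.access(*request) for request in requests]


if __name__ == "__main__":
    print(demo_trace())   # [True, False, True, True, False, True]
```

The trace answers the slide's closing question in miniature: Type Enforcement alone says what each VM may ever touch, but it is stateless, so it would let the consulting VM read both banks' file systems one after the other; Chinese Wall adds the history-dependent rule that closes that path without having to enumerate every forbidden combination in the matrix.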

Java Virtual Machine

Interpret Java bytecodes

Machine specification defined by bytecode

On all architectures, run same bytecodes

• Write once, run anywhere

Can run multiple programs within the JVM simultaneously

Different ‘classloaders’ can result in different protection domains

How do we enforce access control?

Java Security Architecture

• Java 1.1: Signed code (trusted remote -- think Authenticode)

• Java 1.2: Flexible access control, included in Java 2

Stack Inspection

• Authorize based on protection domains on the stack

• Union of all sources

• All must have permission
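The "all must have permission" rule of stack inspection, as an added worked example in Python. This is a simplified model, not the JDK's AccessController code: each call frame carries the protection domain of the class loader that loaded its code, and a permission check walks the stack from the innermost frame outward, failing as soon as any domain on the stack lacks the permission. Beyond what the slide states, the model also marks a frame as privileged (the Java 2 doPrivileged mechanism) to show how the walk is cut short so trusted library code can act for a less-trusted caller without the caller's domain being consulted. The domain names, permission strings and the call stacks are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionDomain:
    """Code from one source / class loader belongs to one protection domain."""
    name: str
    permissions: frozenset

    def implies(self, permission: str) -> bool:
        # "<all>" is this example's shorthand for a domain holding every permission.
        return "<all>" in self.permissions or permission in self.permissions


@dataclass(frozen=True)
class Frame:
    domain: ProtectionDomain
    privileged: bool = False   # doPrivileged-style frame (Java 2 feature, beyond the slide)


def check_permission(stack, permission: str) -> bool:
    """Walk the stack from the innermost frame (stack[-1]) outward.

    Every domain encountered must hold the permission (the union-of-all-sources
    rule). A privileged frame ends the walk after its own domain is checked."""
    for frame in reversed(stack):
        if not frame.domain.implies(permission):
            return False
        if frame.privileged:
            return True
    return True


# Constructed domains: fully trusted system code and an applet from one origin.
SYSTEM = ProtectionDomain("system", frozenset({"<all>"}))
APPLET = ProtectionDomain("applet:http://example.invalid",
                          frozenset({"socket.connect:example.invalid"}))


def scenarios():
    """Five call stacks (outermost frame first) and the permission each requests."""
    cases = [
        # system code calling system code: every domain is trusted
        ([Frame(SYSTEM), Frame(SYSTEM)], "file.read:/etc/passwd"),
        # applet calls a library routine; the applet is still on the stack
        ([Frame(SYSTEM), Frame(APPLET), Frame(SYSTEM)], "file.read:/etc/passwd"),
        # same, but the library marked itself privileged: walk stops at it
        ([Frame(SYSTEM), Frame(APPLET), Frame(SYSTEM, privileged=True)], "file.read:/etc/passwd"),
        # applet connecting back to its own origin: all domains hold it
        ([Frame(SYSTEM), Frame(APPLET)], "socket.connect:example.invalid"),
        # privileged does not add permissions the domain itself lacks
        ([Frame(SYSTEM), Frame(APPLET), Frame(APPLET, privileged=True)], "file.read:/etc/passwd"),
    ]
    return [check_permission(stack, permission) for stack, permission in cases]


if __name__ == "__main__":
    print(scenarios())   # [True, False, True, True, False]
```

The second and third cases are the point of the slide: an untrusted domain anywhere on the stack vetoes the request, because the permission set in force is effectively the intersection of every caller's permissions, not the permissions of the code that happens to be running. The last case shows the limit of the privileged cut-off: it stops the walk, but it cannot grant a domain a permission that its own policy never gave it.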