Virtualization and Cloud Security

1
Virtualization and Cloud Security

• Huzur Saran
• IIT Delhi

2
Typical Cloud
Cloud API
m1
m2
m3
m4
m5
m1
m2
m3
m4
m5
m1
m2
m3
m4
m5
hypervisor
hypervisor
hypervisor
hw
hw
hw
m1
m2
m3
m4
m5
m1
m2
m3
m4
m5
hypervisor
hypervisor
hw
m1
m2
m3
m4
m5
hw
m1
m2
m3
m4
m5
hypervisor
m1
m2
m3
m4
m5
hypervisor
hw
hw
hypervisor
hw
3
Typical Server Virtualization Deployment
Ubuntu
Win 2003
Win 2008
Redhat
App
App
App
App
App
App
App
App
App
App
App
App
Management
App
App
App
App
App
App
App
App
App
App
App
App
OS
OS
OS
OS
Hypervisor
Hardware
4
Typical VDI Deployment
desktop
desktop
desktop
desktop
desktop
desktop
Dom0
OS
OS
OS
OS
OS
OS
Enterprise Hypervisor
Hardware
Thin client
Thin client
Thin client
Thin client
Thin client
Thin client
5
Security Issues

• Hypervisor is the underlying component of all
  these architectures. It is a new layer which
  needs to be protected
• Scale of deployments Just the sheer scale of
  deployments make this a security nightmare.
  Imagine 150 machines running a simultaneous
  scheduled AV scan on the same physical host.
  Chokes IO/Disk bandwidth.
• Isolation - Machines of a company and its
  competitor could be running on the same physical
  machine. Insufficient isolation could lead to
  disaster
• New APIs to access Virtualization/Cloud
  services. Bugs in these could lead to compromise
  of entire infrastructure.

6
Sample Hypervisor Security Issues

• CVE-2007-4496, CVE-2007-4497 ESX3.01, guest
  operating system can cause buffer overflow and
  arbitrary code execution in the host
• CVE-2007-0948 Virtual PC Heap overflow which
  could cause arbitrary privilege escalation
• CVE-2007-4993 Xen 3.0.3 User can escape to
  domain0 via grub.conf and pygrub

7
Security Issues Why?

• Hypervisors are written by humans. They have bugs
  typically buffer overflows
• Hypervisor are complex Xen is about 300K source
  lines of code
• Complete isolation is hard Most systems dont
  have IOMMUs which make it possible to DMA to
  arbitrary physical memory
• Compromised Domain0 on Xen pretty much means a
  hosed hypervisor. Domain0 runs commodity OSs
  which could have bugs.

8
Security Issues Why?

• DMA is a big problem on non IOMMU based systems
• Xen can setup DMA
• Dom0 can setup DMA
• Driver domains can setup DMA
• The range of physical addresses is not verified
• IOMMU based systems can restrict the range of
  addresses but they are not present in commodity
  hardware
• There are some techniques to even bypass IOMMU
  checks

9
Security Solutions

• Trusted hypervisor
• Hyperguard Phoenix Technologies A hypervisor
  integrity scanner in SMM.
• Deepwatch Intel project Virtualization
  rootkit scanner
• Domain 0 Hardening Various security solutions
  to white-list and harden Dom0

10
Security Opportunities

• New breed of security products is now possible to
  protect guest OSs from being hijacked
• Hypervisor based security suites cannot be
  detected by malware running in the guest
• Hypervisors allow introspection of very early
  boot sequences of the guest, thereby making
  possible an entire need breed of BIOS rootkit and
  kernel rootkit scanners

11
Security Opportunities

• APIs like VMSAFE from VMWare allow introspection
  of interesting system events in the guests
• These events can then be processed on a dedicated
  security appliance
• These events include CPU state monitoring, page
  faults, memory/register accesses, File-system
  events, network events etc.

12
Early Trends Consolidate common security
functions to security appliance
AV
F W
AV
F W
AV
F W
AV
F W
AV
F W
AV
F W
OS
OS
OS
OS
OS
OS
Enterprise Hypervisor
Hardware
Security Appliance Manager
Antivirus
Firewall
OS
OS
OS
OS
OS
OS
Enterprise Hypervisor
AV Shim
FW Shim
Hardware
13
Security is hard at all levels

• A prisoner was wrongly released after a fax was
  received from a grocery store stating that the
  Kentucky Supreme Court had demanded his release
  http//www.cnn.com/2007/US/04/21/wrongly.freed.ap
  /index.html

14
Security principles

• Open designyou need all the help you can get
• Economy of mechanism fewer things to get right
• Minimize secrets secrets dont remain secret
• Fail-safe defaults most users wont change them
• Least privilege limit the damage of an accident
• Separation of privilege dangerous operation
  should require multiple principals
• Complete mediation check every operation

15
Sample Security Issues

• http//taviso.decsystem.org/virtsec.pdf - Paper
  detailing several bugs in Virtual PC, Xen,
  Vmware, Parallels and BOCHS.
• http//www.theregister.co.uk/2009/10/09/amazon_clo
  ud_bitbucket_ddos_aftermath/ - UDP flood based
  DDoS against Amazon EC2
• Argument handling bugs in FLASK (Xen)

16

• Example A specially crafted poke to I/O port
  0x1004, results in an out-of-bounds write to an
  attacker controlled location. By interacting with
  the power management subsystem in specific ways,
  a write to an arbitrary location can be performed
  upon restarting a suspended virtual machine.
• VMware PIIX4 ACPI PM OOB Write
• section .text
• global _start
• _start
• mov eax, 110
• mov ebx, 3
• int 0x80a
• mov ax, 0x6c81
• mov dx, 0x1004
• out dx, ax
• xor ebx, ebx
• xor eax, eax
• inc eax
• int 0x80
• a. iopl()