Cloud Security with LibVMI
•
7 likes•3,415 views
The document provides a brief history of hardware security from 1982 to present day, focusing on developments like protected mode, virtualization with Xen and VT-x/AMD-V, the Intel Management Engine, SGX, and virtual machine introspection (VMI). It discusses the core concepts behind VMI including isolation, interpretation, and interposition. LibVMI is introduced as a tool for VMI that allows monitoring VM memory, translating guest virtual addresses, and placing hooks in the guest. Future directions include more guest OS and hypervisor support as well as new event types.
Report
Share
Cloud Security with LibVMI
- 2. Outline ● What is the Cloud? ● Looking at HW based security ● Virtual Machine Introspection ● LibVMI ● Demos ● What’s next?
- 3. What is the Cloud? Big Tech Technician End user Management Developers Researcher
- 5. Cloud Security ● Mainly an issue for the cloud providers ● They need to monitor their virtual hardware ● And for enterprise cloud applications ● They need to monitor their database and webapp ● An end user can only change his password ● He has no access to the underlying hardware/software
- 6. Cloud Security ● Co-resident/breakout attacks ● Possible ● Network based attacks ● Probable ● Attackers will go after the low-hanging fruit ● We need to leverage Cloud defense mechanisms
- 7. Why should you care? ● The technology powering the Cloud is also available on end-user systems ● on your phone, PC, tablets.. ● Defense mechanisms that work for the Cloud will work for you!
- 8. Non-comprehensive History of HW Security ..in 5 minutes
- 11. 1982: Protected mode Ring2 Ring1 Ring3 Ring0 Application Operating System Unused
- 12. 1982: Protected mode Ring2 Ring1 Ring3 Ring0 Application Operating System UnusedMore privilege
- 14. Ring3Ring3 Ring3Ring3 2003: Xen Ring2 Ring3 Ring0 Applications Xen Unused Operating SystemsRing1
- 16. Ring3Ring3 2003: Xen on x86-64 Ring2 Ring1 Ring3 Ring0 OS/Applications Xen Disabled
- 17. 2006: VT-x & AMD-V Ring2 Ring1 Ring3 Ring0 App Operating System Disabled/Unused Ring-1 Hypervisor
- 18. 2006: VT-x & AMD-V Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machine More privilege
- 19. 2006: VT-x & AMD-V Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machines
- 20. Psst.. I’m here too (since ‘93)! Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machines Ring-2 System Management Mode
- 21. Psst.. I’m here too (since ‘93)! Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machines System Management Mode Ring2 Ring1 Ring3 Ring0
- 22. 2006?: Intel Dual-monitor SMM Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Secure Transfer Monitor (STM)
- 23. 2008: Intel Management Engine Ring-3 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Intel ME
- 25. 2008: Intel Management Engine User Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Kernel ARC 600(?)
- 26. 2008: Intel Management Engine User Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel ARC 600(?)
- 30. Oh yea, we have these too.. Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring0 SGX Ring3 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring0 SGX Ring3 SGX Ring3 User Supervisor User Supervisor User Supervisor ARM CPUs in your harddrive, NIC, etc. User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel
- 32. The Cloud in 2015 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machines
- 33. Securing Virtual Machines ● Security based on the Hypervisor ● Move security stack outside of the OS! ● Monitor o VM Memory o Virtual Hardware state
- 35. What is VMI ● View and control virtual machine from an external perspective ● Including o Network o Disk o Memory o vCPU
- 36. VMI - The 3 aspects 1. Isolation 2. Interpretation 3. Interposition
- 37. Isolation ● Move security component outside of the guest operating system ● Hypervisor exposes a smaller attack surface ● Increasingly harder to tamper with or disable security system
- 39. Interposition ● Step into the execution of the machine ● Prevent attacks from modifying the system (repair hooks, privileges, etc.) ● Needs to be fast, reliable, and stealthy ● Based directly on hardware events
- 40. VMI - The 3 aspects 1. Isolation → Hypervisor 2. Interpretation → LibVMI / Volatility 3. Interposition → Intel
- 41. LibVMI
- 42. Use cases ● System-level debugging ● Timeline or trend analysis ● Runtime security ● OS Integrity ● Malware analysis ● Forensics
- 44. Core features ● Read and write VM memory ● Virtual Memory Translation (Paging) o Using various methods (DTB, PID, Kernel Symbol) ● Find and map guest OS data structures ● Place monitoring event-hooks into the guest o Exceptions, Page Faults
- 45. Events on Xen with Intel CPUs ● Intel Extended Page Tables (EPT) ● Register write events ([X]CR0/3/4, MSRs) ● Software breakpoint interrupts (INT3) ● Single-stepping (MTF)
- 48. What’s next with LibVMI?
- 49. Future directions ● More guest OS support: o Android, BSD, etc. ● More (and better) hypervisor support: o KVM events, VirtualBox, Hyper-V, ESXi, etc. ● More events support on more platforms: o AMD, ARM, Intel
- 50. What’s next in the Cloud?
- 51. Future directions in the Cloud ● Software developed with Cloud in mind ● Scalable Applications and Separation of Tasks ● Enable VMI in the cloud o The Software and Hardware is already available o Cloud Providers do not provide access
- 52. Thanks! Tamas K Lengyel tamas@tklengyel.com tlengyel@novetta.com @tklengyel Thomas Kittel kittel@sec.in.tum.de LibVMI http://libvmi.com DRAKVUF http://drakvuf.com