Cloud Security with LibVMI
- 2. Outline
● What is the Cloud?
● Looking at HW based security
● Virtual Machine Introspection
● LibVMI
● Demos
● What’s next?
- 3. What is the Cloud?
Big Tech Technician End user
Management Developers Researcher
- 5. Cloud Security
● Mainly an issue for the cloud providers
● They need to monitor their virtual hardware
● And for enterprise cloud applications
● They need to monitor their database and webapp
● An end user can only change his password
● He has no access to the underlying hardware/software
- 6. Cloud Security
● Co-resident/breakout attacks
● Possible
● Network based attacks
● Probable
● Attackers will go after the low-hanging fruit
● We need to leverage Cloud defense mechanisms
- 7. Why should you care?
● The technology powering the Cloud is also
available on end-user systems
● on your phone, PC, tablets..
● Defense mechanisms that work for the
Cloud will work for you!
- 17. 2006: VT-x & AMD-V
Ring2
Ring1
Ring3
Ring0
App
Operating System
Disabled/Unused
Ring-1 Hypervisor
- 18. 2006: VT-x & AMD-V
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
VMX root
OS/Hypervisor
VMX non-root
Virtual Machine
More privilege
- 19. 2006: VT-x & AMD-V
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
VMX root
OS/Hypervisor
VMX non-root
Virtual Machines
- 20. Psst.. I’m here too (since ‘93)!
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
VMX root
OS/Hypervisor
VMX non-root
Virtual Machines
Ring-2
System
Management Mode
- 21. Psst.. I’m here too (since ‘93)!
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
VMX root
OS/Hypervisor
VMX non-root
Virtual Machines
System
Management Mode
Ring2
Ring1
Ring3
Ring0
- 22. 2006?: Intel Dual-monitor SMM
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Secure Transfer
Monitor (STM)
- 23. 2008: Intel Management Engine
Ring-3
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Intel ME
- 25. 2008: Intel Management Engine
User Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Kernel
ARC 600(?)
- 26. 2008: Intel Management Engine
User
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
ARC 600(?)
- 30. Oh yea, we have these too..
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring0
SGX
Ring3
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring0
SGX
Ring3
SGX
Ring3
User
Supervisor
User
Supervisor
User
Supervisor
ARM CPUs in your
harddrive, NIC, etc.
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
User
Kernel
- 32. The Cloud in 2015
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
Ring2
Ring1
Ring3
Ring0
VMX root
OS/Hypervisor
VMX non-root
Virtual Machines
- 33. Securing Virtual Machines
● Security based on the Hypervisor
● Move security stack outside of the OS!
● Monitor
o VM Memory
o Virtual Hardware state
- 35. What is VMI
● View and control virtual machine from an
external perspective
● Including
o Network
o Disk
o Memory
o vCPU
- 36. VMI - The 3 aspects
1. Isolation
2. Interpretation
3. Interposition
- 37. Isolation
● Move security component outside of the
guest operating system
● Hypervisor exposes a smaller attack surface
● Increasingly harder to tamper with or disable
security system
- 39. Interposition
● Step into the execution of the machine
● Prevent attacks from modifying the system
(repair hooks, privileges, etc.)
● Needs to be fast, reliable, and stealthy
● Based directly on hardware events
- 40. VMI - The 3 aspects
1. Isolation → Hypervisor
2. Interpretation → LibVMI / Volatility
3. Interposition → Intel
- 42. Use cases
● System-level debugging
● Timeline or trend analysis
● Runtime security
● OS Integrity
● Malware analysis
● Forensics
- 44. Core features
● Read and write VM memory
● Virtual Memory Translation (Paging)
o Using various methods (DTB, PID, Kernel Symbol)
● Find and map guest OS data structures
● Place monitoring event-hooks into the guest
o Exceptions, Page Faults
- 45. Events on Xen with Intel CPUs
● Intel Extended Page Tables (EPT)
● Register write events ([X]CR0/3/4, MSRs)
● Software breakpoint interrupts (INT3)
● Single-stepping (MTF)
- 49. Future directions
● More guest OS support:
o Android, BSD, etc.
● More (and better) hypervisor support:
o KVM events, VirtualBox, Hyper-V, ESXi, etc.
● More events support on more platforms:
o AMD, ARM, Intel
- 51. Future directions in the Cloud
● Software developed with Cloud in mind
● Scalable Applications and Separation of
Tasks
● Enable VMI in the cloud
o The Software and Hardware is already available
o Cloud Providers do not provide access