Hypervisor Security – OpenStack Summit Hong Kong
Robert Clark
Lead Security Architect
HP Cloud
About the Speaker
OpenStack Security Group
• Established 18-24 months ago
• Issues OpenStack Security Notes
• Consults on OpenStack Security Advisories
• Security Initiatives
• Nearly 100 members
OpenStack Security Guide
http://docs.openstack.org/security
Virtualization Overview
Virtualization Technologies
• Hosted OS Virtualization – VMware Desktop Solutions
• Para Virtualization – The guest needs to know it’s running in a virtualized environment
• Full Virtualization – The guest is unaware that it is running on a virtualized platform
Virtualization Stack
[Diagram: Compute Host – Hardware at the bottom, Hypervisor above it, Device Emulation above that, hosting Alice’s VMs]
Simplified KVM
[Diagram: Compute Host – Hardware with CPU VIRT extensions, Linux Kernel containing KVM, Linux OS running QEMU, hosting Alice’s VMs]
Simplified Xen
[Diagram: Compute Host – Hardware, Xen Hypervisor, Dom0 running QEMU alongside Alice’s VMs]
Generalized Virtualization Stack
[Diagram: Compute Host, bottom to top – Hardware (memory, disk, CPU etc); Hypervisor / Host OS / Dom0 (hardware interfacing / enabling); QEMU (device emulation / paravirt); Compute Instances (Alice’s VMs)]
Attack Vectors
Introducing ‘Mal’
[Diagram: Mal’s VM – the malicious instance used in the following diagrams]
Compute Host Attack Vectors
[Diagram: Compute Host [Nova] running Alice’s VMs]
Compute Instance Attack Vectors
[Diagram sequence: Compute Host [Nova] running Alice’s and Bob’s VMs; the stack beneath them is built up layer by layer – KVM / XEN, QEMU, Dom0, Linux Kernel, Linux OS – and then Mal’s VM is added. The slides then highlight each attack path in turn:]
• Basic VM to VM network attacks
• VM to hypervisor attacks (KVM / XEN)
• VM to QEMU / device attacks
• VM to QEMU, drawn as a numbered two-step chain (1., 2.)
• VM to hypervisor attacks, repeated against the full stack
• VM to OS / Management / Linux Kernel / Dom0, drawn as a numbered chain of up to three steps (1., 2., 3.)
Cloud Issues
[Diagram sequence: two Compute Hosts [Nova], one running Alice’s and Bob’s VMs, the other Cher’s and Dave’s; shared infrastructure is added – Compute Manager, Block Storage, Network Nodes, Operations Systems, Object Storage – and then Mal’s VM. The same picture is used for each of the following issues:]
• Cloud Issues – Scale
• Cloud Issues – Flat Exploitation
• Cloud Issues – Service Trust
• Cloud Issues – Nova RPC
What about side channels?
Cross-VM Side Channel Attacks
• Web Servers providing SSL
• VOIP providers
• Cloud VPN
• Chat Applications
• Secure File Storage
• Virtually any service doing anything useful
Cross-VM Side Channel Attacks
[Diagram: Alice’s Client talks TLS/SSL to Bob’s VM on a Compute Host [Nova]; the host’s CPU and its L1 Cache are shown beneath Bob’s VM]
• Disrupting or observing system operation
[Diagram sequence: Mal is first drawn as a MITM on the TLS/SSL path between Alice’s Client and Bob’s VM, then as a VM on the same Compute Host [Nova] sharing the CPU L1 Cache with Bob’s VM – “Stealing the bits!”]
Isn’t this all a bit theoretical?
CloudBurst
• Date: 2008
• Type: OS Virtualization - VMware
• Result: Full Breakout
• Author: Kostya Kortchinsky, Immunity Inc
Xen Ownage Trilogy
• Date: 2011
• Type: Xen
• Result: Full Breakout
• Author: Joanna Rutkowska
VirtuNoid
• Date: 2011
• Type: Kernel Side Full Virtualization - KVM
• Result: Full Breakout
• Author: Nelson Elhage
• CVE-2011-1751
SYSRET-64
• Date: 2012
• Type: Para Virtualization - Xen
• Result: Full Breakout
• Author: Rafal Wojtczuk
• US-CERT #649219
VMDK Has Left The Building
• Date: 2012
• Type: ESXi File Handling Logic
• Result: Data Leakage / Loss
• Author: Friedwart Kuhn
KVM IOAPIC, SET MSR, TIME
• Date: 2013
• Type: Full Virtualization - KVM
• Result: Denial of Service, Potential Breakout
• Author: Andrew Honig
• IOAPIC: CVE-2013-1798
• TIME: CVE-2013-1797
• SET MSR: CVE-2013-1796
Virtualization Security Trends
IBM X-Force 2010 Mid-Term Report
Virtualization Security Trends
Vulnerability count by attack vector (share of each hypervisor’s total in brackets):

Attack Vector                    Xen          KVM
Virtual CPUs                      5 (8.5%)     8 (21.1%)
SMP                               1 (1.7%)     3 (7.9%)
Software MMU                      4 (6.8%)     2 (5.3%)
Interrupt and Timer Mechanisms    2 (3.4%)     4 (10.5%)
I/O and Networking               11 (18.6%)   10 (26.3%)
VM Exits                          4 (6.8%)     2 (5.3%)
Hypercalls                        2 (3.4%)     1 (2.6%)
VM Management                     7 (11.9%)    2 (5.3%)
Remote Management Software        9 (15.3%)    1 (2.6%)
Hypervisor add-ons                5 (8.5%)     0 (0.0%)
TOTAL                            59           38
Time to unplug?
Go home cloud, you’re drunk!
Protections – Compiler Hardening
• RELocation Read-Only
• Stack Canaries
• Never eXecute (NX) / (DEP)
• Position Independent Executable
• Address Space Layout Randomization
• QEMU:
CFLAGS="-arch x86_64 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -pie -fPIE -ftrapv -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"
– -O2 (or higher) is required for _FORTIFY_SOURCE=2 to take effect; -Wl,-z,relro,-z,now gives full RELRO, not just partial
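To verify that a QEMU build (or any other ELF64 binary on a compute host) actually carries the protections this slide lists, here is an added checker that is not part of the talk or of the QEMU project. It reads the ELF program headers and dynamic section itself rather than shelling out to readelf, and it ships with a constructed, non-loadable ELF builder so it can be exercised without a real binary. Two choices are this example's own assumptions: a missing PT_GNU_STACK header is reported as no NX (the conservative reading), and a stack canary is inferred from the presence of the __stack_chk_fail symbol string.

```python
"""Static check for the slide's hardening properties (RELRO, stack canaries,
NX, PIE) in an ELF64 binary such as a QEMU build. Added example, not from the
talk: it parses program headers and the dynamic section directly."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
PHDR_FMT = "<IIQQQQQQ"


def check_hardening(data: bytes) -> dict:
    """Return {pie, nx, relro, canary} for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    phoff, = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    result = {
        "pie": e_type == ET_DYN,                    # -pie -fPIE produces ET_DYN
        "nx": False,                                # assumption: no PT_GNU_STACK => executable stack
        "relro": "none",                            # -Wl,-z,relro adds PT_GNU_RELRO
        "canary": b"__stack_chk_fail\x00" in data,  # heuristic: -fstack-protector* imports this
    }
    dynamic = None
    for i in range(phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz, _ms, _al = struct.unpack_from(
            PHDR_FMT, data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = "partial"
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    # Full RELRO additionally needs BIND_NOW (-Wl,-z,now): the GOT is resolved
    # and made read-only before main() runs, so it cannot be overwritten later.
    if result["relro"] == "partial" and dynamic:
        off, size = dynamic
        for j in range(0, size, 16):
            tag, val = struct.unpack_from("<qQ", data, off + j)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                result["relro"] = "full"
                break
    return result


def missing_protections(result: dict) -> list:
    """Names of the slide's protections that the binary lacks."""
    gaps = []
    if not result["pie"]:
        gaps.append("PIE")
    if not result["nx"]:
        gaps.append("NX")
    if result["relro"] != "full":
        gaps.append("full RELRO")
    if not result["canary"]:
        gaps.append("stack canary")
    return gaps


def build_elf(pie, nx, relro, bind_now, canary) -> bytes:
    """Constructed minimal ELF64 image (not loadable) for exercising the checker."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 3 if relro else 2
    dyn_off = 64 + 56 * n_ph
    phdrs = struct.pack(PHDR_FMT, PT_GNU_STACK, 0x6 | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)
    phdrs += struct.pack(PHDR_FMT, PT_DYNAMIC, 0x6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR_FMT, PT_GNU_RELRO, 0x4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, EV_CURRENT, SYSV
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                              64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return hdr + phdrs + dyn + (b"__stack_chk_fail\x00" if canary else b"")


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_hardening(f.read())


if __name__ == "__main__":
    import sys
    res = check_file(sys.argv[1]) if len(sys.argv) > 1 else \
        check_hardening(build_elf(True, True, True, False, True))
    print(res, "missing:", missing_protections(res))
```

Run it as `python check_elf.py /usr/bin/qemu-system-x86_64` on a compute host to get the four properties and the list of gaps; without an argument it checks a constructed image that has RELRO but no BIND_NOW, which is reported as "partial" RELRO.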
Protections – Reduce Attack Surface
• Out of the box you probably support
– 3D Graphics
– Multiple Network Devices
– Sound
– Bluetooth!?
• Compile them out!
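Compiling devices out of QEMU is the build-time half; the run-time half is checking what a guest definition actually attaches, since a libvirt domain can still request sound, 3D-accelerated video or extra and fully emulated NICs if the binary supports them. The following audit is an added example, not from the talk or from libvirt: the two domain definitions are constructed, but use real libvirt element names (sound, video/model/acceleration, interface/model); the one-NIC limit and the "prefer virtio" rule are the example's own policy choices.

```python
"""Audit a libvirt domain XML definition for emulated devices the slide says a
cloud guest rarely needs (sound, 3D graphics, extra or fully emulated NICs).
Added example, not part of the talk; the policy thresholds are its own."""
import xml.etree.ElementTree as ET

# Constructed sample domain with more emulated hardware than an instance needs.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>instance-00000042</name>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <source file='/var/lib/nova/instances/42/disk'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'>
      <source bridge='br-int'/><model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br-ex'/><model type='e1000'/>
    </interface>
    <sound model='ich6'/>
    <video>
      <model type='virtio' heads='1'><acceleration accel3d='yes'/></model>
    </video>
  </devices>
</domain>"""

# Constructed minimal definition: one virtio NIC, no sound, plain video.
SAMPLE_MINIMAL_XML = """<domain type='kvm'>
  <name>instance-00000043</name>
  <devices>
    <interface type='bridge'><source bridge='br-int'/><model type='virtio'/></interface>
    <video><model type='cirrus'/></video>
  </devices>
</domain>"""

# NIC models implemented as paravirt drivers rather than full device emulation.
PARAVIRT_NIC_MODELS = {"virtio", "virtio-net", "virtio-non-transitional"}


def audit_domain(xml_text: str, max_nics: int = 1) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    findings = []
    if devices is None:
        return findings
    for snd in devices.findall("sound"):
        findings.append(f"sound device emulated (model={snd.get('model')})")
    for video in devices.findall("video"):
        model = video.find("model")
        accel = model.find("acceleration") if model is not None else None
        if accel is not None and accel.get("accel3d") == "yes":
            findings.append(f"3D acceleration enabled on video model {model.get('type')}")
    nics = devices.findall("interface")
    if len(nics) > max_nics:
        findings.append(f"{len(nics)} network interfaces attached (limit {max_nics})")
    for nic in nics:
        model = nic.find("model")
        model_type = model.get("type") if model is not None else "default"
        if model_type not in PARAVIRT_NIC_MODELS:
            findings.append(f"fully emulated NIC model {model_type} (prefer virtio)")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("noisy", SAMPLE_DOMAIN_XML), ("minimal", SAMPLE_MINIMAL_XML)):
        print(name, audit_domain(xml_text) or ["ok"])
```

On a real host the same function can be fed the output of `virsh dumpxml <domain>`; anything it reports is device emulation code reachable from the guest that the instance does not need.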
Protections – Mandatory Access Controls
• Limit the capabilities of a successful exploit
• Define and constrain what QEMU should be doing
• Provide isolation for VM processes (KVM)
• SELinux
• AppArmor
Protection
• Reduce Attack Surface
• Harden Compilation
• Isolate, detect and alert on exploitation through MAC
• Harden your base OS/Dom0 using the same techniques
• Apply MAC to other OpenStack components
OpenStack Security Guide
• http://docs.openstack.org/sec
• Chapter 26 – Securing OpenStack Networking Services
• Chapter 40 – Hypervisor Selection
• Chapter 41 – Hardening the Virtualization Layers
• Chapter 43 – Security Services for Instances
Thank You
Please consider contributing to the OpenStack Security Group
References
• Directly Referenced / Informed This Talk
– http://www.insinuator.net/2013/05/analysis-of-hypervisor-breakouts/
– https://www.ernw.de/download/ERNW_DCVI-HypervisorsToClouds.pdf
– https://www.hashdays.ch/downloads/slides/jonathan_sinclair_vm_state.pdf
– ftp://public.dhe.ibm.com/linux/pdfs/LXW03004-USEN-00.pdf
– http://blog.cryptographyengineering.com/2012/10/attack-of-week-cross-vm-timing-attacks.html
– http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php
– http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf
– http://invisiblethingslab.com/resources/bh08/part1.pdf
– http://blogs.gartner.com/neil_macdonald/2011/01/26/yes-hypervisors-are-vulnerable/
– ftp://public.dhe.ibm.com/common/ssi/ecm/en/wgl03003usen/WGL03003USEN.PDF

 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Hypervisor Security - OpenStack Summit Hong Kong

  • 1. Hypervisor Security. Robert Clark, Lead Security Architect, HP Cloud
  • 2. (slide has no text)
  • 4. OpenStack Security Group
      • Established 18-24 months ago
      • Issues OpenStack Security Notes
      • Consults on OpenStack Security Advisories
      • Security Initiatives
      • Nearly 100 members
  • 8. Virtualization Technologies
      • Hosted OS Virtualization – VMware Desktop Solutions
      • Para Virtualization – The guest needs to know it’s running in a virtualized environment
      • Full Virtualization – The guest is unaware that it is running on a virtualized platform.
  • 10. Simplified KVM (diagram: Compute Host with three Alice VMs; Hardware with CPU VIRT, Linux Kernel, KVM, QEMU, Linux OS)
  • 11. Simplified Xen (diagram: Compute Host with Dom0 and Alice VMs on Hardware and the Xen Hypervisor; QEMU runs in Dom0)
  • 12. Generalized Virtualization Stack (diagram: Compute Instances on top; Device Emulation / Paravirt as QEMU; Hardware Interfacing / Enabling as Hypervisor / Host OS / Dom0; Hardware: Memory, Disk, CPU etc)
  • 15. Compute Host Attack Vectors (diagram: Compute Host [Nova] with two Alice VMs)
  • 16–18. Compute Instance Attack Vectors (diagram built up over three slides: Compute Host [Nova] with Alice VMs and Bob VMs, then KVM / XEN and QEMU, then Dom0, Linux Kernel and Linux OS)
  • 19. Compute Instance Attack Vectors (diagram: Mal VM added alongside the Alice and Bob VMs)
  • 20. Compute Instance Attack Vectors – Basic VM to VM network attacks (diagram)
  • 21. Compute Instance Attack Vectors – VM to hypervisor attacks (diagram)
  • 22. Compute Instance Attack Vectors – VM to QEMU / Device attacks (diagram)
  • 23–26. Compute Instance Attack Vectors – VM to QEMU (diagram; slides 25–26 number the steps 1 and 2)
  • 27–29. Compute Instance Attack Vectors – VM to hypervisor attacks (diagram)
  • 30–33. Compute Instance Attack Vectors – VM to OS / Management / Linux Kernel / Dom0 (diagram; slides 32–33 number the steps 1, 2 and 3)
  • 34. Cloud Issues (diagram: Compute Host [Nova] with Alice VM and Bob VM)
  • 35–37. Cloud Issues – Scale (diagram: two Compute Hosts [Nova] with Alice, Bob, Cher and Dave VMs; Compute Manager, Block Storage, Network Nodes, Operations Systems, Object Storage; Mal VM appears on slide 37)
  • 38–39. Cloud Issues – Flat Exploitation (same diagram)
  • 40–41. Cloud Issues – Service Trust (same diagram)
  • 42. Cloud Issues – Nova RPC (same diagram)
  • 44. Cross-VM Side Channel Attacks
      • Web Servers providing SSL
      • VOIP providers
      • Cloud VPN
      • Chat Applications
      • Secure File Storage
      • Virtually any service doing anything useful
  • 45. Cross-VM Side Channel Attacks (diagram: Alice Client talking TLS/SSL to Bob VM on Compute Host [Nova]; CPU L1 Cache)
      • Disrupting or observing system operation
  • 46. Cross-VM Side Channel Attacks (diagram: Mal MITM on the TLS/SSL path; “Stealing the bits!”)
  • 47–49. Cross-VM Side Channel Attacks (diagram: Mal VM on the same Compute Host as Bob VM, sharing the CPU L1 Cache; Mal MITM; “Stealing the bits!”)
  • 50. Isn’t this all a bit theoretical?
  • 51. CloudBurst
      • Date: 2008
      • Type: OS Virtualization - VMWare
      • Result: Full Breakout
      • Author: Kostya Kortchinsky, Immunity Inc
  • 52. Xen Ownage Trilogy
      • Date: 2011
      • Type: Xen
      • Result: Full Breakout
      • Author: Joanna Rutkowska
  • 53. VirtuNoid
      • Date: 2011
      • Type: Kernel Side Full Virtualization - KVM
      • Result: Full Breakout
      • Author: Nelson Elhage
      • CVE-2011-1751
  • 54. SYSRET-64
      • Date: 2012
      • Type: Para Virtualization - Xen
      • Result: Full Breakout
      • Author: Rafal Wojtczuk
      • US-CERT #649219
  • 55. VMDK Has Left The Building
      • Date: 2012
      • Type: ESXi File Handling Logic
      • Result: Data Leakage / Loss
      • Author: Friedwart Kuhn
  • 56. KVM IOAPIC, SET MSR, TIME
      • Date: 2013
      • Type: Full Virtualization - KVM
      • Result: Denial of Service, Potential Breakout
      • Author: Andrew Honig
      • IOAPIC: CVE-2013-1798
      • TIME: CVE-2013-1797
      • SET MSR: CVE-2013-1796
  • 57. Virtualization Security Trends IBM X-Force 2010 Mid-Term Report
  • 58. Virtualization Security Trends (counts per attack vector, with each entry’s share of the column total in parentheses)
        Attack Vector                    Xen          KVM
        Virtual CPUs                     5 (8.5%)     8 (21.1%)
        SMP                              1 (1.7%)     3 (7.9%)
        Software MMU                     4 (6.8%)     2 (5.3%)
        Interrupt and Timer Mechanisms   2 (3.4%)     4 (10.5%)
        I/O and Networking               11 (18.6%)   10 (26.3%)
        VM Exits                         4 (6.8%)     2 (5.3%)
        Hypercalls                       2 (3.4%)     1 (2.6%)
        VM Management                    7 (11.9%)    2 (5.3%)
        Remote Management Software       9 (15.3%)    1 (2.6%)
        Hypervisor add-ons               5 (8.5%)     0 (0.0%)
        TOTAL                            59           38
  • 59. Time to unplug? Go home cloud, you’re drunk!
  • 60. Protections – Compiler Hardening
      • RELocation Read-Only
      • Stack Canaries
      • Never eXecute (NX) / (DEP)
      • Position Independent Executable
      • Address Space Layout Randomization
      • QEMU: CFLAGS="-arch x86_64 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -pie -fPIE -ftrapv -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"
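The flags on slide 60 only help if the build actually honoured them, so the check a practitioner wants is to read the resulting binary rather than trust the build log. The following Python is an added example, not code from the talk or from QEMU: it parses the ELF64 header, program headers and dynamic section and reports PIE, NX stack, the RELRO level and a stack-canary heuristic. It assumes little-endian ELF64 (x86-64) input, and the synthetic image it builds for the offline run is constructed test data, not a real program. One caveat on the flag string itself: `-arch x86_64` is a clang/Apple driver flag that GCC on Linux does not accept, where `-m64` plays that role.

```python
"""Audit an ELF64 binary for the hardening properties listed on slide 60.

Added example (not from the talk or from QEMU): parses the ELF header,
program headers and dynamic section and reports PIE, NX stack, RELRO level
and a stack-canary heuristic. A synthetic image is constructed below so the
check runs offline; call check_elf() on a real qemu-system binary to audit a build.
"""
import struct

# Constants from the ELF64 / System V ABI specifications
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_offset, p_filesz))
    return e_type, phdrs


def dynamic_entries(data, phdrs):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment up to DT_NULL."""
    for p_type, _flags, p_offset, p_filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def check_elf_bytes(data):
    """Return a dict of the hardening properties found in the image."""
    e_type, phdrs = parse_program_headers(data)
    types = {p[0] for p in phdrs}
    dyn = dict(dynamic_entries(data, phdrs))
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    # With no PT_GNU_STACK header the kernel falls back to an executable stack
    nx = bool(stack) and not (stack[0][1] & PF_X)
    bind_now = bool(DT_BIND_NOW in dyn
                    or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if PT_GNU_RELRO not in types:
        relro = "none"      # built without -z relro
    elif bind_now:
        relro = "full"      # -z relro -z now: the GOT is read-only after loading
    else:
        relro = "partial"
    # A PIE is ET_DYN with an interpreter (or carries DF_1_PIE from newer linkers)
    pie = e_type == ET_DYN and (PT_INTERP in types
                                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE))
    return {"pie": pie, "nx": nx, "relro": relro,
            # Heuristic: -fstack-protector* makes the binary import __stack_chk_fail
            "canary": b"__stack_chk_fail" in data}


def check_elf(path):
    with open(path, "rb") as f:
        return check_elf_bytes(f.read())


def build_synthetic_elf(nx=True, relro=True, bind_now=True, pie=True, canary=True):
    """Constructed test image, not a runnable program: just the headers the
    checker inspects, with each property switchable to exercise the checks."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    phdrs = [(PT_DYNAMIC, 6, len(dyn_bytes)), (PT_GNU_STACK, 6 if nx else 7, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0))
    if pie:
        phdrs.append((PT_INTERP, 4, 0))
    dyn_off = 64 + 56 * len(phdrs)          # dynamic array follows the headers
    header = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
              + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E,
                            1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0))
    body = b"".join(struct.pack("<IIQQQQQQ", p_type, p_flags,
                                dyn_off if p_type == PT_DYNAMIC else 0,
                                0, 0, size, size, 8)
                    for p_type, p_flags, size in phdrs)
    strtab = b"\0__stack_chk_fail\0" if canary else b"\0"
    return header + body + dyn_bytes + strtab
```

On a build made with the slide’s flags, `check_elf("/usr/bin/qemu-system-x86_64")` should report `pie` and `nx` true, `relro` as `full` and `canary` true; a `partial` RELRO result means `-z now` was dropped somewhere in the build, which is the most common way the flag string silently degrades.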
  • 61. Protections – Reduce Attack Surface
      • Out of the box you probably support
          – 3D Graphics
          – Multiple Network Devices
          – Sound
          – Bluetooth!?
      • Compile them out!
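Compiling device models out of QEMU removes them for every guest; the complementary per-instance check is to audit the libvirt domain XML that Nova hands to the hypervisor, because a device that is compiled in but never appears in a domain definition is still unreachable from the guest. The following Python is an added example, not code from the talk, Nova or libvirt. The device policy it enforces (virtio NICs only, no sound, USB redirection, smartcard, parallel port or passthrough devices, no SPICE, no 3D acceleration) is an assumption made for this example, and both domain definitions are constructed samples rather than output from a real deployment.

```python
"""Flag emulated devices in a libvirt domain definition that a cloud guest rarely needs.

Added example, not code from the talk, Nova or libvirt. Slide 61 is about
compiling unneeded device models out of QEMU; this audits the per-instance
domain XML for the same classes of device. The policy below is an assumption
for this example and the sample XML is constructed.
"""
import xml.etree.ElementTree as ET

# Assumed policy: device elements that only add attack surface for a cloud guest
RISKY_DEVICES = {
    "sound": "audio device emulation",
    "redirdev": "USB redirection",
    "smartcard": "smartcard emulation",
    "parallel": "parallel port emulation",
    "hostdev": "host device passthrough",
}


def audit_domain_xml(xml_text, allowed_nic_models=("virtio",)):
    """Return a list of findings, one per device that violates the policy."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    findings = []
    if devices is None:
        return findings
    for dev in devices:
        if dev.tag in RISKY_DEVICES:
            findings.append(f"{dev.tag}: {RISKY_DEVICES[dev.tag]}")
        elif dev.tag == "interface":
            # Emulated NIC models (e1000, rtl8139, ...) are device-emulation code;
            # a paravirt-only policy keeps just the virtio model
            model = dev.find("model")
            mtype = model.get("type", "default") if model is not None else "default"
            if mtype not in allowed_nic_models:
                findings.append(f"interface: emulated NIC model '{mtype}'")
        elif dev.tag == "graphics" and dev.get("type") == "spice":
            findings.append("graphics: SPICE enables extra guest-facing channels")
        elif dev.tag == "video":
            accel = dev.find("model/acceleration")
            if accel is not None and accel.get("accel3d") == "yes":
                findings.append("video: 3D acceleration exposes virgl to the guest")
    return findings


# Constructed sample: a Nova-style domain carrying several avoidable devices
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <source file='/var/lib/nova/instances/disk'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'>
      <source bridge='br-int'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br-int'/>
      <model type='e1000'/>
    </interface>
    <serial type='pty'/>
    <sound model='ich6'/>
    <redirdev bus='usb' type='spicevmc'/>
    <graphics type='spice' autoport='yes'/>
    <video>
      <model type='virtio'><acceleration accel3d='yes'/></model>
    </video>
    <memballoon model='virtio'/>
  </devices>
</domain>
"""

# Constructed sample with paravirtualised devices and a local VNC console only
LEAN_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'><target dev='vda' bus='virtio'/></disk>
    <interface type='bridge'><model type='virtio'/></interface>
    <graphics type='vnc' autoport='yes' listen='127.0.0.1'/>
    <video><model type='cirrus'/></video>
    <memballoon model='virtio'/>
  </devices>
</domain>
"""
```

Run over a live host with `virsh dumpxml` output for each instance, the findings list is the per-VM counterpart of the slide’s "compile them out" advice: every device it names is emulation code that the guest can drive and that a compiled-out QEMU would not contain.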
  • 62. Protections – Mandatory Access Controls
      • Limit the capabilities of a successful exploit
      • Define and constrain what QEMU should be doing
      • Provide isolation for VM processes (KVM)
      • SELinux
      • AppArmor
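On a KVM host the isolation slide 62 describes is delivered by sVirt: libvirt starts each QEMU process in the `svirt_t` SELinux domain with its own pair of MCS categories, so a process that breaks out of one guest cannot touch another guest’s image or memory. That only holds if every QEMU process actually carries such a label, which is what the following check verifies. It is an added example, not code from the talk, libvirt or the SELinux project: it parses the labels that `ps -eZ` prints and reports QEMU processes that are not in an sVirt domain, that have no categories, or that share categories with another VM. The process listing is a constructed sample in the shape of `ps -eZ` output, not a capture from a real host.

```python
"""Verify that every QEMU process on a KVM host is confined and isolated by sVirt.

Added example, not code from the talk, libvirt or SELinux. The sample
listing is constructed in the shape of `ps -eZ` output (LABEL PID TTY TIME CMD).
"""
SVIRT_TYPES = {"svirt_t", "svirt_tcg_t"}   # KVM-accelerated and TCG guests

SAMPLE_PS_OUTPUT = """\
LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:03 systemd
system_u:system_r:virtd_t:s0-s0:c0.c1023  812 ?        00:00:10 libvirtd
system_u:system_r:svirt_t:s0:c57,c213    4321 ?        00:01:02 qemu-system-x86_64
system_u:system_r:svirt_t:s0:c12,c498    4377 ?        00:00:58 qemu-system-x86_64
system_u:system_r:svirt_t:s0:c57,c213    4402 ?        00:00:41 qemu-system-x86_64
system_u:system_r:svirt_t:s0             4460 ?        00:00:12 qemu-system-x86_64
system_u:system_r:unconfined_t:s0        4450 ?        00:00:07 qemu-system-x86_64
"""


def parse_ps_z(output):
    """Yield (pid, selinux_type, categories, cmd) for each process line."""
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        label, pid, _tty, _time, cmd = fields
        parts = label.split(":")
        # Label layout is user:role:type:sensitivity[:categories]; the daemon's
        # range form (s0-s0:c0.c1023) is left alone because only guests are audited
        selinux_type = parts[2] if len(parts) > 2 else ""
        categories = frozenset(parts[4].split(",")) if len(parts) > 4 else frozenset()
        yield int(pid), selinux_type, categories, cmd


def audit_svirt(output, qemu_prefix="qemu-system"):
    """Return findings for QEMU processes whose label does not isolate them."""
    findings, seen = [], {}
    for pid, selinux_type, cats, cmd in parse_ps_z(output):
        if not cmd.startswith(qemu_prefix):
            continue
        if selinux_type not in SVIRT_TYPES:
            findings.append(f"pid {pid}: runs as {selinux_type}, not confined by sVirt")
        elif not cats:
            findings.append(f"pid {pid}: svirt_t without MCS categories, no per-VM isolation")
        elif cats in seen:
            shared = ",".join(sorted(cats, key=lambda c: int(c[1:])))
            findings.append(f"pid {pid}: shares MCS categories {shared} with pid {seen[cats]}")
        else:
            seen[cats] = pid
    return findings
```

Feeding it the real listing (`audit_svirt(subprocess.check_output(["ps", "-eZ"], text=True))`) turns the slide’s "isolate, detect and alert" into a concrete host check; an empty result means every guest is in `svirt_t` with a label no other guest shares. The same idea applies to AppArmor hosts, where the equivalent is confirming each QEMU process has its own `libvirt-<uuid>` profile in `ps -eo pid,label,cmd`.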
  • 63. Protections – Mandatory Access Controls
  • 64. Protection
      • Reduce Attack Surface
      • Harden Compilation
      • Isolate, detect and alert on exploitation through MAC
      • Harden your base OS/Dom0 using the same techniques
      • Apply MAC to other OpenStack components
  • 65. OpenStack Security Guide
      • http://docs.openstack.org/sec
      • Chapter 26 – Securing OpenStack Networking Services
      • Chapter 40 – Hypervisor Selection
      • Chapter 41 – Hardening the Virtualization Layers
      • Chapter 43 – Security Services for Instances
  • 66. Thank You Please consider contributing to the OpenStack Security Group
  • 67. References
      • Directly Referenced / Informed This Talk
          – http://www.insinuator.net/2013/05/analysis-of-hypervisor-breakouts/
          – https://www.ernw.de/download/ERNW_DCVI-HypervisorsToClouds.pdf
          – https://www.hashdays.ch/downloads/slides/jonathan_sinclair_vm_state.pdf
          – ftp://public.dhe.ibm.com/linux/pdfs/LXW03004-USEN-00.pdf
          – http://blog.cryptographyengineering.com/2012/10/attack-of-week-cross-vm-timing-attacks.html
          – http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php
          – http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf
          – http://invisiblethingslab.com/resources/bh08/part1.pdf
          – http://blogs.gartner.com/neil_macdonald/2011/01/26/yes-hypervisors-are-vulnerable/
          – ftp://public.dhe.ibm.com/common/ssi/ecm/en/wgl03003usen/WGL03003USEN.PDF