USENIX OSDI 2012 Poster "Nested Virtual Machines and Proxies for Easily Implementable Rollback of Secure Communication" by Kuniyasu Suzaki, Kengo Iijima, Akira Tanaka, and Yutaka Oiwa, AIST: National Institute of Advanced Industrial Science and Technology; Etsuya Shibayama, The University of Tokyo
Nested Virtual Machines and Proxies for Easily Implementable Rollback of Secure Communication
Kuniyasu Suzaki*, Kengo Iijima*, Akira Tanaka*, Yutaka Oiwa*, Etsuya Shibayama*,‡
* National Institute of Advanced Industrial Science and Technology (AIST), ‡ The University of Tokyo
Problem: Implementations of secure communication have vulnerabilities.
(Current target: Transport Layer Security / Secure Sockets Layer, TLS/SSL)
Approach: Verify the implementation by fuzzing. Fuzzing must exercise many states of the protocol, so each state is verified repeatedly by rolling back to it.
Challenges:
• Fine-grained (packet-level) control of snapshot and rollback, to check each state of the protocol
• Re-establishing the secure connection on resume, because rollback cuts the connection
• Rollback must include the packets on the network and the computing environment (random number generator, etc.)
A straightforward solution requires heavy customization of an existing rollback implementation, because such an implementation does not handle the state of packets on the network or the network connection itself.
We propose
• a new protocol that encapsulates TLS/SSL packets and controls the VM's snapshot / rollback
• a rollback technique that integrates nested VMs and proxies
Merits:
• Easy implementation that reuses the existing nested VM's snapshot/rollback
• Development is limited to the internal and external proxies
• The technique can be applied to other nested VM implementations
• Snapshots can be transferred to other physical machines and resumed there for parallel testing
• The new protocol encapsulates TLS/SSL packets and manages their status on the network.
• The external VM's snapshot keeps the connection between the internal VM and the internal proxy.
• When rolling back, the connection is re-established between the external and internal proxies using the new protocol.
• The VM includes the whole computing environment, which makes it possible to check code that depends on the environment (e.g., the random number generator).
• The rollback technique is implemented with KVM and QEMU. The proxies are written in Perl.

Figure 1. Overview of rollback with nested VM and proxies
[Figure: Client (real machine) and Server (real machine). On each side an External VM contains an Internal VM running the TLS client (fuzzing) or the TLS server. The Internal Proxy inside the internal VM encapsulates TLS/SSL packets together with control packets (Snapshot, Rollback) and decapsulates control packets; the External Proxy on the real machine adds VM control and port-forwards to the proxy server. The connection is cut when the external VM takes a snapshot; all packets are flushed before the snapshot. The External Proxy controls two external VMs (VM-C1 / Client1 as fuzz generator, VM-S2 / Server2) for snapshot & rollback, keeps the connection over SSH, and manages re-connection with the internal proxies when rolling back.]
• This technique is used for TLS/SSL fuzzing (Fig. 2).
• The client part will be replaced with a protocol fuzzing generator, which is under development.
• Snapshot images are transferred to other machines and restarted there, which makes parallel testing possible.

Figure 2. Image of fuzzing test
[Figure: TLS handshake between Client2 (VM-C2) and Server2 (VM-S2): Client Hello, Server Hello, Server Certificate, Server Hello Done; Take Snapshot; [fuzz] Client Key Exchange ...; Load VM / Resume / Rollback; [fuzz] Client Key Exchange ...; snapshot images are sent to other machines to run the fuzzing test there in parallel.]

Table 1. Protocol which encapsulates the existing protocol and controls the VM
Proposed Protocol | Action
Capsule | The sending internal proxy encapsulates a TLS/SSL packet. The receiving internal proxy decapsulates the control packet.
Take Snapshot | Take a VM snapshot image. Packets between the internal proxies are purged. Return the snapshot ID.
Rollback (with ID) | Roll back to the snapshot image. The connection between the internal proxies is disconnected and re-connected when rolling back.
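The control messages of Table 1 and the rollback loop of Figure 2, modelled in Python as an added example; this is not the poster's code (the authors' proxies are written in Perl). The frame layout (1-byte type, 4-byte length), the message type values, the GuestVM stand-in for the nested VM with its RNG, and the random "nonce" the toy server answers with are all assumptions made here for illustration; the poster fixes only the three actions (Capsule, Take Snapshot, Rollback with ID) and their purge / re-connect semantics. The example shows why the computing environment has to be inside the snapshot: after every rollback the same fuzz case meets the same RNG state, so the server's reply is reproducible, and it shows a record that was still on the wire being purged by the snapshot.

```python
from __future__ import annotations

import copy
import random
import struct
from dataclasses import dataclass, field

# Hypothetical message types; the poster fixes the actions, not the encoding.
MSG_CAPSULE = 0x01        # one TLS/SSL record carried between the internal proxies
MSG_TAKE_SNAPSHOT = 0x02  # take a VM snapshot, purge in-flight packets, reply with ID
MSG_SNAPSHOT_ID = 0x03    # reply to TAKE_SNAPSHOT / ROLLBACK carrying the snapshot ID
MSG_ROLLBACK = 0x04       # roll back to ID, disconnect and re-connect the proxies
HEADER = struct.Struct("!BI")  # type (1 byte) + payload length (4 bytes), big-endian


def encapsulate(msg_type: int, payload: bytes = b"") -> bytes:
    """Sending internal proxy: wrap one TLS record or control message in a frame."""
    return HEADER.pack(msg_type, len(payload)) + payload


def decapsulate(buf: bytes) -> tuple[int, bytes, bytes]:
    """Receiving internal proxy: split off one frame -> (type, payload, remainder)."""
    if len(buf) < HEADER.size:
        raise ValueError("short frame header")
    msg_type, length = HEADER.unpack_from(buf)
    end = HEADER.size + length
    if len(buf) < end:
        raise ValueError("truncated frame payload")
    return msg_type, buf[HEADER.size:end], buf[end:]


@dataclass
class GuestVM:
    """Stand-in for everything the external VM snapshot captures: the toy server's
    transcript, its RNG (the computing environment), packets on the wire, connection."""
    transcript: list[bytes] = field(default_factory=list)
    rng: random.Random = field(default_factory=lambda: random.Random(0x5EED))
    in_flight: list[bytes] = field(default_factory=list)
    connection_gen: int = 0  # incremented each time the proxy connection is rebuilt

    def deliver(self) -> bytes:
        """Hand queued records to the server; it answers each with a random nonce."""
        replies = []
        while self.in_flight:
            self.transcript.append(self.in_flight.pop(0))
            replies.append(struct.pack("!I", self.rng.getrandbits(32)))
        return b"".join(replies)


class ExternalProxy:
    """External proxy: owns the VM and maps control frames to snapshot / rollback."""

    def __init__(self, vm: GuestVM) -> None:
        self.vm = vm
        self.snapshots: dict[int, GuestVM] = {}

    def handle(self, frame: bytes) -> bytes:
        msg_type, payload, rest = decapsulate(frame)
        if rest:
            raise ValueError("one frame per call")
        if msg_type == MSG_CAPSULE:
            self.vm.in_flight.append(payload)  # the record is now 'on the network'
            return b""
        if msg_type == MSG_TAKE_SNAPSHOT:
            self.vm.in_flight.clear()  # Table 1: purge in-flight packets, then snapshot
            sid = len(self.snapshots) + 1
            self.snapshots[sid] = copy.deepcopy(self.vm)
            return encapsulate(MSG_SNAPSHOT_ID, struct.pack("!I", sid))
        if msg_type == MSG_ROLLBACK:
            (sid,) = struct.unpack("!I", payload)
            restored = copy.deepcopy(self.snapshots[sid])
            restored.connection_gen = self.vm.connection_gen + 1  # dis-/re-connect
            self.vm = restored
            return encapsulate(MSG_SNAPSHOT_ID, struct.pack("!I", sid))
        raise ValueError(f"unknown message type {msg_type:#x}")


def fuzz_from_snapshot(proxy: ExternalProxy, sid: int, cases: list[bytes]) -> list[tuple]:
    """Figure 2 loop: roll back to the post-Server-Hello-Done snapshot, inject one
    fuzzed Client Key Exchange, record the reply; repeat for every case."""
    results = []
    for case in cases:
        proxy.handle(encapsulate(MSG_ROLLBACK, struct.pack("!I", sid)))
        proxy.handle(encapsulate(MSG_CAPSULE, case))
        reply = proxy.vm.deliver()
        results.append((case, reply, proxy.vm.connection_gen, len(proxy.vm.transcript)))
    return results


def demo() -> tuple[int, list[tuple]]:
    """Constructed run: one handshake record, a stray in-flight record that the
    snapshot must purge, then three fuzz cases replayed from the same snapshot."""
    proxy = ExternalProxy(GuestVM())
    proxy.handle(encapsulate(MSG_CAPSULE, b"ClientHello"))  # handshake prefix, abstracted
    proxy.vm.deliver()
    proxy.handle(encapsulate(MSG_CAPSULE, b"stray record"))  # still on the wire
    (sid,) = struct.unpack("!I", decapsulate(proxy.handle(encapsulate(MSG_TAKE_SNAPSHOT)))[1])
    cases = [b"ClientKeyExchange" + bytes([i]) * 4 for i in range(3)]  # constructed cases
    return sid, fuzz_from_snapshot(proxy, sid, cases)
```

Each entry returned by demo() carries the fuzz case, the server's 4-byte reply, the connection generation and the transcript length. Across the three runs the reply is identical (the RNG was rolled back with the VM), the connection generation climbs 1, 2, 3 (one re-connect per rollback), and the transcript holds only the handshake record plus the injected case, because the stray record was purged before the snapshot was taken.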