Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
Intro Network path Bootloader Device model Xen Conclusion Securing your cloud with Xen’s advanced security features ...
Intro Network path Bootloader Device model Xen Conclusion Xen: an open-source, enterprise-grade, type I hypervisor E...
Intro Network path Bootloader Device model Xen Conclusion Built for the Cloud before it was called the Cloud Edinbur...
Intro Network path Bootloader Device model Xen Conclusion Advanced security features Edinburgh – 21-23 October, 201...
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Edinburgh – 21...
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key s...
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key s...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Edinburgh – 21-...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Xen Architecture dom 0 device model (qemu) toolstack Har...
Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Edinburgh – 21-23 October...
Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Attacker can access guest ...
Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Attacker can access guest ...
Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code i...
Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code i...
Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code i...
Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code i...
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Edinburgh – 21-23 October,...
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control netwo...
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control netwo...
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control netwo...
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control netwo...
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control netwo...
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control netwo...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netf...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netf...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netf...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netf...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netf...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netf...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netf...
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack ...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pyg...
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image tools...
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image tools...
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image tools...
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image tools...
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image tools...
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image tools...
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder p...
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder p...
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder p...
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder p...
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder p...
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image E...
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pv...
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pv...
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pv...
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pv...
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pv...
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pv...
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pv...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (q...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (q...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (q...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (q...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (q...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (q...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (q...
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (q...
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub ...
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stub...
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stub...
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stub...
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stub...
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stub...
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stub...
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stub...
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stub...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests Edinburgh – 21-23 October...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of ...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Ed...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do?...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do?...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do?...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do?...
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do?...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM en...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM en...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM en...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM en...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM en...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM en...
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM en...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Edinburgh – 21-...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introducti...
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Edinburgh – 21...
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key s...
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key s...
Intro Network path Bootloader Device model Xen Conclusion Questions Questions? More info at http://wiki.xen.org/wik...
Nächste SlideShare
Wird geladen in …5
×

LCEU13: Securing your cloud with Xen's advanced security features - George Dunlap, Citrix

194.970 Aufrufe

Veröffentlicht am

Xen is a mature enterprise-grade virtual machine with many advanced security features which are unique to Xen. For this reason it's the hypervisor of choice for the NSA, the DoD, and the new QubesOS Secure Desktop project. While much of the security of Xen is inherent in its design, many of the advanced security features, such as stub domains, driver domains, XSM, and so on are not enabled by default. This session will describe all of the advanced security features of Xen, and the best way to configure them for the Cloud environment. When the audience leaves, they should have a general framework to evaluate the security of their system, know the key security features of Xen, and have a basic framework of knowledge to help them make sense of the documentation. This talk will *not* go into mind-numbing detail about specific commands to type or configuration options.

Veröffentlicht in: Technologie, News & Politik
no profile picture user

  • Als Erste(r) kommentieren

LCEU13: Securing your cloud with Xen's advanced security features - George Dunlap, Citrix

  1. 1. Intro Network path Bootloader Device model Xen Conclusion Securing your cloud with Xen’s advanced security features George Dunlap Edinburgh – 21-23 October, 2013
  2. 2. Intro Network path Bootloader Device model Xen Conclusion Xen: an open-source, enterprise-grade, type I hypervisor Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 2 / 33
  3. 3. Intro Network path Bootloader Device model Xen Conclusion Built for the Cloud before it was called the Cloud Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 2 / 33
  4. 4. Intro Network path Bootloader Device model Xen Conclusion Advanced security features Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 3 / 33
  5. 5. Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
  6. 6. Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key security features of Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
  7. 7. Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key security features of Xen Equipped with the knowledge to get them working Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
  8. 8. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  9. 9. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  10. 10. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  11. 11. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  12. 12. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  13. 13. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  14. 14. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  15. 15. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  16. 16. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  17. 17. Intro Network path Bootloader Device model Xen Conclusion Xen Architecture dom 0 device model (qemu) toolstack Hardware Drivers netback blkback Paravirtualized (PV) Domain netfront blkfront Fully Virtualized (HVM) Domain Xen Hypervisor I/O Devices Edinburgh – 21-23 October, 2013 CPU Memory Hardware Securing your cloud with Xen’s advanced security features 6 / 33
  18. 18. Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
  19. 19. Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Attacker can access guest network Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
  20. 20. Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Attacker can access guest network Attacker controls one guest OS Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
  21. 21. Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code is accessible? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
  22. 22. Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code is accessible? What is the interface like? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
  23. 23. Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code is accessible? What is the interface like? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
  24. 24. Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code is accessible? What is the interface like? Defense-in-depth Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
  25. 25. Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  26. 26. Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  27. 27. Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  28. 28. Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  29. 29. Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  30. 30. Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 PV guests with pygrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  31. 31. Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 PV guests with pygrub HVM guests with qemu running in domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  32. 32. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
  33. 33. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
  34. 34. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Bugs in bridging / filtering Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
  35. 35. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Bugs in bridging / filtering Bugs in netback via the ring protocol Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
  36. 36. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
  37. 37. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Control of domain 0 kernel Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
  38. 38. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Control of domain 0 kernel Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
  39. 39. Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 12 / 33
  40. 40. Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware What is it? Unprivileged VM which drives hardware, provides access to guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 12 / 33
  41. 41. Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  42. 42. Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  43. 43. Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  44. 44. Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Control of NIC Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  45. 45. Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Control of NIC Opportunity to attack netfront of other guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  46. 46. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  47. 47. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  48. 48. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  49. 49. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  50. 50. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  51. 51. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  52. 52. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  53. 53. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  54. 54. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  55. 55. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration vif = [ ’type=pv, bridge=xenbr0, backend=domnet’ ] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  56. 56. Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration vif = [ ’type=pv, bridge=xenbr0, backend=domnet’ ] http://wiki.xen.org/wiki/Driver Domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  57. 57. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  58. 58. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  59. 59. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  60. 60. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Reads guest FS, parses grub.conf, presents menu Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  61. 61. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Reads guest FS, parses grub.conf, presents menu Passes resulting kernel image to domain builder Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  62. 62. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
  63. 63. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
  64. 64. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Bugs in menu parser Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
  65. 65. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Bugs in menu parser Bugs in kernel / initrd image parsers Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
  66. 66. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
  67. 67. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Control of domain 0 user space Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
  68. 68. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Control of domain 0 user space Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
  69. 69. Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
  70. 70. Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Passing a known-good kernel from domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
  71. 71. Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Passing a known-good kernel from domain 0 Removes attacker avenue to domain builder Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
  72. 72. Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
  73. 73. Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Host admin must keep up with kernel updates Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
  74. 74. Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Host admin must keep up with kernel updates Guest admin can’t pass kernel parameters, custom kernels, Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
  75. 75. Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  76. 76. Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  77. 77. Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  78. 78. Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  79. 79. Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Now an exploit buys you: Control of your own VM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  80. 80. Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  81. 81. Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  82. 82. Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  83. 83. Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  84. 84. Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  85. 85. Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  86. 86. Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config kernel=”/usr/lib/xen/boot/pvgrub-x86 32.gz” Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  87. 87. Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config kernel=”/usr/lib/xen/boot/pvgrub-x86 32.gz” http://wiki.xen.org/wiki/Pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  88. 88. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Hardware Drivers Fully Virtualized (HVM) Domain Xen Hypervisor How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
  89. 89. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor How to break in? Bugs in NIC emulator parsing packets Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
  90. 90. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor How to break in? Bugs in NIC emulator parsing packets Bugs in emulation of virtual devices Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
  91. 91. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  92. 92. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  93. 93. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  94. 94. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Not hypothetical Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  95. 95. Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Not hypothetical Three exploitable bugs found in qemu last 2 years Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  96. 96. Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
  97. 97. Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Stub domain: a small “service” domain running just one application Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
  98. 98. Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Stub domain: a small “service” domain running just one application qemu stub domain: run each qemu in its own domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
  99. 99. Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
  100. 100. Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Control of the stubom VM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
  101. 101. Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Control of the stubom VM Access to PV interfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
  102. 102. Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  103. 103. Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  104. 104. Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  105. 105. Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  106. 106. Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  107. 107. Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  108. 108. Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config device model stubdomain override = 1 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  109. 109. Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config device model stubdomain override = 1 http://wiki.xen.org/wiki/Device Model Stub Domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  110. 110. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  111. 111. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  112. 112. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  113. 113. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  114. 114. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  115. 115. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  116. 116. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  117. 117. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  118. 118. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Survey of security updates looks statistically similar Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  119. 119. Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Survey of security updates looks statistically similar Security practice: If you can’t use stub domains, use PV VMs Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  120. 120. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  121. 121. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  122. 122. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  123. 123. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  124. 124. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Uses same concepts, tools as SELinux Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  125. 125. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Uses same concepts, tools as SELinux Allows a policy to restrict hypercalls Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  126. 126. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  127. 127. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  128. 128. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  129. 129. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  130. 130. Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges FLASK example policy This contains example roles for dom0, domU, stub domains, driver domains, &c Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  131. 131. Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  132. 132. Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  133. 133. Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  134. 134. Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  135. 135. Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  136. 136. Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] http://wiki.xen.org/wiki/Xen Security Modules : XSMFLASK Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  137. 137. Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] http://wiki.xen.org/wiki/Xen Security Modules : XSMFLASK WARNING: In 4.3, the example policy not extensively tested. Use with care! Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  138. 138. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  139. 139. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  140. 140. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  141. 141. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  142. 142. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  143. 143. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  144. 144. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  145. 145. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  146. 146. Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  147. 147. Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
  148. 148. Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key security features of Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
  149. 149. Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key security features of Xen Equipped with the knowledge to get them working Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
  150. 150. Intro Network path Bootloader Device model Xen Conclusion Questions Questions? More info at http://wiki.xen.org/wiki/Securing Xen Check out our blog: http://blog.xen.org/ Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 33 / 33

×