Xoar-BartMiller

advertisement
Bart Miller – October 22nd, 2012






TCB & Threat Model
Xen Platform
Xoar Architecture Overview
Xoar Components
Design Goals
Results
 Security
 Vulnerability Mitigation
 Performance


Trusted Computing Base is defined as “the
totality of protection mechanisms within a
computer system – including hardware,
firmware, and software – the combination of
which is responsible for enforcing a security
policy.”
Xen, by virtue of privilege, is part of the TCB


In Xen, all components operate under a
monolithic trust domain
Compromise of any component yields two
benefits:
 Gain privilege level of component
 Access its interfaces to other components

Assumption #1: Administrators are not a
concern
 Business imperative

Assumption #2: Malicious guest VM
 Violate data integrity or confidentiality
 Exploiting code

Assumption #3: The control VM will contain
bugs

Device drivers
 Virtualized, passed-through, or emulated

XenStore
 Hierarchical key-value store
 System-wide registry
 Most critical component
▪ Vulnerable to DoS attacks
▪ Perform most administrative operations

Toolstack
 Administrative functions
 Create, destroy, managing resources and privilege
for guest VMs

System Boot
 Starts DomO process, initialize hardware

Reduce privilege
 Each component should only have the privileges
essential to its purpose
 Each component should only expose interfaces
when necessary

Reduce sharing
 Sharing components should be avoided wherever
it is reasonable
 Any sharing of components must be explicit
 Allows for logging and auditing in the event of a
compromise

Reduce staleness
 A component should only run for as long as it
needs to perform its task.
 It should be restored to a known, good state as
frequently as practicable.

Reduced TCB
 Bootstrapper, PCIBack, and Builder are most
privileged components
 Bootstrapper and PCIBack destroyed once
initialized
 TCB reduced
▪ Linux: 7.6M LoC
▪ Builder: 13,5k LoC (Builder)

Solved through isolation
 Device Emulation
 Virtualized Drivers


XenStore, re-written
Hypervisor vulnerabilities remain

Test system
 Ca. 2011 server
 Quad-core Xeon, 4Gb RAM
 All virtualization features enabled

Memory overhead
 512Mb – 896Mb in Xoar vs.
 750Mb in XenServer

Any questions?
Download