Secure Virtual Machine
Execution Under an
Untrusted Management OS
Chunxiao Li
Anand Raghunathan
Niraj K. Jha
Outline

Background: Security & Virtualization

Security challenges in virtualization-based
architecture

A secure virtual machine execution
environment

Implementation & results

Security analysis
1
The goal of computer security

Computer security: a branch of information
security applied to computers

Three objectives of
information security:
Confidentiality
 Integrity
 Availability

Confidentiality:
Authentication,
Authorization,
Access control,
Encryption/
Decryption
Integrity:
Data validation,
One-way Hash,
Digital signature
Availability:
Defending DoS,
against DoS,
Back up / restore,
Load balancing
2
What is virtualization?

Virtualization: Technology for creating a software-controlled
environment to allow program execution in it [1]
[1] http://www.ok-labs.com/virtualization-and-security/what-is-virtualization
[2] Barham et al., “Xen and the art of virtualization,” SOSP 2003
3
Relationship between
virtualization and security

On the one hand, virtualization can be utilized to
enhance security



Secure logging (Chen et al., 2001)
Terra architecture (Garfinkel et al., 2003)
On the other hand, virtualization also gives rise to
several security concerns


Scaling, transience, software lifecycle, diversity,
mobility, identity and data lifetime [1]
Virtual machine-based rootkits (VMBR) [2]
[1] Garfinkel et al., “When virtual is harder than real,” HTOS 2005
[2] King et al., “Subvirt: Implementing malware with virtual machines,” IEEE S&P 2006
4
Outline

Background: Security & Virtualization

Security challenges in virtualization-based
architecture

A secure virtual machine execution
environment

Implementation & results

Security analysis
5
Security challenges in
virtualization-based architecture

Our work tries to solve one of the
fundamental security concerns in
virtualization

The trusted computing base of a VM is too
large
6

A Security challenge of
virtualization-based
architecture
Trusted computing base (TCB): a small amount of software and
hardware that security depends on and that we distinguish from a much
larger amount that can misbehave without affecting security [1]

Smaller TCB  more security
C
B
A
TCB
[1] Lampson et al., “Authentication in distributed systems: Theory and practice,” ACM TCS 1992
7
A Security challenge of
virtualization-based architecture
(Contd.)

Security challenge : TCB for a VM is too large
Smaller TCB
Actual TCB
8
Xen architecture and the
threat model

Management VM – Dom0

Guest VM – DomU

Dom0 may be malicious




Vulnerabilities
Device drivers
Careless/malicious
administration
Dom0 is in the TCB of DomU because it can access
the memory of DomU, which may cause information
leakage/modification
9
Outline

Background: Security & Virtualization

Security challenges in virtualization-based
architecture

A secure virtual machine execution
environment

Implementation & results

Security analysis
10
Towards a secure execution
environment for DomU

Scenario: A client uses the service of a cloud
computing company to build a remote VM

A secure network interface

A secure secondary storage

A secure run-time environment

Build, save, restore, destroy
11
Towards a secure execution
environment for DomU
(Contd.)

A secure run-time environment is the most fundamental


The first two already have solutions:
 Network interface: Transport layer security (TLS)
 Secondary storage: Network file system (NFS)
The security mechanism in the first two rely on a secure
run-time environment
 All the cryptographic algorithms and security
protocols reside in the run-time environment
12
Domain building

Building process
13
Domain save/restore
14
Domain save/restore
(Contd.)
DomU memory
Page1
Page2
Page3
S Page4
Page5
Dom0
Xen
Layer
Storage
Page3
15
Domain save/restore
(Contd.)
DomU memory
Dom0
Page1
Page2
Page3
3egap
S Page4
$
Page5
Hash
Xen
Layer
W
Hash
Storage
16
Outline

Background: Security & Virtualization

Security challenges in virtualization-based
architecture

A secure virtual machine execution
environment

Implementation & results

Security analysis
17
Implementation & results


Modification of Xen system only affects domain build, save
and restore
Normal work in DomU has little performance degradation
18
Outline

Background: Security & Virtualization

Security challenges in virtualization-based
architecture

A secure virtual machine execution
environment

Implementation & results

Security analysis
19
Security analysis

Malicious Dom0 in original Xen system may:
Access any memory page of DomU and read
its content
 Access any memory page of DomU and
change its content
 Randomly start and shut down the domain,
and thus control the availability of all VMs


We successfully solved the first two security
concerns, with a small execution time
overhead
20
Outline

Background: Security & Virtualization

Security challenges in virtualization-based
architecture

A secure virtual machine execution
environment

Implementation & results

Security analysis
21
Conclusion

Virtualization technology can both benefit and undermine
computer security in different ways

One of the fundamental security concerns of
virtualization-based architecture is that the TCB of a
VM is too large

A protection mechanism in Xen virtualization system
proposed, which successfully excludes the management
domain out of the TCB with small execution time
overhead
22
Thank you!