Analysis of monolithic and microkernel architectures
1. Analysis of Monolithic and Microkernel
Architectures: Towards secure Hypervisor Design
by Dr. Jordan Shropshire
PREPARED BY
SHAKIL AHMED (19-91472-3).
SERIAL: 12
ADVANCED OPERATING SYSTEM (MSCS).
2. Contents
Motivation of the Paper.
Background
Hypervisors.
Security Rings.
Trusted Code Base.
Monolithic and Microkernel Architectures.
Threat Model.
Analysis on Six Features
Management interface.
Monitoring.
Hypercalls.
Interrupts.
Networking.
Storage.
Conclusion.
3. Motivation of the Paper
The research focuses on hypervisor security from a holistic perspective.
The author investigated the impact of monolithic and microkernel hypervisor
architectures on the size and scope of the attack surface.
The research distinguishes six architectural features: the management API,
the monitoring interface, hypercalls, interrupts, networking and I/O.
These features are the main attack vectors.
The research concludes with observations on the relative strengths and
vulnerabilities of both types of architecture (monolithic and microkernel) and finds
that neither design is secure, since each incorporates tradeoffs in its core processes.
4. Background: Hypervisor
A hypervisor is firmware, software or hardware that creates and runs virtual machines. Hypervisors
also act as a bridge between a virtual machine (VM) and the hardware.
A computer on which a hypervisor runs one or more virtual machines is called
a host machine.
Each virtual machine is called a guest machine.
There are two types of hypervisors:
Type 1 or bare-metal hypervisor: it does not require an additional OS, not even a lightweight one.
Type 2 or hosted hypervisor: it is an application installed on an OS rather than directly on
the bare metal.
A virtual machine sends requests to the hypervisor in the form of hypercalls; hypercalls are a
paravirtualization concept in which the VM kernel is modified.
5. Background: Hypervisor
Hypercalls are analogous to system calls, which act as a bridge between user-mode
applications and kernel functions.
Hypervisors receive interrupt signals and determine which VM should receive each
interrupt.
A scheduler distributes processing capacity among the virtual machines.
6. Background: Security Rings
A protection or security ring is a hierarchical protection domain, together with the
mechanisms that protect data from faults and malicious behaviour.
The model consists of rings numbered 0 to 3, where 0 is the innermost and 3 the
outermost ring.
Ring 0 is reserved for the kernel and interacts with the hardware; in a virtualized
system it corresponds to the hypervisor.
Rings 1 and 2 are reserved for device drivers.
Ring 3 is for user mode only.
The rings provide a security buffer against accidental or intentional corruption.
A fault or exception in an outer ring has less impact than one in an inner ring.
7. Background: Trusted Code Base
The trusted code base comprises the components of the core system process that ensure basic
functionality and security.
It also supports the isolation of objects.
The trusted code base should be small.
Because of its smaller size, it excludes lower-priority and non-essential elements.
Including a component also takes less effort.
8. Background: Monolithic and Microkernel
Architecture
Microkernel architectures are designed to minimize code in the hypervisor space.
Security ring 3 consists of the management interface and applications, security ring 1
consists of the virtualization stack, the management OS kernel and the guest OS kernel,
and security ring 0 consists of the hypervisor. Figure 1 shows the microkernel architecture.
Examples: Xen, Hyper-V.
Figure 1: Microkernel Architecture
9. Background: Monolithic and Microkernel
Architecture
Monolithic architectures condense all the subsystems into a single entity.
Security ring 3 consists of applications, ring 1 consists of the guest OS kernel and
ring 0 consists of the management interface, the virtualization stack and the hypervisor kernel.
Compared to microkernel hypervisors, the monolithic architecture has a larger
footprint. Figure 2 shows the monolithic architecture.
Example: ESXi.
Figure 2: Monolithic Architecture
10. Threat Model
An attacker pursues any weakness in the hypervisor in order to carry out an attack.
The threat model assumes an adversary with logical access to hypervisor
interfaces but no direct access to the hardware.
An attack may originate from an entity hosted on the hypervisor or from outside.
By finding a host with an open port, an attacker may gain the opportunity to breach the
system.
Once access is obtained, the attacker tries to elevate privileges to root level in order to
compromise the system.
11. Analysis on Six Features
In this section the author discusses the analysis of six hypervisor features.
The six features are compared between the monolithic and microkernel architectures.
The analysis focuses on differences in subsystem footprint, distribution of trusted
code and the impact of security ring configuration.
12. Analysis: Management Interface
This section notes the vulnerabilities and security tradeoffs in the management
interface.
It allows remote agents to connect to a hypervisor and perform managerial duties
such as initiating VM migrations, provisioning hardware and reconfiguring resource
pools.
The management interface is therefore a prime target for attack.
In this area, the microkernel tends to offer more configuration options.
The monolithic architecture requires fewer classes than the microkernel architecture.
The microkernel architecture is nonetheless slightly better than the monolithic one, because it
constrains the management interface, which limits system customization.
13. Analysis: Monitoring
The monitoring interface allows external devices to query a hypervisor, receive metrics,
prepare VM performance reports or poll hardware.
Attackers would be interested in tapping into the monitoring system and altering the reported
metrics.
To mitigate this, a number of steps are introduced between the monitoring interface and the
hypervisor.
These steps eliminate potential threats before a query is performed in the hypervisor.
The maximum number of steps found is 14 for the microkernel architecture and 10 for the monolithic
architecture.
14. Analysis: Monitoring Cont’d
For the purpose of illustration, the Hyper-V monitoring process is shown in Figure 3.
Process:
The VM management service (VMMS) receives a request for monitoring data.
The VMMS transfers it to Windows Management Instrumentation (WMI).
WMI reads the request and triggers the virtual interface driver (VID).
Figure 3: Hyper-V Monitoring Path.
15. Analysis: Monitoring Cont’d
The VID passes the request down the virtstack.
The virtstack references the WinHv library.
The root partition issues a hypercall.
Hardware performance is observed.
The hypervisor interrupts the root partition.
The performance data is moved up the virtstack to the VID.
The virtual machine kernel interrupts WMI with the result.
Once the metrics are prepared, the result is passed to the VMMS.
The interface completes the request.
16. Analysis: Hypercalls
This section analyzes weaknesses inherent in the hypercall subsystem.
Virtual machines use hypercalls to communicate with the hypervisor.
The subsystem is susceptible to attack by rooted virtual machines.
Corrupted hypercalls can degrade the system.
The study also found that larger hypercall libraries carry more risk.
Because of its management partition, the microkernel architecture reduces this risk more than the
monolithic architecture does, even though the monolithic architecture requires fewer hypercalls.
17. Analysis: Hypercalls cont’d
The hypercall table for both the microkernel and monolithic architectures is given in Table 1.
Table 1: Ranking of Hypercalls for microkernel and monolithic kernel.
18. Analysis: Interrupts
The hypervisor communicates with the machine via interrupts.
The location of the hypervisor and its interrupt descriptor table has implications for
information security.
Emulators located in user space are susceptible to tampering,
whereas emulators located in a privileged zone are harder to reach.
The microkernel architecture places the interrupt emulator in the management partition in
ring 3, whereas the monolithic architecture places the interrupt emulator in the hypervisor, where
reaching it requires more privilege.
19. Analysis: Networking
The network subsystem provides each virtual machine with its own emulated network adapter.
The network subsystem is a primary target for attackers.
An attacker tries to read or modify packet data sent through the network.
To counter this, the microkernel architecture splits the network process between the management
partition and the hypervisor.
The network subsystem is thus divided between the management partition and the kernel.
In the monolithic architecture, the entire network process occurs in ring 0.
20. Analysis: Networking cont’d
For purposes of illustration, the ESXi network process is shown in Figure 4.
Process:
An application issues a system call to initiate an asynchronous network operation.
The guest OS starts the network operation.
The hypervisor traps the instruction and copies the packet into a temporary data store in ring 0.
The hypervisor returns to the guest OS in ring 1.
The guest returns to the appropriate application in ring 3.
The emulated NIC (a vlance instance for strict virtualization) polls the temporary store
and retrieves the packet.
Figure 4: ESXi Network Path.
21. Analysis: Networking cont’d
The emulator queries VMFS for the MAC address associated with the packet.
The associated MAC address is returned for pairing with the datagram.
The formed packet is retrieved by the virtual switch for routing.
The packet exits the virtual switch process and enters the network stack.
The network stack finalizes the frame header and passes it to the drivers.
As the packet is being sent, a message is passed up the stack to inform the appropriate virtual NIC.
The device driver transmits the packet onto the network.
The hypervisor receives a response packet and stores it in a temporary buffer.
The packet is passed up the network stack.
The received packet elements enter the virtual switch for processing.
The emulated NIC accepts the packet and reformats the header.
The packet is loaded into shared storage using the Vmbus.
An interrupt is sent to the virtual machine kernel, alerting it to the received packet.
The guest kernel interrupts the guest application.
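The two step lists above (the Hyper-V monitoring path and the ESXi network transmit path) are what the paper's analysis compares by footprint, trusted-code distribution and ring configuration. The script below is an added example, not code from the paper or the slides: it encodes each path as (component, ring) steps and computes those metrics. The ring numbers are assumptions derived from the slides' ring layouts, and the ESXi list covers only the transmit half of the path.

```python
"""Added example (not from the paper or slides): model the Hyper-V monitoring
path and the ESXi network transmit path as (component, ring) steps and compute
what the analysis compares: footprint (step count), the share of steps inside
hypervisor ring 0, and the number of ring crossings a request traverses.
Ring numbers are assumptions taken from the slides' ring layouts."""

# Microkernel layout: management interface ring 3, virtualization stack and
# kernels ring 1, hypervisor ring 0. Hyper-V monitoring path, one step per entry.
HYPERV_MONITORING = [
    ("VMMS receives monitoring request", 3),
    ("VMMS hands request to WMI", 3),
    ("WMI triggers VID", 3),
    ("VID passes request down virtstack", 1),
    ("virtstack references WinHv library", 1),
    ("root partition issues hypercall", 1),
    ("hypervisor observes hardware performance", 0),
    ("hypervisor interrupts root partition", 0),
    ("performance data moves up virtstack to VID", 1),
    ("VM kernel interrupts WMI with result", 1),
    ("metrics passed to VMMS", 3),
    ("interface finishes request", 3),
]

# Monolithic layout: application ring 3, guest kernel ring 1, everything else
# (management, virtstack, emulated devices, hypervisor kernel) ring 0.
ESXI_NETWORK_TX = [
    ("application issues system call", 3),
    ("guest OS starts network operation", 1),
    ("hypervisor traps and copies packet to ring 0 store", 0),
    ("hypervisor returns to guest OS", 1),
    ("guest returns to application", 3),
    ("emulated NIC polls temporary store", 0),
    ("emulator queries VMFS for MAC address", 0),
    ("MAC address paired with datagram", 0),
    ("virtual switch retrieves packet", 0),
    ("packet enters network stack", 0),
    ("network stack finalises frame header", 0),
    ("device driver transmits packet", 0),
]

def path_metrics(path):
    """Return footprint, fraction of steps in ring 0, and ring crossings."""
    rings = [ring for _, ring in path]
    ring0 = sum(1 for r in rings if r == 0)
    crossings = sum(1 for a, b in zip(rings, rings[1:]) if a != b)
    return {"steps": len(path), "ring0_share": ring0 / len(path),
            "crossings": crossings}
```

The microkernel path spends a small fraction of its steps in ring 0 but crosses rings repeatedly, while the monolithic path keeps most steps in ring 0; that is the tradeoff the slides describe in numbers.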
22. Analysis: Storage
The I/O subsystem is another backend interface.
It abstracts the physical device and provides a distinct software emulation for each VM.
In the monolithic architecture, the I/O process is condensed in ring 0.
This simplifies the architecture but increases its vulnerability.
The microkernel architecture stretches the I/O process across several rings, from 3 to 0.
This reduces risk by granting less access to the hypervisor kernel.
23. Analysis: Storage Cont’d
To illustrate the storage process, the Xen I/O architecture is depicted in Figure 5.
Figure 5: Xen Storage Path.
24. Conclusion
The paper discussed the vulnerabilities and security tradeoffs in monolithic and
microkernel architectures. It also assessed the impact of six architectural features on
the scope of the attack surface. Because both architectures have inherent weaknesses, it
is not possible to conclude that one is more secure than the other.