The Linux Foundation, profile picture
Uploaded byThe Linux Foundation
PDF, PPTX195,340 views

LCEU13: Securing your cloud with Xen's advanced security features - George Dunlap, Citrix

The document discusses securing cloud environments using Xen, an open-source type 1 hypervisor, emphasizing its advanced security features and architecture. It covers key concepts, security analysis principles, potential attack surfaces, and specific features like driver domains that enhance security. Finally, it provides insights on how to implement these security features effectively within a Xen environment.

Embed presentation

Download as PDF, PPTX
1 / 150
2 / 150
3 / 150
4 / 150
5 / 150
6 / 150
7 / 150
8 / 150
9 / 150
10 / 150
11 / 150
12 / 150
13 / 150
14 / 150
15 / 150
16 / 150
17 / 150
18 / 150
19 / 150
20 / 150
21 / 150
22 / 150
23 / 150
24 / 150
25 / 150
26 / 150
27 / 150
28 / 150
29 / 150
30 / 150
31 / 150
32 / 150
33 / 150
34 / 150
35 / 150
36 / 150
37 / 150
38 / 150
39 / 150
40 / 150
41 / 150
42 / 150
43 / 150
44 / 150
45 / 150
46 / 150
47 / 150
48 / 150
49 / 150
50 / 150
51 / 150
52 / 150
53 / 150
54 / 150
55 / 150
56 / 150
57 / 150
58 / 150
59 / 150
60 / 150
61 / 150
62 / 150
63 / 150
64 / 150
65 / 150
66 / 150
67 / 150
68 / 150
69 / 150
70 / 150
71 / 150
72 / 150
73 / 150
74 / 150
75 / 150
76 / 150
77 / 150
78 / 150
79 / 150
80 / 150
81 / 150
82 / 150
83 / 150
84 / 150
85 / 150
86 / 150
87 / 150
88 / 150
89 / 150
90 / 150
91 / 150
92 / 150
93 / 150
94 / 150
95 / 150
96 / 150
97 / 150
98 / 150
99 / 150
100 / 150
101 / 150
102 / 150
103 / 150
104 / 150
105 / 150
106 / 150
107 / 150
108 / 150
109 / 150
110 / 150
111 / 150
112 / 150
113 / 150
114 / 150
115 / 150
116 / 150
117 / 150
118 / 150
119 / 150
120 / 150
121 / 150
122 / 150
123 / 150
124 / 150
125 / 150
126 / 150
127 / 150
128 / 150
129 / 150
130 / 150
131 / 150
132 / 150
133 / 150
134 / 150
135 / 150
136 / 150
137 / 150
138 / 150
139 / 150
140 / 150
141 / 150
142 / 150
143 / 150
144 / 150
145 / 150
146 / 150
147 / 150
148 / 150
149 / 150
150 / 150
Intro Network path Bootloader Device model Xen Conclusion Securing your cloud with Xen’s advanced security features George Dunlap Edinburgh – 21-23 October, 2013
Intro Network path Bootloader Device model Xen Conclusion Xen: an open-source, enterprise-grade, type I hypervisor Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 2 / 33
Intro Network path Bootloader Device model Xen Conclusion Built for the Cloud before it was called the Cloud Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 2 / 33
Intro Network path Bootloader Device model Xen Conclusion Advanced security features Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 3 / 33
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key security features of Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key security features of Xen Equipped with the knowledge to get them working Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
Intro Network path Bootloader Device model Xen Conclusion Xen Architecture dom 0 device model (qemu) toolstack Hardware Drivers netback blkback Paravirtualized (PV) Domain netfront blkfront Fully Virtualized (HVM) Domain Xen Hypervisor I/O Devices Edinburgh – 21-23 October, 2013 CPU Memory Hardware Securing your cloud with Xen’s advanced security features 6 / 33
Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Attacker can access guest network Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
Intro Network path Bootloader Device model Xen Conclusion Security Overview Threat Model Attacker can access guest network Attacker controls one guest OS Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code is accessible? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code is accessible? What is the interface like? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code is accessible? What is the interface like? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
Intro Network path Bootloader Device model Xen Conclusion Security Overview Security considerations How much code is accessible? What is the interface like? Defense-in-depth Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 PV guests with pygrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
Intro Network path Bootloader Device model Xen Conclusion Example System Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 PV guests with pygrub HVM guests with qemu running in domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Bugs in bridging / filtering Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Bugs in bridging / filtering Bugs in netback via the ring protocol Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Control of domain 0 kernel Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Control of domain 0 kernel Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 12 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware What is it? Unprivileged VM which drives hardware, provides access to guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 12 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Control of NIC Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Control of NIC Opportunity to attack netfront of other guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration vif = [ ’type=pv, bridge=xenbr0, backend=domnet’ ] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration vif = [ ’type=pv, bridge=xenbr0, backend=domnet’ ] http://wiki.xen.org/wiki/Driver Domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Reads guest FS, parses grub.conf, presents menu Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Reads guest FS, parses grub.conf, presents menu Passes resulting kernel image to domain builder Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Bugs in menu parser Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Bugs in menu parser Bugs in kernel / initrd image parsers Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Control of domain 0 user space Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Control of domain 0 user space Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Passing a known-good kernel from domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Passing a known-good kernel from domain 0 Removes attacker avenue to domain builder Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Host admin must keep up with kernel updates Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
Intro Network path Bootloader Device model Xen Conclusion Security practice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Host admin must keep up with kernel updates Guest admin can’t pass kernel parameters, custom kernels, Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Now an exploit buys you: Control of your own VM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config kernel=”/usr/lib/xen/boot/pvgrub-x86 32.gz” Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config kernel=”/usr/lib/xen/boot/pvgrub-x86 32.gz” http://wiki.xen.org/wiki/Pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Hardware Drivers Fully Virtualized (HVM) Domain Xen Hypervisor How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor How to break in? Bugs in NIC emulator parsing packets Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor How to break in? Bugs in NIC emulator parsing packets Bugs in emulation of virtual devices Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Not hypothetical Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack surface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Not hypothetical Three exploitable bugs found in qemu last 2 years Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Stub domain: a small “service” domain running just one application Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Stub domain: a small “service” domain running just one application qemu stub domain: run each qemu in its own domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Control of the stubom VM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Control of the stubom VM Access to PV interfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config device model stubdomain override = 1 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config device model stubdomain override = 1 http://wiki.xen.org/wiki/Device Model Stub Domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Survey of security updates looks statistically similar Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Attack Surface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Survey of security updates looks statistically similar Security practice: If you can’t use stub domains, use PV VMs Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Uses same concepts, tools as SELinux Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Uses same concepts, tools as SELinux Allows a policy to restrict hypercalls Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
Intro Network path Bootloader Device model Xen Conclusion Security feature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges FLASK example policy This contains example roles for dom0, domU, stub domains, driver domains, &c Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] http://wiki.xen.org/wiki/Xen Security Modules : XSMFLASK Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
Intro Network path Bootloader Device model Xen Conclusion HowTo: Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] http://wiki.xen.org/wiki/Xen Security Modules : XSMFLASK WARNING: In 4.3, the example policy not extensively tested. Use with care! Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Outline Overview of the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key security features of Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
Intro Network path Bootloader Device model Xen Conclusion Goal Tools to think about security in Xen Know some key security features of Xen Equipped with the knowledge to get them working Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
Intro Network path Bootloader Device model Xen Conclusion Questions Questions? More info at http://wiki.xen.org/wiki/Securing Xen Check out our blog: http://blog.xen.org/ Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 33 / 33

More Related Content

PDF
OWF: Xen - Open Source Hypervisor Designed for Clouds
byThe Linux Foundation
 
PDF
LF Collaboration Summit: Xen Project 4 4 Features and Futures
byThe Linux Foundation
 
PDF
Xen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,Pavlicek
byThe Linux Foundation
 
PDF
Erlang on Xen: Redefining the cloud software stack
byViktor Sovietov
 
PPTX
LinuxCon Japan 13 : 10 years of Xen and Beyond
byThe Linux Foundation
 
PDF
Xen Project Hypervisor for the Cloud
byThe Linux Foundation
 
PPTX
Linuxcon EU : Virtualization in the Cloud featuring Xen and XCP
byThe Linux Foundation
 
PDF
Rootlinux17: An introduction to Xen Project Virtualisation
byThe Linux Foundation
 
OWF: Xen - Open Source Hypervisor Designed for Clouds
byThe Linux Foundation
 
LF Collaboration Summit: Xen Project 4 4 Features and Futures
byThe Linux Foundation
 
Xen, XenServer, and XAPI: What’s the Difference?-XPUS13 Bulpin,Pavlicek
byThe Linux Foundation
 
Erlang on Xen: Redefining the cloud software stack
byViktor Sovietov
 
LinuxCon Japan 13 : 10 years of Xen and Beyond
byThe Linux Foundation
 
Xen Project Hypervisor for the Cloud
byThe Linux Foundation
 
Linuxcon EU : Virtualization in the Cloud featuring Xen and XCP
byThe Linux Foundation
 
Rootlinux17: An introduction to Xen Project Virtualisation
byThe Linux Foundation
 

What's hot

PDF
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
bybuildacloud
 
PDF
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...
byThe Linux Foundation
 
PDF
Securing your cloud with Xen's advanced security features
byThe Linux Foundation
 
PDF
OSCON14: Mirage 2.0
byThe Linux Foundation
 
PDF
BSDcon Asia 2015: Xen on FreeBSD
byThe Linux Foundation
 
PDF
Aplura virtualization slides
byThe Linux Foundation
 
PPTX
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
byThe Linux Foundation
 
PDF
Why xen slides
byThe Linux Foundation
 
PDF
Securing Your Cloud with Xen (CloudOpen NA 2013)
byRussell Pavlicek
 
PDF
Xen time machine
byThe Linux Foundation
 
PDF
Using and Understanding Xen4Centos
byThe Linux Foundation
 
PPTX
BACD July 2012 : The Xen Cloud Platform
byThe Linux Foundation
 
PPTX
Getting Started with XenServer and OpenStack.pptx
byOpenStack Foundation
 
PDF
Performance Tuning Xen
byThe Linux Foundation
 
PPTX
LFCOLLAB15: Xen 4.5 and Beyond
byThe Linux Foundation
 
PDF
Xen 10th anniversary Status Report (at SELF 2013)
byRussell Pavlicek
 
PDF
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...
byThe Linux Foundation
 
PPTX
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...
byThe Linux Foundation
 
PDF
Linaro Connect Asia 13 : Citrix - Xen on ARM plenary session
byThe Linux Foundation
 
ODP
S4 xen hypervisor_20080622
byTodd Deshane
 
Securing Your Cloud With the Xen Hypervisor by Russell Pavlicek
bybuildacloud
 
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, ...
byThe Linux Foundation
 
Securing your cloud with Xen's advanced security features
byThe Linux Foundation
 
OSCON14: Mirage 2.0
byThe Linux Foundation
 
BSDcon Asia 2015: Xen on FreeBSD
byThe Linux Foundation
 
Aplura virtualization slides
byThe Linux Foundation
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
byThe Linux Foundation
 
Why xen slides
byThe Linux Foundation
 
Securing Your Cloud with Xen (CloudOpen NA 2013)
byRussell Pavlicek
 
Xen time machine
byThe Linux Foundation
 
Using and Understanding Xen4Centos
byThe Linux Foundation
 
BACD July 2012 : The Xen Cloud Platform
byThe Linux Foundation
 
Getting Started with XenServer and OpenStack.pptx
byOpenStack Foundation
 
Performance Tuning Xen
byThe Linux Foundation
 
LFCOLLAB15: Xen 4.5 and Beyond
byThe Linux Foundation
 
Xen 10th anniversary Status Report (at SELF 2013)
byRussell Pavlicek
 
XPDDS19: Argo and Hypervisor-Mediated Data eXchange (HMX) - Christopher Clark...
byThe Linux Foundation
 
XPDDS18: Windows PV Drivers Project: Status and Updates - Paul Durrant, Citri...
byThe Linux Foundation
 
Linaro Connect Asia 13 : Citrix - Xen on ARM plenary session
byThe Linux Foundation
 
S4 xen hypervisor_20080622
byTodd Deshane
 

Similar to LCEU13: Securing your cloud with Xen's advanced security features - George Dunlap, Citrix

PDF
Securing your Cloud with Xen - SUSECon 2013
byThe Linux Foundation
 
PDF
Scale 12x Securing Your Cloud with The Xen Hypervisor
byThe Linux Foundation
 
PDF
Build-a-Cloud Day - Securing Your Cloud with Xen
byThe Linux Foundation
 
PDF
LFNW2014 Advanced Security Features of Xen Project Hypervisor
byThe Linux Foundation
 
PPS
Xen Euro Par07
bycongvc
 
PDF
XPDS13: SecureServe - A Multi-level Secure Server Virtualization Platform on ...
byThe Linux Foundation
 
PPT
Cloud Security
byRashmi Agale
 
PDF
Fosdem 18: Securing embedded Systems using Virtualization
byThe Linux Foundation
 
PPTX
Hypervisor Security - OpenStack Summit Hong Kong
byRobert Clark
 
PDF
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
byIJERD Editor
 
PDF
Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
byStefano Stabellini
 
PDF
Xen: Hypervisor for the Cloud - CCC13
byThe Linux Foundation
 
PPTX
Scale17x: Thinking outside of the conceived tech comfort zone
byThe Linux Foundation
 
PDF
Xen community update
byThe Linux Foundation
 
PPTX
Xen and the art of virtualization
byAbdul417101
 
PDF
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
byThe Linux Foundation
 
PDF
Xen Project 15 Years down the Line
byThe Linux Foundation
 
PDF
Oscon 2012 : From Datacenter to the Cloud - Featuring Xen and XCP
byThe Linux Foundation
 
PDF
Platform Security Summit 18: Xen Security Weather Report 2018
byThe Linux Foundation
 
PDF
Ina Pratt Fosdem Feb2008
byThe Linux Foundation
 
Securing your Cloud with Xen - SUSECon 2013
byThe Linux Foundation
 
Scale 12x Securing Your Cloud with The Xen Hypervisor
byThe Linux Foundation
 
Build-a-Cloud Day - Securing Your Cloud with Xen
byThe Linux Foundation
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
byThe Linux Foundation
 
Xen Euro Par07
bycongvc
 
XPDS13: SecureServe - A Multi-level Secure Server Virtualization Platform on ...
byThe Linux Foundation
 
Cloud Security
byRashmi Agale
 
Fosdem 18: Securing embedded Systems using Virtualization
byThe Linux Foundation
 
Hypervisor Security - OpenStack Summit Hong Kong
byRobert Clark
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
byIJERD Editor
 
Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
byStefano Stabellini
 
Xen: Hypervisor for the Cloud - CCC13
byThe Linux Foundation
 
Scale17x: Thinking outside of the conceived tech comfort zone
byThe Linux Foundation
 
Xen community update
byThe Linux Foundation
 
Xen and the art of virtualization
byAbdul417101
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
byThe Linux Foundation
 
Xen Project 15 Years down the Line
byThe Linux Foundation
 
Oscon 2012 : From Datacenter to the Cloud - Featuring Xen and XCP
byThe Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
byThe Linux Foundation
 
Ina Pratt Fosdem Feb2008
byThe Linux Foundation
 

More from The Linux Foundation

PDF
ELC2019: Static Partitioning Made Simple
byThe Linux Foundation
 
PDF
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
byThe Linux Foundation
 
PDF
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
byThe Linux Foundation
 
PDF
XPDDS19 Keynote: Unikraft Weather Report
byThe Linux Foundation
 
PDF
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
byThe Linux Foundation
 
PDF
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
byThe Linux Foundation
 
PDF
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
byThe Linux Foundation
 
PDF
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
byThe Linux Foundation
 
PPTX
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
byThe Linux Foundation
 
PPTX
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
byThe Linux Foundation
 
PDF
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
byThe Linux Foundation
 
PDF
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
byThe Linux Foundation
 
PDF
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
byThe Linux Foundation
 
PDF
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
byThe Linux Foundation
 
PDF
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
byThe Linux Foundation
 
PDF
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
byThe Linux Foundation
 
PDF
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
byThe Linux Foundation
 
PDF
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
byThe Linux Foundation
 
PDF
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
byThe Linux Foundation
 
PDF
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
byThe Linux Foundation
 
ELC2019: Static Partitioning Made Simple
byThe Linux Foundation
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
byThe Linux Foundation
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
byThe Linux Foundation
 
XPDDS19 Keynote: Unikraft Weather Report
byThe Linux Foundation
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
byThe Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
byThe Linux Foundation
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
byThe Linux Foundation
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
byThe Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
byThe Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
byThe Linux Foundation
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
byThe Linux Foundation
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
byThe Linux Foundation
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
byThe Linux Foundation
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
byThe Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
byThe Linux Foundation
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
byThe Linux Foundation
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
byThe Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
byThe Linux Foundation
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
byThe Linux Foundation
 
XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security
byThe Linux Foundation
 

Recently uploaded

PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
AI Technology important knowledge ......
byutkarshj2007
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
The year in review - MarvelClient in 2025
bypanagenda
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 

LCEU13: Securing your cloud with Xen's advanced security features - George Dunlap, Citrix

  • 1.
    Intro Network path Bootloader Device model Xen Conclusion Securingyour cloud with Xen’s advanced security features George Dunlap Edinburgh – 21-23 October, 2013
  • 2.
    Intro Network path Bootloader Device model Xen Conclusion Xen:an open-source, enterprise-grade, type I hypervisor Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 2 / 33
  • 3.
    Intro Network path Bootloader Device model Xen Conclusion Builtfor the Cloud before it was called the Cloud Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 2 / 33
  • 4.
    Intro Network path Bootloader Device model Xen Conclusion Advancedsecurity features Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 3 / 33
  • 5.
    Intro Network path Bootloader Device model Xen Conclusion Goal Toolsto think about security in Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
  • 6.
    Intro Network path Bootloader Device model Xen Conclusion Goal Toolsto think about security in Xen Know some key security features of Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
  • 7.
    Intro Network path Bootloader Device model Xen Conclusion Goal Toolsto think about security in Xen Know some key security features of Xen Equipped with the knowledge to get them working Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 4 / 33
  • 8.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 9.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 10.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 11.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 12.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 13.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 14.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 15.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 16.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 5 / 33
  • 17.
    Intro Network path Bootloader Device model Xen Conclusion XenArchitecture dom 0 device model (qemu) toolstack Hardware Drivers netback blkback Paravirtualized (PV) Domain netfront blkfront Fully Virtualized (HVM) Domain Xen Hypervisor I/O Devices Edinburgh – 21-23 October, 2013 CPU Memory Hardware Securing your cloud with Xen’s advanced security features 6 / 33
  • 18.
    Intro Network path Bootloader Device model Xen Conclusion SecurityOverview Threat Model Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
  • 19.
    Intro Network path Bootloader Device model Xen Conclusion SecurityOverview Threat Model Attacker can access guest network Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
  • 20.
    Intro Network path Bootloader Device model Xen Conclusion SecurityOverview Threat Model Attacker can access guest network Attacker controls one guest OS Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 7 / 33
  • 21.
    Intro Network path Bootloader Device model Xen Conclusion SecurityOverview Security considerations How much code is accessible? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
  • 22.
    Intro Network path Bootloader Device model Xen Conclusion SecurityOverview Security considerations How much code is accessible? What is the interface like? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
  • 23.
    Intro Network path Bootloader Device model Xen Conclusion SecurityOverview Security considerations How much code is accessible? What is the interface like? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
  • 24.
    Intro Network path Bootloader Device model Xen Conclusion SecurityOverview Security considerations How much code is accessible? What is the interface like? Defense-in-depth Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 8 / 33
  • 25.
    Intro Network path Bootloader Device model Xen Conclusion ExampleSystem Hardware setup Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  • 26.
    Intro Network path Bootloader Device model Xen Conclusion ExampleSystem Hardware setup Two networks: control network, guest network Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  • 27.
    Intro Network path Bootloader Device model Xen Conclusion ExampleSystem Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  • 28.
    Intro Network path Bootloader Device model Xen Conclusion ExampleSystem Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  • 29.
    Intro Network path Bootloader Device model Xen Conclusion ExampleSystem Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  • 30.
    Intro Network path Bootloader Device model Xen Conclusion ExampleSystem Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 PV guests with pygrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  • 31.
    Intro Network path Bootloader Device model Xen Conclusion ExampleSystem Hardware setup Two networks: control network, guest network IOMMU with interrupt remapping (AMD or Intel VT-d v2) Default configuration Network drivers in dom0 PV guests with pygrub HVM guests with qemu running in domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 9 / 33
  • 32.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
  • 33.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
  • 34.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Bugs in bridging / filtering Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
  • 35.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware How to break in? Bugs in hardware driver Bugs in bridging / filtering Bugs in netback via the ring protocol Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 10 / 33
  • 36.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
  • 37.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Control of domain 0 kernel Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
  • 38.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Network path dom 0 toolstack Domain netfront iptables bridge Rogue Domain NIC Driver netback netfront Xen Hypervisor Control NIC Guest NIC Hardware What does it buy you? Control of domain 0 kernel Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 11 / 33
  • 39.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 12 / 33
  • 40.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware What is it? Unprivileged VM which drives hardware, provides access to guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 12 / 33
  • 41.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  • 42.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  • 43.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  • 44.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Control of NIC Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  • 45.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: Driver Domains dom 0 Domain toolstack netfront Driver Domain iptables NIC Driver NIC Driver bridge netback Rogue Domain netfront Xen Hypervisor Control NIC Guest NIC Hardware Now an exploit buys you: Control of a PV VM (PV hypercall interface) Guest network traffic Control of NIC Opportunity to attack netfront of other guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 13 / 33
  • 46.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 47.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 48.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 49.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 50.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 51.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 52.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 53.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 54.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 55.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration vif = [ ’type=pv, bridge=xenbr0, backend=domnet’ ] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 56.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Driver Domains Create a VM with appropriate drivers Any distro supporting dom0 should do Install the xen-related hotplug scripts Just installing the xen tools in the VM is usually good enough Give the VM access to the physical NIC with PCI pass-through Configure the network topology in the driver domain Just like you would for dom0 Configure the guest vif to use the new domain ID Add backend=domnet to vif declaration vif = [ ’type=pv, bridge=xenbr0, backend=domnet’ ] http://wiki.xen.org/wiki/Driver Domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 14 / 33
  • 57.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  • 58.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  • 59.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  • 60.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Reads guest FS, parses grub.conf, presents menu Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  • 61.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? grub implementation for PV guests Python program running in domain 0 Reads guest FS, parses grub.conf, presents menu Passes resulting kernel image to domain builder Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 15 / 33
  • 62.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
  • 63.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
  • 64.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Bugs in menu parser Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
  • 65.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub Paravirtualized (PV) Domain guest disk Xen Hypervisor How to break in? Bugs in file system parser Bugs in menu parser Bugs in kernel / initrd image parsers Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 16 / 33
  • 66.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
  • 67.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Control of domain 0 user space Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
  • 68.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Pygrub dom 0 toolstack domain builder pygrub kernel Paravirtualized (PV) Domain guest disk Xen Hypervisor What does it buy you? Control of domain 0 user space Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 17 / 33
  • 69.
    Intro Network path Bootloader Device model Xen Conclusion Securitypractice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
  • 70.
    Intro Network path Bootloader Device model Xen Conclusion Securitypractice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Passing a known-good kernel from domain 0 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
  • 71.
    Intro Network path Bootloader Device model Xen Conclusion Securitypractice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor What is it? Passing a known-good kernel from domain 0 Removes attacker avenue to domain builder Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 18 / 33
  • 72.
    Intro Network path Bootloader Device model Xen Conclusion Securitypractice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
  • 73.
    Intro Network path Bootloader Device model Xen Conclusion Securitypractice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Host admin must keep up with kernel updates Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
  • 74.
    Intro Network path Bootloader Device model Xen Conclusion Securitypractice: Fixed kernels dom 0 kernel image toolstack domain builder Paravirtualized (PV) Domain guest disk Xen Hypervisor Disadvantages Host admin must keep up with kernel updates Guest admin can’t pass kernel parameters, custom kernels, Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 19 / 33
  • 75.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  • 76.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  • 77.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  • 78.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  • 79.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: pvgrub dom 0 toolstack domain builder pvgrub MiniOS guest disk Xen Hypervisor What is it? MiniOS + pv port of grub running in a guest context PV equivalent of HVM “BIOS + grub” Now an exploit buys you: Control of your own VM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 20 / 33
  • 80.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:pvgrub Make sure that you have the pvgrub image Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  • 81.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  • 82.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  • 83.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  • 84.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  • 85.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  • 86.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config kernel=”/usr/lib/xen/boot/pvgrub-x86 32.gz” Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  • 87.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:pvgrub Make sure that you have the pvgrub image pvgrub-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Use appropriate pvgrub as kernel in guest config kernel=”/usr/lib/xen/boot/pvgrub-x86 32.gz” http://wiki.xen.org/wiki/Pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 21 / 33
  • 88.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Device model (qemu) dom 0 device model (qemu) toolstack Hardware Drivers Fully Virtualized (HVM) Domain Xen Hypervisor How to break in? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
  • 89.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor How to break in? Bugs in NIC emulator parsing packets Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
  • 90.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor How to break in? Bugs in NIC emulator parsing packets Bugs in emulation of virtual devices Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 22 / 33
  • 91.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  • 92.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  • 93.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  • 94.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Not hypothetical Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  • 95.
    Intro Network path Bootloader Device model Xen Conclusion Attacksurface: Device model (qemu) dom 0 device model (qemu) toolstack Fully Virtualized (HVM) Domain Hardware Drivers Xen Hypervisor What does it buy you? Domain 0 privileged userspace Pretty much control of the whole system Not hypothetical Three exploitable bugs found in qemu last 2 years Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 23 / 33
  • 96.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
  • 97.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Stub domain: a small “service” domain running just one application Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
  • 98.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: qemu stub domains dom 0 toolstack Stub Domain Hardware Drivers device model minios Fully Virtualized (HVM) Domain Xen Hypervisor What is it? Stub domain: a small “service” domain running just one application qemu stub domain: run each qemu in its own domain Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 24 / 33
  • 99.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
  • 100.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Control of the stubom VM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
  • 101.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: qemu stub domains dom 0 toolstack Stub Domain device model Hardware Drivers minios Fully Virtualized (HVM) Domain Xen Hypervisor Now an exploit buys you: Control of the stubom VM Access to PV interfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 25 / 33
  • 102.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:qemu stub domains Make sure that you have the stubdom image: Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  • 103.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  • 104.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  • 105.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  • 106.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  • 107.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  • 108.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config device model stubdomain override = 1 Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  • 109.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:qemu stub domains Make sure that you have the stubdom image: ioemu-$ARCH.gz Normally lives in /usr/lib/xen/boot Included in Fedora Xen packages Debian-based: need to build yourself Specify stub domains in your guest config device model stubdomain override = 1 http://wiki.xen.org/wiki/Device Model Stub Domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 26 / 33
  • 110.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 111.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 112.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 113.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 114.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 115.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 116.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 117.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 118.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Survey of security updates looks statistically similar Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 119.
    Intro Network path Bootloader Device model Xen Conclusion AttackSurface: Xen HVM guests HVM hypercalls (Subset of PV hypercalls) Instruction emulation (MMIO, shadow pagetables) Emulated platform devices: APIC, HPET, PIT Nested virtualization PV guests PV Hypercalls Shared address space Survey of security updates looks statistically similar Security practice: If you can’t use stub domains, use PV VMs Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 27 / 33
  • 120.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What is FLASK? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  • 121.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  • 122.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  • 123.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  • 124.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Uses same concepts, tools as SELinux Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  • 125.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What is FLASK? Xen Security Module (XSM): Xen equivalent of LSM FLASK: Framework for XSM developed by NSA Xen Equivalent of SELinux Uses same concepts, tools as SELinux Allows a policy to restrict hypercalls Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 28 / 33
  • 126.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What can FLASK do? Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  • 127.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  • 128.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  • 129.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  • 130.
    Intro Network path Bootloader Device model Xen Conclusion Securityfeature: FLASK example policy What can FLASK do? Basic: Restricts hypercalls to those needed by a particular guest Advanced: Allows more fine-grained granting of privileges FLASK example policy This contains example roles for dom0, domU, stub domains, driver domains, &c Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 29 / 33
  • 131.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Use the example FLASK policy Build Xen with XSM enabled Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  • 132.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Use the example FLASK policy Build Xen with XSM enabled Build the example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  • 133.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  • 134.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  • 135.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  • 136.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] http://wiki.xen.org/wiki/Xen Security Modules : XSMFLASK Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  • 137.
    Intro Network path Bootloader Device model Xen Conclusion HowTo:Use the example FLASK policy Build Xen with XSM enabled Build the example policy Add the appropriate label to guest config files seclabel=[foo] stubdom label=[foo] http://wiki.xen.org/wiki/Xen Security Modules : XSMFLASK WARNING: In 4.3, the example policy not extensively tested. Use with care! Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 30 / 33
  • 138.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 139.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 140.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 141.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 142.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 143.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 144.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 145.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 146.
    Intro Network path Bootloader Device model Xen Conclusion Outline Overviewof the Xen architecture Brief introduction to principles of security analysis Consider some attack surfaces Xen features we can use to make them more secure Driver domains pvgrub stub domains PV vs HVM FLASK example policy Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 31 / 33
  • 147.
    Intro Network path Bootloader Device model Xen Conclusion Goal Toolsto think about security in Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
  • 148.
    Intro Network path Bootloader Device model Xen Conclusion Goal Toolsto think about security in Xen Know some key security features of Xen Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
  • 149.
    Intro Network path Bootloader Device model Xen Conclusion Goal Toolsto think about security in Xen Know some key security features of Xen Equipped with the knowledge to get them working Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 32 / 33
  • 150.
    Intro Network path Bootloader Device model Xen Conclusion Questions Questions? Moreinfo at http://wiki.xen.org/wiki/Securing Xen Check out our blog: http://blog.xen.org/ Edinburgh – 21-23 October, 2013 Securing your cloud with Xen’s advanced security features 33 / 33