Xen is a mature enterprise-grade virtual machine with many advanced security features which are unique to Xen. For this reason it's the hypervisor of choice for the NSA, the DoD, and the new QubesOS Secure Desktop project. While much of the security of Xen is inherent in its design, many of the advanced security features, such as stub domains, driver domains, XSM, and so on are not enabled by default. This session will describe all of the advanced security features of Xen, and the best way to configure them for the Cloud environment. When the audience leaves, they should have a general framework to evaluate the security of their system, know the key security features of Xen, and have a basic framework of knowledge to help them make sense of the documentation. This talk will *not* go into mind-numbing detail about specific commands to type or configuration options.
7. Intro
Network path
Bootloader
Device model
Xen
Conclusion
Goal
Tools to think about security in Xen
Know some key security features of Xen
Equipped with the knowledge to get them working
Edinburgh – 21-23 October, 2013
Securing your cloud with Xen’s advanced security features
4 / 33
Outline
Overview of the Xen architecture
Brief introduction to principles of security analysis
Consider some attack surfaces
Xen features we can use to make them more secure
Driver domains
pvgrub
stub domains
PV vs HVM
FLASK example policy
Xen Architecture
[Diagram: dom 0 holds the toolstack, the device model (qemu), the hardware drivers and the netback/blkback backends; a Paravirtualized (PV) Domain attaches through netfront/blkfront; a Fully Virtualized (HVM) Domain sits alongside; all run on the Xen Hypervisor above the Hardware (CPU, Memory, I/O Devices)]
Security Overview
Security considerations
How much code is accessible?
What is the interface like?
Defense-in-depth
Example System
Hardware setup
Two networks: control network, guest network
IOMMU with interrupt remapping (AMD or Intel VT-d v2)
Default configuration
Network drivers in dom0
PV guests with pygrub
HVM guests with qemu running in domain 0
Attack surface: Network path
[Diagram: dom 0 holds the toolstack, the NIC driver, the bridge, iptables and netback; a guest Domain and a Rogue Domain each attach to netback through netfront; the Control NIC and Guest NIC are in Hardware, below the Xen Hypervisor]
How to break in?
Bugs in hardware driver
Bugs in bridging / filtering
Bugs in netback via the ring protocol
What does it buy you?
Control of domain 0 kernel
Pretty much control of the whole system
Security feature: Driver Domains
[Diagram: dom 0 keeps only the toolstack and the NIC driver for the Control NIC; a separate Driver Domain holds the NIC driver for the Guest NIC, the bridge, iptables and netback; a guest Domain and a Rogue Domain attach to the Driver Domain through netfront; Control NIC and Guest NIC are in Hardware, below the Xen Hypervisor]
What is it?
Unprivileged VM which drives hardware, provides access to guests
Now an exploit buys you:
Control of a PV VM (PV hypercall interface)
Guest network traffic
Control of NIC
Opportunity to attack netfront of other guests
HowTo: Driver Domains
Create a VM with appropriate drivers
Any distro supporting dom0 should do
Install the xen-related hotplug scripts
Just installing the xen tools in the VM is usually good enough
Give the VM access to the physical NIC with PCI pass-through
Configure the network topology in the driver domain
Just like you would for dom0
Configure the guest vif to use the new domain ID
Add backend=domnet to vif declaration
vif = [ 'type=pv, bridge=xenbr0, backend=domnet' ]
http://wiki.xen.org/wiki/Driver_Domain
Attack surface: Pygrub
[Diagram: dom 0 holds the toolstack, the domain builder and pygrub; pygrub reads the guest disk of the Paravirtualized (PV) Domain and hands the resulting kernel to the domain builder; all on the Xen Hypervisor]
What is it?
grub implementation for PV guests
Python program running in domain 0
Reads guest FS, parses grub.conf, presents menu
Passes resulting kernel image to domain builder
How to break in?
Bugs in file system parser
Bugs in menu parser
Bugs in kernel / initrd image parsers
What does it buy you?
Control of domain 0 user space
Pretty much control of the whole system
Security practice: Fixed kernels
[Diagram: dom 0 holds the kernel image, the toolstack and the domain builder; the kernel image, not the guest disk, feeds the domain builder for the Paravirtualized (PV) Domain; all on the Xen Hypervisor]
What is it?
Passing a known-good kernel from domain 0
Removes attacker avenue to domain builder
Disadvantages
Host admin must keep up with kernel updates
Guest admin can’t pass kernel parameters, custom kernels,
Security feature: pvgrub
[Diagram: dom 0 holds the toolstack and the domain builder; pvgrub runs on MiniOS in its own guest context and reads the guest disk itself; all on the Xen Hypervisor]
What is it?
MiniOS + pv port of grub running in a guest context
PV equivalent of HVM “BIOS + grub”
Now an exploit buys you:
Control of your own VM
HowTo: pvgrub
Make sure that you have the pvgrub image
pvgrub-$ARCH.gz
Normally lives in /usr/lib/xen/boot
Included in Fedora Xen packages
Debian-based: need to build yourself
Use appropriate pvgrub as kernel in guest config
kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz"
http://wiki.xen.org/wiki/Pvgrub
Attack surface: Device model (qemu)
[Diagram: dom 0 holds the device model (qemu), the toolstack and the hardware drivers; qemu serves the Fully Virtualized (HVM) Domain; all on the Xen Hypervisor]
How to break in?
Bugs in NIC emulator parsing packets
Bugs in emulation of virtual devices
What does it buy you?
Domain 0 privileged userspace
Pretty much control of the whole system
Not hypothetical
Three exploitable bugs found in qemu last 2 years
Security feature: qemu stub domains
[Diagram: dom 0 keeps the toolstack and the hardware drivers; the device model runs on minios inside a separate Stub Domain that serves the Fully Virtualized (HVM) Domain; all on the Xen Hypervisor]
What is it?
Stub domain: a small “service” domain running just one application
qemu stub domain: run each qemu in its own domain
Now an exploit buys you:
Control of the stubdom VM
Access to PV interfaces
HowTo: qemu stub domains
Make sure that you have the stubdom image:
ioemu-$ARCH.gz
Normally lives in /usr/lib/xen/boot
Included in Fedora Xen packages
Debian-based: need to build yourself
Specify stub domains in your guest config
device_model_stubdomain_override = 1
http://wiki.xen.org/wiki/Device_Model_Stub_Domains
Security feature: FLASK example policy
What is FLASK?
Xen Security Module (XSM): Xen equivalent of LSM
FLASK: Framework for XSM developed by NSA
Xen equivalent of SELinux
Uses same concepts, tools as SELinux
Allows a policy to restrict hypercalls
28 / 33
Security feature: FLASK example policy
What can FLASK do?
Basic: Restricts hypercalls to those needed by a particular guest
Advanced: Allows more fine-grained granting of privileges
FLASK example policy
This contains example roles for dom0, domU, stub domains, driver domains, etc.
29 / 33
HowTo: Use the example FLASK policy
Build Xen with XSM enabled
Build the example policy
Add the appropriate label to guest config files
seclabel=[foo]
stubdom_label=[foo]
http://wiki.xen.org/wiki/Xen_Security_Modules_:_XSM-FLASK
WARNING: In 4.3, the example policy is not extensively tested. Use with care!
30 / 33
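As an added example (not code from the slides or the Xen project), a small POSIX sh pre-flight check that ties the stub-domain and FLASK HowTos together: it reads an xl guest config offline, checks that the stub-domain override is set, that ioemu-$ARCH.gz is present in the boot directory, and that a FLASK-labelled guest also labels its stub domain. The option names are the ones on the slides with their underscores restored; cfg_get, check_stubdom_config, the sample config and the label values are constructed here, and nothing calls xl.

```shell
#!/bin/sh
# Added example, not from the slides or the Xen project: an offline pre-flight
# check of an xl guest config that enables a qemu stub domain. Option names are
# those on the slides (underscores restored); label values are placeholders.

# Read one "key = value" option from an xl config (quotes, spaces and trailing
# comments stripped); prints nothing when the key is absent.
cfg_get() {  # $1=config file  $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*['\"]*\([^'\"#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Returns 0 when the config can actually run with a stub domain, 1 otherwise.
# $1=config file  $2=directory holding ioemu-$ARCH.gz  $3=arch (e.g. x86_64)
check_stubdom_config() {
    cfg=$1; bootdir=$2; arch=$3; rc=0
    if [ "$(cfg_get "$cfg" device_model_stubdomain_override)" != "1" ]; then
        echo "NOTE: device model runs in dom0; a qemu exploit lands in dom0"
        return 1
    fi
    # The stub domain boots from the minios-based ioemu image.
    if [ ! -f "$bootdir/ioemu-$arch.gz" ]; then
        echo "FAIL: $bootdir/ioemu-$arch.gz missing (build it on Debian-based systems)"
        rc=1
    fi
    # The slides label both the guest and its stub domain; flag a half-done job.
    if [ -n "$(cfg_get "$cfg" seclabel)" ] && [ -z "$(cfg_get "$cfg" stubdom_label)" ]; then
        echo "WARN: seclabel set but stubdom_label missing"
        rc=1
    fi
    return $rc
}

# Constructed sample config and stubdom image, for a stand-alone demo run.
demo_stubdom_check() {
    tmp=$(mktemp -d)
    cat > "$tmp/guest.cfg" <<'EOF'
builder = "hvm"
memory = 1024
device_model_stubdomain_override = 1
seclabel = 'PLACEHOLDER_guest_label'
stubdom_label = 'PLACEHOLDER_stubdom_label'
EOF
    mkdir -p "$tmp/boot" && : > "$tmp/boot/ioemu-x86_64.gz"
    check_stubdom_config "$tmp/guest.cfg" "$tmp/boot" x86_64; rc=$?
    rm -rf "$tmp"
    return $rc
}
demo_stubdom_check && echo "stub domain config OK"
```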
Outline
Overview of the Xen architecture
Brief introduction to principles of security analysis
Consider some attack surfaces
Xen features we can use to make them more secure
Driver domains
pvgrub
stub domains
PV vs HVM
FLASK example policy
31 / 33
Goal
Tools to think about security in Xen
Know some key security features of Xen
Equipped with the knowledge to get them working
32 / 33