Network Enhancements on BitVisor
2024/03/29 @ BitVisor Summit 12
Chen Chuang Jung
Agenda
- Mbed-TLS LTS support
- Brief intro Mbed-TLS
- Advantages for BitVisor
- Changes to adopt Mbed-TLS on BitVisor
- WireGuard support
- Brief intro WireGuard
- Advantages for BitVisor
- Changes to adopt WireGuard on BitVisor
- WireGuard for Guest OS
- Brief intro WireGuard for GuestOS
- Advantages for BitVisor
- Code change
- DEMO
Copyright© 2024 IGEL Co., Ltd. All Rights Reserved.
Mbed-TLS LTS support
- Brief intro Mbed-TLS
- Open-source and Lightweight
- Enables easy and low-impact integration.
- Designed for Embedded Systems
- Ideal for low-resource settings, less demanding than typical SSL/TLS.
- User-friendly API
- Easily adds security to apps, no deep crypto knowledge needed.
- Support for Latest Crypto Standards
- Keeps data safe, private, and verified during communication.
- Long Term Support (LTS) Version 2.28
Mbed-TLS LTS support
- Advantages for BitVisor
- Able to pick the libraries to compile
- LWIP stack compatible
- Customized items in the header file for the platform to select:
- HAVE_TIME, HAVE_TIME_DATE, MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_C, MBEDTLS_ENTROPY_HARDWARE_ALT, …
- Support for TLS extensions:
- MBEDTLS_SSL_MAX_FRAGMENT_LENGTH, MBEDTLS_SSL_SESSION_TICKETS, MBEDTLS_SSL_SERVER_NAME_INDICATION, MBEDTLS_SSL_RENEGOTIATION, ...
Mbed-TLS LTS support
- Changes to adopt Mbed-TLS on BitVisor
- New defconfig items:
- CA_Certification
- Server_Certification
- Server_key
.tls = {
    .ca_cert =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIDQjCCAiqgAwIBAgIUbdMMHizhHnz+psFMmF6Vs4h7wdMwDQYJKoZIhvcNAQEL\n"
        ...
        "IngZtsfFXq+U8z6sMxaOSJg2/XEHvA==\n"
        "-----END CERTIFICATE-----\n",
    .srv_cert =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIC6TCCAdECFDiiW/aGv3Nm+qFpVKxyECyQeH/OMA0GCSqGSIb3DQEBCwUAMBEx\n"
        ...
        "F7HKk0oI0ZjNOOUjPgWnqgwyYVDP2WyCr5g2cMs=\n"
        "-----END CERTIFICATE-----\n",
    .srv_key =
        "-----BEGIN PRIVATE KEY-----\n"
        "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBA\n"
        ...
        "6JN9j0Vy/3SCNjleJ3rkVBQ+SmNNi8iyTjl94d+51elwsosY0lMouDJixUN3yvzs\n"
        "1PABsGsU4X//Us+1DL7/0J4=\n"
        "-----END PRIVATE KEY-----\n",
},
Mbed-TLS LTS support
- Changes to adopt Mbed-TLS on BitVisor
- Add two versions of the random number generator:
- random_num_hw and random_num_sw implement the rand() function. random_num_hw uses the rdrand instruction.
- Used to generate the NONCE for handshaking.
- EPOCH time
- During boot, the time is retrieved once from UEFI and stored in a static variable. Afterwards, each request for the time is answered by computing it from that static variable using CPU time/ACPI.
- Used to calculate the certificate's validity period.
- Echoctl
- Separate out the common features of Echoctl to allow future expansion to different protocols.
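The hardware random number generator on this slide maps onto the MBEDTLS_ENTROPY_HARDWARE_ALT hook listed among the header items earlier. The following is an added example of that hook backed by rdrand, not BitVisor's random_num_hw; it omits the mbedtls header and reproduces the one error constant it needs, and it treats a missing or persistently failing DRNG as a hard error rather than falling back to a weaker source:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

/* Error code Mbed-TLS expects from a failing entropy source (value from
 * mbedtls/entropy.h, reproduced here so the file builds without the library). */
#ifndef MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED (-0x003C)
#endif

/* CPUID.01H:ECX bit 30 advertises RDRAND. */
static int rdrand_supported(void)
{
#if defined(__x86_64__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (ecx & (1u << 30)) != 0;
#else
    return 0;
#endif
}

/* One 64-bit RDRAND. The instruction can legitimately fail (CF clear) when the
 * DRNG is temporarily exhausted, so retry a bounded number of times. */
static int rdrand64(uint64_t *out)
{
#if defined(__x86_64__)
    for (int attempt = 0; attempt < 10; attempt++) {
        unsigned char ok;
        __asm__ volatile ("rdrand %0\n\tsetc %1" : "=r"(*out), "=q"(ok) : : "cc");
        if (ok)
            return 1;
    }
#else
    (void)out;
#endif
    return 0;
}

/* Entropy callback registered through MBEDTLS_ENTROPY_HARDWARE_ALT.
 * Fails closed: if the hardware source is missing or keeps failing, report
 * MBEDTLS_ERR_ENTROPY_SOURCE_FAILED with olen = 0 instead of handing back
 * weak bytes, so DRBG seeding (and with it the handshake nonce) aborts. */
int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen)
{
    (void)data;
    *olen = 0;
    if (!rdrand_supported())
        return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
    while (*olen < len) {
        uint64_t r;
        size_t n = len - *olen;
        if (!rdrand64(&r)) {
            *olen = 0;
            return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
        }
        if (n > sizeof r)
            n = sizeof r;
        memcpy(output + *olen, &r, n);
        *olen += n;
    }
    return 0;
}
```

Checking the carry flag after every rdrand is the part most often skipped; without it an exhausted DRNG silently yields whatever was in the register.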
Mbed-TLS LTS support
- Changes to adopt Mbed-TLS on BitVisor
- Introduce TLS versions of the echoctl applications
- TLS-ECHO-CLIENT
- TLS-ECHO-SERVER
- Documentation is ready
- Available at /docs/Mbed-TLS.md
- Create The Needed Keys And Certification
- Generate Root Certificate Authority Certificates
- Generate Server Certificates
- BitVisor As The Server
- BitVisor As The Client
Mbed-TLS LTS support
- Call flow between the BitVisor network driver, LWIP, Mbed-TLS and the BitVisor application (diagram; function names recovered from the slide):
- Receive path: nicfunc->net_recv_callback → netif->input → ethernet_input → ip_input → altcp_mbedtls_lower_recv → mbedtls_ssl_read → altcp_mbedtls_pass_rx_data → tls_echo_recv
- Send path: tls_echo_send → altcp_mbedtls_write → mbedtls_ssl_write → altcp_output → etharp_output → ethernet_output → netif->linkoutput → nicfunc->send
- ARP: incoming ARP packets go through etharp_input / etharp_update_arp_entry; on send, a destination found in the ARP table goes straight to ethernet_output, otherwise etharp_query / etharp_request sends an ARP packet and waits for the ARP response.
- Demo (diagram): Host A is a Linux system (eth0:10.16.165.1) running an OpenSSL client over TCP/IP; Host B runs BitVisor (vm0:10.16.2.15) with net_main, LWIP and the Mbed-TLS stack providing TLS-ECHO-SERVER. Plain text is exchanged inside TLS; only TLS-encrypted packets cross the network.
WireGuard support
- Brief intro WireGuard
- A modern VPN protocol: simple and secure.
- Efficient Performance: Beats traditional VPNs with less overhead.
- State-of-the-Art Security: Uses the latest cryptographic techniques for enhanced privacy.
- Ease of Use: Simple to set up and manage. There are existing websites that help generate a key pair.
- Cross-Platform: Works seamlessly across various devices and operating systems.
WireGuard support
- Advantages for BitVisor
- There is a ready-to-use lwIP compatible package available on GitHub.
- The total size of the source code files is only 270k bytes.
- Low Latency and lightweight
- Consumes minimal system resources.
- After BitVisor is ready, WireGuard starts working immediately.
- A Tunnel Between BitVisor and the WireGuard Server
- Allowing selective routing of packets through or not through this tunnel as needed.
WireGuard support
- Changes to adopt WireGuard on BitVisor
- LWIP compatible package wireguard-lwip
- EPOCH time
- To prevent replay attacks during the initial handshake, a TAI64N timestamp is included in the first message.
- New defconfig items:
- WG Network parameters
- IP address, netmask, gateway
- allowed ip/netmask
- listening port
- Private key
- Wireguard peer parameters
- IP address (external)
- Public key
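Added example (not BitVisor's or wireguard-lwip's code) covering two items from these slides: the epoch clock derived from a boot-time base captured from UEFI (the EPOCH-time change in the Mbed-TLS section) and the TAI64N timestamp WireGuard places in the handshake initiation, with the responder-side freshness check that makes it a replay defence. struct epoch_clock, epoch_now and handshake_replay are names assumed here; the TAI64N layout is WireGuard's.

```c
#include <stdint.h>
#include <string.h>

/* Boot-time epoch base, filled once from UEFI at boot; later readings are
 * derived from it using an elapsed tick counter (CPU time / ACPI timer). */
struct epoch_clock {
    uint64_t boot_unix_sec;   /* wall-clock seconds at boot, from UEFI */
    uint64_t boot_ticks;      /* tick counter captured at the same moment */
    uint64_t ticks_per_sec;   /* tick frequency */
};

/* Current wall-clock time = boot base + elapsed ticks converted to s / ns. */
void epoch_now(const struct epoch_clock *c, uint64_t now_ticks,
               uint64_t *sec, uint32_t *nsec)
{
    uint64_t elapsed = now_ticks - c->boot_ticks;
    *sec  = c->boot_unix_sec + elapsed / c->ticks_per_sec;
    *nsec = (uint32_t)((elapsed % c->ticks_per_sec) * 1000000000ULL / c->ticks_per_sec);
}

/* TAI64N as carried in the WireGuard handshake initiation: 8 bytes big-endian
 * seconds since the TAI epoch (Unix seconds + 2^62 + 10 leap seconds),
 * followed by 4 bytes big-endian nanoseconds. */
#define TAI64N_LEN  12
#define TAI64N_BASE 0x400000000000000aULL

void tai64n_encode(uint64_t unix_sec, uint32_t nsec, uint8_t out[TAI64N_LEN])
{
    uint64_t tai = TAI64N_BASE + unix_sec;
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(tai >> (56 - 8 * i));
    for (int i = 0; i < 4; i++)
        out[8 + i] = (uint8_t)(nsec >> (24 - 8 * i));
}

/* Per-peer replay state kept by the responder: the newest timestamp accepted. */
struct handshake_replay {
    uint8_t last_ts[TAI64N_LEN];
    int     have_last;
};

/* Accept a handshake initiation only if its timestamp is strictly newer than
 * the last one accepted from this peer; a replayed or reordered initiation is
 * rejected. The big-endian layout lets memcmp order timestamps directly. */
int handshake_timestamp_fresh(struct handshake_replay *r, const uint8_t ts[TAI64N_LEN])
{
    if (r->have_last && memcmp(ts, r->last_ts, TAI64N_LEN) <= 0)
        return 0;
    memcpy(r->last_ts, ts, TAI64N_LEN);
    r->have_last = 1;
    return 1;
}
```

The check only works if BitVisor's epoch clock moves forward across reboots: a UEFI clock that is behind the value the peer last accepted makes every new initiation look like a replay until the clock catches up.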
WireGuard support
- Changes to adopt WireGuard on BitVisor
- Use case for BitVisor
- ECHO-CLIENT
- ECHO-SERVER
- Documentation is ready
- Available at /docs/wireguard.md
- Setup WireGuard on the Linux server
- Setup WireGuard on BitVisor
- Start handshaking
- Send messages with the telnet application
WireGuard support
- Call flow between the BitVisor network driver, LWIP, the WireGuard stack and the BitVisor application (diagram; function names recovered from the slide):
- Receive path: nicfunc->net_recv_callback → netif->input → ethernet_input → ip_input → udp_input → wireguardif_network_rx → wireguard_decrypt_packet; the decrypted packet is matched to the WireGuard netif ("find the netif") and re-enters ip_input → tcp_input → echo_client_recv.
- Send path: echo_client_send → tcp_output → ip_output → wireguardif_peer_output → wireguard_encrypt_packet → udp_sendto → ethernet_output → netif->linkoutput → nicfunc->send.
- ARP: etharp_input / etharp_update_arp_entry on receive; on send, a destination found in the ARP table goes straight to ethernet_output, otherwise etharp_query / etharp_request sends an ARP packet and waits for the ARP response.
- Demo (diagram): Host A is a WireGuard-supported OS (eth0:10.16.165.1, wg0:192.168.3.1) running a TCP/IP server; Host B runs BitVisor (vm0:10.16.2.15, wg1:192.168.3.2) with net_main, LWIP and the WireGuard stack acting as TCP/IP client. A WireGuard tunnel links wg0 and wg1; plain text inside the tunnel, encrypted packets on the wire.
WireGuard for GuestOS
- Brief intro WireGuard for GuestOS
- Unlike the previous network setting where 'ip=pass', we now route all IN/OUT IP packets of the Guest OS through the WireGuard tunnel.
- BitVisor replies with customized ARP and DHCP packets to the Guest OS, so that the remote WireGuard server is treated as the gateway.
- There's no need for configuration efforts on the Guest OS; in other words, a basic OS installation is sufficient.
WireGuard for GuestOS
- Brief intro WireGuard for GuestOS (diagram): Host A is a WireGuard-supported OS (eth0:10.16.165.1, wg0:192.168.3.1). Host B runs BitVisor (vm0:10.16.2.15, wg1:192.168.3.2) with the network driver, the WireGuard stack, net_main and net_main_wg + LWIP; the Guest OS sees eth0:192.168.3.3. A WireGuard tunnel links wg0 and wg1; plain text inside the tunnel, encrypted packets on the wire.
- DHCP & ARP agent (net_main_wg):
- Replies to the ARP request for the gateway.
- Replies to the DHCP request so that the Guest OS believes Host B is the default gateway.
WireGuard for GuestOS
- Advantages for BitVisor
- Security
- Any data sent out by the Guest OS is encrypted, which helps protect against snooping. This setup also blocks VPN setting changes without the right permission.
- Isolation
- The Guest OS receives a private IP, which keeps it separate from other networks.
- Ease of Management:
- It's easier to handle and watch over network traffic at the VMM level and to enforce security rules.
WireGuard for GuestOS
- Code change:
- Input/Output:
- Leverage the existing LWIP hook function.
- Inject packets into the WireGuard lwIP netif instance.
- DHCP/ARP agent in wg_net_main.c
- New defconfig items:
- WG Network parameters
- Guest OS ip address, dns, mac_gateway
- Documentation is ready:
- Available at /docs/wireguard_guest_os.md
- Setup WireGuard on the Linux server
- Setup WireGuard on BitVisor
- Observe handshaking in the log
- Observe the network traffic of the Guest OS
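Added example (not the wg_net_main.c code) of the routing split the slide describes for frames leaving the Guest OS: ARP requests for the gateway and DHCP client messages are answered locally, everything else is injected into the WireGuard netif. The names gos_classify, gos_build_arp_reply and struct gos_cfg and the MAC addresses are assumptions; the IP addresses follow the demo topology (guest 192.168.3.3, gateway 192.168.3.1).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decision for a frame the Guest OS hands to net_ip_virt_recv, modelled on the
 * reply_arp / reply_dhcp / send_to_wg split on the slide. */
enum gos_route { GOS_DROP, GOS_REPLY_ARP, GOS_REPLY_DHCP, GOS_TO_WG };

struct gos_cfg {
    uint8_t gw_ip[4];   /* gateway address the guest was given (Host A's wg0) */
    uint8_t gw_mac[6];  /* MAC BitVisor answers with for that address */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

enum gos_route gos_classify(const struct gos_cfg *c, const uint8_t *f, size_t len)
{
    if (len < 14)
        return GOS_DROP;
    uint16_t ethertype = rd16(f + 12);
    if (ethertype == 0x0806) {                      /* ARP */
        if (len < 42 || rd16(f + 20) != 1)          /* opcode 1 = request */
            return GOS_DROP;
        /* Only the gateway address is answered; other ARP is not forwarded. */
        return memcmp(f + 38, c->gw_ip, 4) == 0 ? GOS_REPLY_ARP : GOS_DROP;
    }
    if (ethertype != 0x0800 || len < 34)            /* IPv4 only */
        return GOS_DROP;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len)
        return GOS_DROP;
    if (ip[9] == 17 && 14 + ihl + 8 <= len) {        /* UDP: DHCP client -> server */
        const uint8_t *udp = ip + ihl;
        if (rd16(udp) == 68 && rd16(udp + 2) == 67)
            return GOS_REPLY_DHCP;
    }
    return GOS_TO_WG;                                /* everything else enters the tunnel */
}

/* Build the ARP reply that makes the guest resolve gw_ip to gw_mac.
 * Returns bytes written, or 0 if the request is not one we answer. */
size_t gos_build_arp_reply(const struct gos_cfg *c, const uint8_t *req, size_t len,
                           uint8_t *out, size_t outlen)
{
    if (gos_classify(c, req, len) != GOS_REPLY_ARP || outlen < 42)
        return 0;
    memcpy(out, req + 6, 6);          /* dst MAC = requester */
    memcpy(out + 6, c->gw_mac, 6);    /* src MAC = gateway MAC */
    memcpy(out + 12, req + 12, 8);    /* ethertype, htype, ptype, hlen, plen */
    out[20] = 0; out[21] = 2;         /* opcode 2 = reply */
    memcpy(out + 22, c->gw_mac, 6);   /* sender hw addr */
    memcpy(out + 28, c->gw_ip, 4);    /* sender proto addr */
    memcpy(out + 32, req + 22, 10);   /* target hw + proto addr = requester's */
    return 42;
}

/* Constructed sample: ARP request from the guest (192.168.3.3) for target_ip. */
size_t gos_sample_arp_request(uint8_t out[42], const uint8_t target_ip[4])
{
    static const uint8_t guest_mac[6] = {0x52, 0x54, 0x00, 0x12, 0x34, 0x56}; /* constructed */
    static const uint8_t guest_ip[4]  = {192, 168, 3, 3};
    static const uint8_t hdr[10] = {0x08, 0x06, 0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01};
    memset(out, 0xff, 6);             /* broadcast */
    memcpy(out + 6, guest_mac, 6);
    memcpy(out + 12, hdr, 10);        /* ethertype ARP, Ethernet/IPv4, opcode request */
    memcpy(out + 22, guest_mac, 6);
    memcpy(out + 28, guest_ip, 4);
    memset(out + 32, 0, 6);
    memcpy(out + 38, target_ip, 4);
    return 42;
}
```

Answering only the gateway address keeps the agent from becoming a general ARP responder on the guest's link; the DHCP reply itself (reply_dhcp) is not shown.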
WireGuard for GuestOS
- Call flow between the BitVisor network driver, LWIP, the WireGuard stack and net_main_wg (diagram; function names recovered from the slide):
- Host A → Guest OS: nicfunc->net_recv_callback → netif->input → ethernet_input → ip_input → udp_input → wireguardif_network_rx → wireguard_decrypt_packet → ip_input → wg_ip4_input_hook → net_main_send_virt (delivered to the Guest OS).
- Guest OS → Host A: net_ip_virt_recv → wg_gos_routing, which answers ARP and DHCP locally (reply_arp, reply_dhcp) and injects everything else into the WireGuard netif (send_to_wg) → wireguardif_peer_output → wireguard_encrypt_packet → udp_sendto → ethernet_output → netif->linkoutput → nicfunc->send.
- ARP: etharp_input / etharp_update_arp_entry on receive; on send, a destination found in the ARP table goes straight to ethernet_output, otherwise etharp_query / etharp_request sends an ARP packet and waits for the ARP response.
DEMO
- Mbed-TLS
- BitVisor as an echo server interacting with openssl
- WireGuard
- BitVisor as an echo client
- WireGuard Guest OS
- All input/output packets go through the tunnel