sVirt: Hardening Linux Virtualization with Mandatory Access Control

•

5 likes•1,990 views

sVirt talk given at Linux.conf.au, Hobart, 2009. Video of the talk: http://video.google.com.au/videoplay?docid=5750618585157629496

sVirt: Hardening Linux
Virtualization with Mandatory
Access Control

James Morris
Red Hat Security Engineering

Linux.conf.au 2009
Hobart, Australia

Goal:

Improve security for Linux
virtualization

Linux Virtualization:

Where the “hypervisor” is a normal
Linux process

Host Userspace

Guest Guest Guest
Userspace Userspace Userspace

Guest Guest Guest
Kernel Kernel Kernel

Host Kernel

Host Hardware

Utilize existing process-based
security mechanisms

DAC is not enough:

Subjects can modify own security
policy

Mandatory Access Control
(MAC):

Subjects cannot bypass security
policy

Virtualization Threat Model

(work in progress)

Virtualization introduces new
security risks

Flawed hypervisor:

Malicious guest breaks out, attacks
other guests or host

Before virtualization:

Systems were physically separated,
damage limited to network attacks

Host Userspace Host Userspace

Web Server DNS Server

Host Kernel Host Kernel

Host Hardware Host Hardware

Attack

Local Network

After virtualization:

Guest systems running on same
server, possibly as same UID

Host Userspace

Guest Userspace Guest Userspace

Guest
Web Server Guest
DNS Server
Userspace Userspace

Guest
Guest local Guest
Guest
Kernel
Kernel exploits Kernel
Kernel

Host Kernel

Host Hardware memory,
storage, etc.

Malicious or compromised guests
can now attack other guests via
local mechanisms

Hypervisor vulnerabilities:

Not theoretical

Evolving field

Potentially huge payoffs

sVirt in a nutshell:

Isolate guests using MAC security
policy

Contain hypervisor breaches

libvirt:

Virtualization API by Daniel Veillard

Abstraction layer for managing
different virt schemes

Xen, KVM, LXC, OpenVZ

Simplified libvirt architecture

drivers host
node
hypervisors storage hypervisor

Xen iSCSI
KVM NFS guest

OpenVZ logical guest
LXC fs
guest
UML disk

API

storage
virsh virt-manager

sVirt design:

Pluggable security framework for
libvirt

Supports MAC security schemes
(SELinux, SMACK)

sVirt design:

Security “driver” manages MAC
labeling of guests and resources

MAC policy enforced by host kernel

Simplified libvirt architecture w/ SVirt

drivers host
node
hypervisors storage security hypervisor

Xen iSCSI SELinux *
KVM NFS etc. guest

OpenVZ logical guest
LXC fs
guest
UML disk

*

API
* security labels

* *

storage
virsh virt-manager

sVirt design:

Reuse of proven code and security
models

Coherent and complete system
policy

Reduced complexity and cost

sVirt design:

Must be usable and useful with
demonstrable value

sVirt v1.0:

Provide simple isolation of guests

Zero configuration

Debuggable

SELinux Policy:

Guests and resources uniquely
labeled

virtd_isolated_t:<UUID>

SELinux Policy:

Coarse rules for all isolated guests
applied to virtd_isolated_t

SELinux Policy:

For simple isolation: all accesses
between different UUIDs are denied

Host Userspace

virtd_isolated_t:1 virtd_isolated_t:2

Guest
Web Server Guest
DNS Server
Userspace Userspace

Guest
Guest Guest
Guest
Kernel
Kernel Kernel
Kernel

Host Kernel

SELinux

Host Hardware

virt_image_t:1 virt_image_t:2

Future enhancements:

Different types of isolated guests

virtd_isolated_webserver_t

Future enhancements:

Virtual network security

Controlled flow between guests

Distributed guest security

Multilevel security

Related work:

Labeled NFS

Labeled Networking

XACE

Similar work:

XSM (port of Flask to Xen)

Several proprietary schemes

Current status:

Low-level libvirt integration done

Can launch labeled guest

Basic label support in virsh

sVirt project page:

http://selinuxproject.org/page/SVirt

EmbeddedXEN is a particularly efficient virtualization framework tailored to ARM-based core embedded systems. While security and OS isolation are key features of conventional virtualizuation frameworks, the main concerns for EmbeddedXEN are device heterogeneity and realtime aspects, which are particularly important in the embedded world. EmbeddedXEN mainly relies on the original XEN architecture but with major differences in the way guest OS are handled: the hypervisor has been simplified, and only two guest OS (dom0 and domU) can run simultaneously; while dom0 is used to manage the native OS with drivers (original and backend splitted drivers), a paravirtualized OS (domU) can be cross-compiled on a different ARM device, and user applications can run seamlessly on the (virtualized) host device. Another important difference is that no user space tools are required to manage the VMs; the framework produces a compact single binary image containing both dom0 and domU guests, which can be easily deployed. The Xenbus architecture has been adapted to that context. EmbeddedXEN therefore allows the porting of an OS and its applications from an ARM embedded device to last generation ARM hardware, such as HTC Smartphone for example.

Xen and Client Virtualization: the case of XenClient XT

The Linux Foundation

This talk will discuss the challenges of client virtualization and introduce at a technical level XenClient XT, a security-oriented client virtualization product by Citrix. By describing XenClient XT architecture and features, it will be shown how the unique Xen's design and its support for modern x86 platform hardware can increase security and isolation among VMs. Disaggregation of services provided by the platform will be a key of this talk. It will also be shown how third party software components can provide services to VMs in a secure and controlled way.

µ-Xen

Lars Kurth

This talk with discuss the design and implementation of a new type of hypervisor derived from the Xen code base. µ-Xen has been built and optimized for modern CPUs and chipsets, and thus assumes the presence of CPU and IO MMUs that are virtualization capable. µ-Xen borrows extensively from the production-proven and tuned Xen code base, but removal of support for older hardware and PV-MMU guests has enabled significant simplification of the code. µ-Xen supports optimizations in support of running large numbers of very similar virtual machines, through the support of a native 'vmfork' optimization and efficient re-merging of shareable pages. The primary goal of µ-Xen has been to run as a late-load hypervisor on an existing OS. It has a narrow and well-defined interface to the services it expects from the underlying OS, which makes it easy to port to other OSes, or to enable it to run on bare metal. During initialisation, µ-Xen can de-privilege the running host OS into a VM container, enabling it to establish itself as the most privileged software component in the system. Thus, µ-Xen enforces the privacy and integrity of itself and VMs that it is running, against a faulty or malicious host OS, while co-operating with the host OS on the actual allocation of physical resources.

The kvm virtualization way

Francisco Gonçalves

Building a Distributed Block Storage System on XenThe Linux Foundation

Kvm

Bert Desmet

Virtualization with KVM (Kernel-based Virtual Machine)

Novell

As a technical preview, SUSE Linux Enterprise Server 11 contains KVM, which is the next-generation virtualization software delivered with the Linux kernel. In this technical session we will demonstrate how to set up SUSE Linux Enterprise Server 11 for KVM, install some virtual machines and deal with different storage and networking setups. To demonstrate live migration we will also show a distributed replicated block device (DRBD) setup and a setup based on iSCSI and OCFS2, which are included in SUSE Linux Enterprise Server 11 and SUSE Linux Enterprise 11 High Availability Extension.

Lightweight Virtualization in Linux

Sadegh Dorri N.

امروزه مجازی‌سازی یکی از روش‌های پرطرفدار برای پیاده‌سازی کارگزاران وب است. این فناوری موجب کاهش هزینه‌های تجارت‌های کوچک می‌شود. مجازی‌سازی یکی از جنبه‌های مهم ارائه خدمات ابری است که حتی برای تجارت‌های بزرگ نیز از جذابیت زیادی برخوردار است. در این سخنرانی به امکاناتی همچون Control Groups و Containers که در نسخه‌های جدیدتر هسته سیستم عامل لینوکس پیاده‌سازی شده است می‌پردازیم. هرچند این امکانات مجازی‌سازی کامل را به ارمغان نمی‌آورند، اما بسیاری از مزایای آن را با سربار بسیار کم در سطح هسته فراهم می‌کنند. راه حل‌هایی همچون LXC و Docker بر اساس این امکانات توانسته‌اند به نتایج خوبی برسند که هم از لحاظ تجاری در خور توجه هستند و هم تبعات و کاربردهای امنیتی دارند.

Virtual machines are generally considered secure. At least, secure enough to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations. We will show techniques to harden Linux Containers; including kernel capabilities, mandatory access control, hardened kernels, user namespaces, and more, and discuss the remaining attack surface.

LXC, Docker, security: is it safe to run applications in Linux Containers?

Jérôme Petazzoni

Scale 12x Securing Your Cloud with The Xen Hypervisor

The Linux Foundation

Introduction to linux containers

Google

Lxc – next gen virtualization for cloud intro (cloudexpo)

Boden Russell

S4 xen hypervisor_20080622Todd Deshane

LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISOR

Vanika Kapoor

Linux Container Technology 101

inside-BigData.com

Christian Kniep from Docker Inc. gave this talk at the Stanford HPC Conference. "This talk will recap the history of and what constitutes Linux Containers, before laying out how the technology is employed by various engines and what problems these engines have to solve. Afterward, Christian will elaborate on why the advent of standards for images and runtimes moved the discussion from building and distributing containers to orchestrating containerized applications at scale. In conclusion, attendees will get an update on what problems still hinder the adoption of containers for distributed high performance workloads and how Docker is addressing these issues." Christian Kniep is a Technical Account Manager at Docker, Inc. With a 10 year journey rooted in the HPC parts of the german automotive industry, Christian Kniep started to support CAE applications and VR installations. When told at a conference that HPC can not learn anything from the emerging Cloud and BigData companies, he became curious and was leading the containerization effort of the cloud-stack at Playstation Now. Christian joined Docker Inc in 2017 to help push the adoption forward and be part of the innovation instead of an external bystander. During the day he helps Docker customers in the EMEA region to fully utilize the power of containers; at night he likes to explore new emerging trends by containerizing them first and seek application in the nebulous world of DevOps. Watch the video: https://wp.me/p3RLHQ-i4X Learn more: http://docker.com and http://hpcadvisorycouncil.com Sign up for our insideHPC Newsletter: http://insidehpc.com

LCA13: Xen on ARM

Linaro

Container security

Anthony Chow

XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems

The Linux Foundation

The OpenXT Project is an Open Source community producing a Xen-based platform for client devices with a focus on providing strong security properties. The different primary use cases of this project versus server-based Xen systems have motivated notable technical differences and consequently OpenXT should be of interest to anyone seeking to understand the full set of capabilities on offer within the Xen ecosystem. In this presentation, Christopher Clark will describe the technical architecture of OpenXT, its current status and development activity within the project and its engagement with the upstream OpenEmbedded and Xen projects. This will include an overview of OpenXT's differentiating features such as Measured Launch, Virtual TPMs, Linux-based stubdoms, a specialized input layer and a distinct PV USB stack for Windows and Linux.

XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...

The Linux Foundation

The Xen Hypervisor is 15 years old, but like Linux, it is still undergoing significant upgrades and improvements. This talk will cover recent and upcoming developments in Xen on the x86 architecture, including the newly-released 'PVH' guest virtualization mode, the future of PV mode, qemu deprivileging, and more. We will cover why these new features are important for a wide range of environments, from cloud to embedded.

Docker, Linux Containers, and Security: Does It Add Up?

Jérôme Petazzoni

Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations. In this presentation, we will: - Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code - Discuss how to mitigate those risks - Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC

Linux Container Brief for IEEE WG P2302

Boden Russell

A brief into to Linux Containers presented to IEEE working group P2302 (InterCloud standards and portability). This deck covers: - Definitions and motivations for containers - Container technology stack - Containers vs Hypervisor VMs - Cgroups - Namespaces - Pivot root vs chroot - Linux Container image basics - Linux Container security topics - Overview of Linux Container tooling functionality - Thoughts on container portability and runtime configuration - Container tooling in the industry - Container gaps - Sample use cases for traditional VMs Overall, a bulk of this deck is covered in other material I have posted here. However there are a few new slides in this deck, most notability some thoughts on container portability and runtime config.

XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix

The Linux Foundation

As the first ARM servers and microservers hit the market, Xen on ARM is becoming more mature, stable and reaching feature parity with x86. This talk will present the current status of the project, will describe the latest improvements, the gaps that still need to be filled and the roadmap going forward. ARMv8 silicon is now available for purchase: we can measure how well Xen on ARM 64-bit is performing on real hardware and compare the performance figures with other hypervisors. The presentation will show these results, it will measure the overhead introduced by Xen on ARM and will compare it with the overhead introduced by Xen and KVM on x86. The talk will explain the reasons behind performance shortfalls and present ideas on how to address them in the future. The performance results will be used to determine when it makes sense to use Xen on ARM and what are the best use cases for it.

BACD July 2012 : The Xen Cloud Platform

The Linux Foundation

Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy

Boden Russell

Evoluation of Linux Container Virtualization

Imesh Gunaratne

Container security

Anthony Chow

Windsor: Domain 0 Disaggregation for XenServer and XCP

The Linux Foundation

In a traditional Xen configuration domain 0 is used for a large number of different functions including running the toolstack(s), backends for network and disk I/O, running the QEMU device model instances, driving the physical devices in the system, handling guest console/framebuffer I/O and miscellaneous monitoring and management functions. Having all these functions in one domain produces a complex environment which is susceptible to shared fate on the failure of any one function, has complex interactions between functions (including resource contention) which makes it difficult to predict performance, and has limited flexibility (such as requiring the same kernel for all device drivers). ""Domain 0 disaggregation"" has been discussed for some time as a way to break out domain 0's functions into separate domains. Doing this enables each domain to be tailored to its function such as using a different kernel or operating system to drive different physical devices. Splitting functions into separate domains removes some of the unintentional interactions such as in-domain resource contention and reduces the system impact of the failure of a single function such as a device driver crash. Although domain 0 disaggregation is not new it is seldom used in practise and much of its use is focussed on providing enhanced security. Citrix XenServer will be moving towards a disaggregated domain 0 in order to provide better security, scalability, performance, reliability, supportability and flexibility. This talk will describe XenServer's “Windsor” architecture and explain how it will provide the above benefits to customers and users. We will present an overview of the architecture and some early experimental measurements showing the benefits.

Xen and Apache cloudstack

The Linux Foundation

CloudStack, the world's leading open-source cloud infrastructure platform, was recently donated to the Apache Foundation, and is now an incubated Apache project. Ewan Mellor, Director of Engineering in the Citrix Cloud Platforms Group will describe the CloudStack project and explain why Xen is the pre-eminent hypervisor in public clouds today. He will describe the changes coming in CloudStack in the next 12 months, and how they are going to change the way that Xen is consumed in public and private clouds next year.

What's hot

Virtunoid: Breaking out of KVM

Nelson Elhage

Docker, Linux Containers (LXC), and security

Jérôme Petazzoni

LXC, Docker, security: is it safe to run applications in Linux Containers?

Jérôme Petazzoni

Scale 12x Securing Your Cloud with The Xen Hypervisor

The Linux Foundation

Introduction to linux containers

Google

Lxc – next gen virtualization for cloud intro (cloudexpo)

Boden Russell

S4 xen hypervisor_20080622Todd Deshane

LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISOR

Vanika Kapoor

Linux Container Technology 101

inside-BigData.com

LCA13: Xen on ARM

Linaro

Container security

Anthony Chow

XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems

The Linux Foundation

XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...

The Linux Foundation

Docker, Linux Containers, and Security: Does It Add Up?

Jérôme Petazzoni

Linux Container Brief for IEEE WG P2302

Boden Russell

XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix

The Linux Foundation

BACD July 2012 : The Xen Cloud Platform

The Linux Foundation

Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy

Boden Russell

Evoluation of Linux Container Virtualization

Imesh Gunaratne

Container security

Anthony Chow

What's hot (20)

Virtunoid: Breaking out of KVM

Docker, Linux Containers (LXC), and security

LXC, Docker, security: is it safe to run applications in Linux Containers?

Scale 12x Securing Your Cloud with The Xen Hypervisor

Introduction to linux containers

Lxc – next gen virtualization for cloud intro (cloudexpo)

S4 xen hypervisor_20080622

LOAD BALANCING OF APPLICATIONS USING XEN HYPERVISOR

Linux Container Technology 101

LCA13: Xen on ARM

Container security

XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems

XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...

Docker, Linux Containers, and Security: Does It Add Up?

Linux Container Brief for IEEE WG P2302

XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix

BACD July 2012 : The Xen Cloud Platform

Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy

Evoluation of Linux Container Virtualization

Container security

Similar to sVirt: Hardening Linux Virtualization with Mandatory Access Control

Windsor: Domain 0 Disaggregation for XenServer and XCP

The Linux Foundation

Xen and Apache cloudstack

The Linux Foundation

Xen Project Update LinuxCon BrazilThe Linux Foundation

Improvements in Failover Clustering in Windows Server 2012

Microsoft TechNet - Belgium and Luxembourg

Windows server 2012 failover clustering improvements

Susantha Silva

Security Best Practices For Hyper V And Server Virtualizationrsnarayanan

Virtualization Primer for Java Developers

Richard McDougall

12 christian ferber xen_server_advancedDigicomp Academy AG

Look Into Libvirt Osier Yang

OpenCity Community

CSA Presentation 26th May Virtualization securityv2vivekbhat

Linux container & docker

ejlp12

Linuxcon EU : Virtualization in the Cloud featuring Xen and XCP

The Linux Foundation

The Xen Hypervisor was built for the Cloud from the outset: when Xen was designed, we anticipated a world, which today is known as cloud computing. Today, Xen powers the largest clouds in production. This talk explores success criteria, architecture, trade-offs and challenges for cloudy hypervisors. It is intended for users and developers and starts with a brief introduction to Xen and XCP, their architecture, shine some light on common challenges for KVM and Xen, such as the NUMA performance tax and securing the cloud. It will introduce the concept of domain disaggregation as an approach to increase security, robustness and scalability: all important factors for building clouds at scale. The talk will conclude with an update on Xen support in Linux, Xen for ARM servers and other exciting developments in the Xen community and their implications for building open source clouds.

Nova for Physicalization and Virtualization compute modelsopenstackindia

LinuxCon NA 2012: Virtualization in the cloud featuring xenThe Linux Foundation

Windows 2008 R2 Virtualization

Eduardo Castro

Linux virtualization

Google

The virtualization can be described in a generic way as a separation of the service request from the underlying physical delivery of that service. In computer virtualization, an additional layer called hypervisor is typically added between the hardware and the operating system. The hypervisor layer is responsible for both sharing of hardware resource and the enforcement of mandatory access control rules based on the available hardware resources. There are three types of virtualization: full virtualization, para-virtualization and operating system level (OS-level) virtualization.

淺談探索 Linux 系統設計之道 National Cheng Kung University

Virtualization in the Cloud @ Build a Cloud Day SFO May 2012The Linux Foundation

Virtualization in the cloudCloudStack - Open Source Cloud Computing Project

Virtualization securityv2

vivekbhat

Similar to sVirt: Hardening Linux Virtualization with Mandatory Access Control (20)

Windsor: Domain 0 Disaggregation for XenServer and XCP

Xen and Apache cloudstack

Xen Project Update LinuxCon Brazil

Improvements in Failover Clustering in Windows Server 2012

Windows server 2012 failover clustering improvements

Security Best Practices For Hyper V And Server Virtualization

Virtualization Primer for Java Developers

12 christian ferber xen_server_advanced

Look Into Libvirt Osier Yang

CSA Presentation 26th May Virtualization securityv2

Linux container & docker

Linuxcon EU : Virtualization in the Cloud featuring Xen and XCP

Nova for Physicalization and Virtualization compute models

LinuxCon NA 2012: Virtualization in the cloud featuring xen

Windows 2008 R2 Virtualization

Linux virtualization

淺談探索 Linux 系統設計之道

Virtualization in the Cloud @ Build a Cloud Day SFO May 2012

Virtualization in the cloud

Virtualization securityv2

More from James Morris

Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats

sVirt: Hardening Linux Virtualization with Mandatory Access Control

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to sVirt: Hardening Linux Virtualization with Mandatory Access Control

Similar to sVirt: Hardening Linux Virtualization with Mandatory Access Control (20)

More from James Morris

More from James Morris (17)

Recently uploaded

Recently uploaded (20)

sVirt: Hardening Linux Virtualization with Mandatory Access Control