ZeroVM background: an introduction to some of the concepts behind ZeroVM. A short discussion of the Google Native Client project and of software-based fault isolation is also provided.
1. 11World-Leading Research with Real-World Impact!
ZeroVM Background
Prosunjit Biswas
Institute for Cyber Security
University of Texas at San Antonio
April 23, 2014
Institute of Cyber Security, ICS @ UTSA
2. Motivation Behind ZeroVM
1. In Amazon map/reduce jobs, a considerable amount of overhead came from fetching the data from S3 to EC2 instances and putting it back to S3.
2. The overhead hurt when customers needed to rebuild the cluster and run the map/reduce again.
3. A significant amount of the customer's money was spent moving the data back and forth.
3. Motivation Behind ZeroVM (continued)
Challenge with high I/O:
1. Can we bring the application to the data (very limited I/O overhead)?
Challenge with application isolation:
2. How can we ensure no harm even if the application is malicious?
4. What is ZeroVM
ZeroVM is an open-source lightweight virtualization platform based on the Chromium Native Client project.
5. ZeroVM Properties
1. ZeroVM virtualizes the application, not the operating system.
2. Single-threaded (thus deterministic) execution.
3. Constrained resources:
-- Channel-based I/O
-- Predefined socket port / network
-- Restricted memory access
-- Limited read/write (in bytes)
-- Limited lifetime / predefined timeout
7. Popular Virtualizations
1. ZeroVM virtualizes the application, not the operating system.
2. Does ZeroVM use process-level virtualization? No.
The two popular approaches are OS-level virtualization and process-level virtualization.
8. Popular Virtualizations
OS-level virtualization
Pros:
1. Complete isolation: dedicated virtual memory, dedicated virtual storage, dedicated virtual CPU.
2. Flexible architecture: almost all operating systems are supported.
3. Fault tolerance.
Cons:
1. High resource overhead.
2. High maintenance cost.
Process-level virtualization
Pros:
1. Easy to maintain.
2. Comparatively low overhead.
Cons:
1. Single large fault domain: one malicious app may crash the whole system.
2. No complete isolation.
9. ZeroVM Virtualization
Process-level virtualization (ZeroVM)
Pros:
1. Nearly complete isolation: uses the Google Native Client (NaCl) project.
2. Low resource overhead.
3. Fault tolerant.
Cons:
1. Runs only special executables/binaries.
2. Very limited support for existing applications.
11. ZeroVM Properties
Single-threaded execution:
1. No fork
2. No context switch
3. No faults due to concurrency
13. Channel Based Input / Output
Before execution, ZeroVM is given a manifest/configuration file which specifies the predefined resources through channels:
-- Input file, output file / file system
-- Network (socket, DNS)
-- Memory
Channel = /tmp/input.txt, /dev/stdin, 0, 1, 0x1000, 0x1000, 0, 0
Which means:
-- ZeroVM's input (/dev/stdin) comes from /tmp/input.txt on the local filesystem.
-- 0: only sequential read/write is allowed.
-- 0x1000: only 1000 bytes are allowed to be read from the input file.
-- 0: 0 bytes can be written to /tmp/input.txt.
14. An example Manifest file
Channel = /dev/null, /dev/stdin, 0, 1, 999999, 999999, 0, 0
Channel = /dev/stdout, /dev/stdout, 0, 1, 0, 0, 999999, 999999
Channel = /dev/stderr, /dev/stderr, 0, 1, 0, 0, 999999, 999999
Version = 20130611
Program = hello.nexe
Memory = 33554432, 1
Timeout = 1
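As an added example (not ZeroVM's own code) covering both the channel explanation on the previous slide and this manifest: a small Python parser for the manifest format above, plus the per-channel byte/operation accounting that the "limited read/write" quotas imply. The slides only explain the third, fifth and last channel fields; the split of fields five to eight into read count, read bytes, write count and write bytes, and the meaning of the fourth field, are assumptions made here.

```python
from dataclasses import dataclass
# Manifest reproduced from the slides, with /tmp/input.txt as the stdin channel.
MANIFEST = """\
Channel = /tmp/input.txt, /dev/stdin, 0, 1, 0x1000, 0x1000, 0, 0
Channel = /dev/stdout, /dev/stdout, 0, 1, 0, 0, 999999, 999999
Version = 20130611
Program = hello.nexe
Memory = 33554432, 1
Timeout = 1
"""

class ChannelLimitExceeded(Exception):
    """Raised when the guest would exceed a manifest quota."""
@dataclass
class Channel:
    uri: str        # host-side resource (e.g. /tmp/input.txt)
    alias: str      # name the guest sees (e.g. /dev/stdin)
    access: int     # 0 = sequential access only, per the slides
    etag: int       # fourth field, not explained on the slides
    gets: int       # assumed: max read operations; get_size = max bytes read
    get_size: int   # 0x1000 parses to 4096 bytes
    puts: int       # assumed: max write operations; put_size = max bytes written
    put_size: int
    used: tuple = (0, 0, 0, 0)   # reads, bytes read, writes, bytes written

    def read(self, nbytes: int) -> None:
        """Account for a guest read; refuse if either read quota would be exceeded."""
        r, rb, w, wb = self.used
        if r + 1 > self.gets or rb + nbytes > self.get_size:
            raise ChannelLimitExceeded(f"read of {nbytes} bytes on {self.alias}")
        self.used = (r + 1, rb + nbytes, w, wb)

    def write(self, nbytes: int) -> None:
        r, rb, w, wb = self.used
        if w + 1 > self.puts or wb + nbytes > self.put_size:
            raise ChannelLimitExceeded(f"write of {nbytes} bytes on {self.alias}")
        self.used = (r, rb, w + 1, wb + nbytes)

def parse_manifest(text: str) -> dict:
    """Parse 'Key = value' lines; channels are keyed by their guest-visible alias."""
    manifest = {"channels": {}}
    for line in text.splitlines():
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "Channel":
            uri, alias, *nums = (f.strip() for f in value.split(","))
            manifest["channels"][alias] = Channel(uri, alias, *(int(n, 0) for n in nums))
        else:   # Version, Program, Memory, Timeout kept as raw strings
            manifest[key.lower()] = value
    return manifest
```

With this manifest the guest can read at most 4096 bytes from /dev/stdin and write nothing to it, while /dev/stdout accepts writes only.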
15. Binary Support for ZeroVM
ZeroVM executables have to be precompiled in .nexe format. Currently only C (C99) and Python executables are supported. Existing C executables and the Python interpreter need recompilation to modify or eliminate sensitive system calls.
16. ZeroVM from a theoretical standpoint
Diagram: a dependency chain ZeroVM -> Google Native Client -> Software Fault Isolation, with the arrows labelled "Functional Dependency and Security Feature".
18. Software Fault Isolation
Diagram (example: Google Chrome browser): trusted code (e.g. distributed by Google) and untrusted code (e.g. third-party extensions) run together; the arrows mark valid accesses and malicious accesses from the untrusted code.
Fault isolation techniques:
1. Address-space abstraction by the OS.
Cons:
1. Communication between address spaces is very costly.
Ref: Efficient Software-based Fault Isolation
19. Software Fault Isolation
Fault domain:
-- Contiguous region of memory.
-- Has its own code and data segments.
-- Code from different trust levels gets its own fault domain.
Cross-domain communication:
-- No direct memory access.
-- All calls are implemented by RPC.
Single-domain restricted access:
-- The module cannot change its code segment (self-modifying code is dangerous).
-- Every jump instruction must not leave its own domain.
-- Most jumps are statically verified; otherwise they are verified at run time with the help of checking code.
Distributed code / extensions must be recompiled/rewritten.
Diagram: Fault Domain 1, Fault Domain 2 and Fault Domain 3, each with a read-only code segment and a read-write data segment.
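As an added illustration of the jump rule above (not code from ZeroVM, NaCl or the cited paper): a toy fault domain whose segment id lives in the upper address bits, a static verifier that rejects direct jumps and stores that would leave the domain, and the run-time sandboxing step that checking code performs before an indirect jump or store. The 4 KiB segment size and the instruction names are constructed for this example.

```python
# Toy model of the SFI scheme on the slide (after Wahbe et al.): a fault domain
# is a contiguous, aligned region whose segment id is the upper bits of every
# address. Direct jumps/stores are verified statically; indirect ones are
# sandboxed at run time by forcing the target's upper bits to the segment id.

SEGMENT_BITS = 12                      # a toy segment is 4 KiB
OFFSET_MASK = (1 << SEGMENT_BITS) - 1

class FaultDomain:
    def __init__(self, code_seg: int, data_seg: int):
        self.code_seg = code_seg       # code segment: read-only, never a store target
        self.data_seg = data_seg       # data segment: read/write

    def in_segment(self, addr: int, seg: int) -> bool:
        return addr >> SEGMENT_BITS == seg

    def sandbox(self, addr: int, seg: int) -> int:
        """Run-time check: keep the offset, force the segment id, so no escape."""
        return (seg << SEGMENT_BITS) | (addr & OFFSET_MASK)

def verify(domain: FaultDomain, program: list) -> list:
    """Static verifier/rewriter over toy instructions (op, arg):
      ('jmp', addr)  direct jump     ('store', addr)  direct store
      ('jmpi', reg)  indirect jump   ('storei', reg)  indirect store
    Direct targets are checked here; indirect ones get a sandbox step inserted."""
    out = []
    for op, arg in program:
        if op == "jmp" and not domain.in_segment(arg, domain.code_seg):
            raise ValueError(f"direct jump leaves fault domain: {arg:#x}")
        if op == "store" and not domain.in_segment(arg, domain.data_seg):
            raise ValueError(f"direct store outside data segment: {arg:#x}")
        if op == "jmpi":
            out.append(("sandbox", arg, domain.code_seg))   # inserted checking code
        elif op == "storei":
            out.append(("sandbox", arg, domain.data_seg))
        out.append((op, arg))
    return out

def run(domain: FaultDomain, program: list, regs: dict) -> dict:
    """Execute a rewritten program; returns the last jump target and store address."""
    trace = {}
    for ins in program:
        if ins[0] == "sandbox":
            regs[ins[1]] = domain.sandbox(regs[ins[1]], ins[2])
        elif ins[0] in ("jmp", "jmpi"):
            trace["pc"] = ins[1] if ins[0] == "jmp" else regs[ins[1]]
        elif ins[0] in ("store", "storei"):
            trace["store"] = ins[1] if ins[0] == "store" else regs[ins[1]]
    return trace
```

A register that points outside the domain is not rejected at run time; it is silently redirected into the domain, which is what keeps a faulty or malicious module from touching another domain's memory.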
20. Google Native Client (NaCl)
Adopted from: https://developers.google.com/native-client/dev/overview
21. Application Development for Native Client
Adopted from: https://developers.google.com/native-client/dev/overview
22. Google Native Client (NaCl)
NaCl consists of two parts:
1. Inner sandbox: a constrained execution environment for native code that prevents unintended side effects.
2. Outer sandbox: a runtime for hosting these native code extensions, through which allowable side effects may occur safely.
Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code
23. Protection Rules for the Inner Sandbox
Reference: Native Client: A Sandbox for Portable, Untrusted x86 Native Code
24. Security Application for ZeroVM
Diagram (two flows): (a) Swift alone: an object request goes to Swift and the object (the data) is returned. (b) Swift with zerovm: a request goes to Swift, the app runs inside zerovm next to the data, and only the result is returned.
25. Security Application for ZeroVM
Application perspective:
1. User application
2. 3rd-party application
3. Provider application
Data perspective:
1. User data
2. Public data
3. Protected data (data + access control)
26. Security Application for ZeroVM
Provider application:
Authaas - authorization as a service for object storage (for JSON data). The data owner does not create a new application to publish his data restrictively; instead he just specifies an access-control policy, and enforcement is done through Authaas.
Use case:
The Texas State Library has decided to move their digital contents (books, articles and so on) to the object store. Their digital content is structured in JSON format. The library has readers of various types (public, silver, golden, platinum, etc.) and the digital contents are also classified into various types (public, paid, protected, secret, etc.).