
Cloud Security with LibVMI


Presentation at BigTechDay8



  1. Outline
     ● What is the Cloud?
     ● Looking at HW based security
     ● Virtual Machine Introspection
     ● LibVMI
     ● Demos
     ● What’s next?
  2. What is the Cloud? (diagram: Big Tech, Technician, End user, Management, Developers, Researcher)
  3. Cloud Security
     ● Mainly an issue for the cloud providers
     ● They need to monitor their virtual hardware
     ● And for enterprise cloud applications
     ● They need to monitor their database and webapp
     ● An end user can only change his password
     ● He has no access to the underlying hardware/software
  4. Cloud Security
     ● Co-resident/breakout attacks
     ● Possible
     ● Network based attacks
     ● Probable
     ● Attackers will go after the low-hanging fruit
     ● We need to leverage Cloud defense mechanisms
  5. Why should you care?
     ● The technology powering the Cloud is also available on end-user systems
     ● on your phone, PC, tablets..
     ● Defense mechanisms that work for the Cloud will work for you!
  6. Non-comprehensive History of HW Security ..in 5 minutes
  7. Before 1982: Real Mode
  8.–11. 1982: Protected mode (diagram: Ring0 to Ring3; Ring0 = Operating System, Ring3 = Applications, Ring1/Ring2 unused; lower ring number = more privilege)
  12. 2003: Xen (diagram: Xen in Ring0, Operating Systems in Ring1, Applications in Ring3, Ring2 unused)
  13. 2003: x86-64 (diagram: Operating System in Ring0, Applications in Ring3, Ring1/Ring2 disabled)
  14. 2003: Xen on x86-64 (diagram: Xen in Ring0, OS/Applications in Ring3, Ring1/Ring2 disabled)
  15.–17. 2006: VT-x & AMD-V (diagram: Hypervisor as "Ring-1"; VMX root = OS/Hypervisor with its own Ring0–Ring3, VMX non-root = each Virtual Machine with its own Ring0–Ring3; VMX root has more privilege)
  18.–19. Psst.. I’m here too (since ‘93)! (diagram: System Management Mode as "Ring-2", above VMX root, with its own Ring0–Ring3)
  20. 2006?: Intel Dual-monitor SMM (diagram: Secure Transfer Monitor (STM) hosting several SMM instances)
  21.–23. 2008: Intel Management Engine (diagram: Intel ME as "Ring-3", running on an ARC 600(?) core with its own User/Kernel split, underneath everything above)
  24. 2013: Nested virtualization! (diagram: a Nested Hypervisor layer, each level with its own Virtual Machines and User/Kernel split)
  25.–26. 201x: Intel SGX (diagram: SGX enclaves inside Ring3 of the Virtual Machines)
  27. Oh yea, we have these too.. (diagram: ARM CPUs in your harddrive, NIC, etc., each with its own User/Supervisor split)
  28. The Cloud in 2015 (diagram: VMX root = OS/Hypervisor with Ring0–Ring3; VMX non-root = Virtual Machines, each with Ring0–Ring3)
  29. Securing Virtual Machines
     ● Security based on the Hypervisor
     ● Move security stack outside of the OS!
     ● Monitor
       o VM Memory
       o Virtual Hardware state
  30. Virtual Machine Introspection
  31. What is VMI
     ● View and control virtual machine from an external perspective
     ● Including
       o Network
       o Disk
       o Memory
       o vCPU
  32. VMI - The 3 aspects
     1. Isolation
     2. Interpretation
     3. Interposition
  33. Isolation
     ● Move security component outside of the guest operating system
     ● Hypervisor exposes a smaller attack surface
     ● Increasingly harder to tamper with or disable security system
  34. Interposition
     ● Step into the execution of the machine
     ● Prevent attacks from modifying the system (repair hooks, privileges, etc.)
     ● Needs to be fast, reliable, and stealthy
     ● Based directly on hardware events
  35. VMI - The 3 aspects
     1. Isolation → Hypervisor
     2. Interpretation → LibVMI / Volatility
     3. Interposition → Intel
  36. LibVMI
  37. Use cases
     ● System-level debugging
     ● Timeline or trend analysis
     ● Runtime security
     ● OS Integrity
     ● Malware analysis
     ● Forensics
  38. Core features
     ● Read and write VM memory
     ● Virtual Memory Translation (Paging)
       o Using various methods (DTB, PID, Kernel Symbol)
     ● Find and map guest OS data structures
     ● Place monitoring event-hooks into the guest
       o Exceptions, Page Faults
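What the "Virtual Memory Translation (DTB)" and "find and map guest OS data structures" features of slide 38 amount to, as an added example that is not LibVMI's code and not from the deck: a 4-level x86-64 page walk from a DTB over a constructed 64 KiB guest-memory image, then a walk of a constructed circular task list, the way a process-listing tool built on LibVMI interprets guest memory. The task layout, addresses and the list-head value are constructed assumptions; against a real guest LibVMI takes struct offsets from its config and the head address from a kernel symbol.

```python
import struct
PAGE = 0x1000
ENTRY_MASK = 0x000FFFFFFFFFF000   # bits 51..12 of an x86-64 paging entry: next-level PA
KBASE = 0xFFFFFFFF81000000        # constructed guest VA the fake tables map (assumption)
DTB = 0x1000                      # constructed CR3 / directory table base (assumption)
TASK_FMT = '<16sIxxxxQ'           # constructed layout: comm[16], pid u32, pad, next-task VA

def build_image():
    """Constructed 64 KiB 'guest physical memory' (sample data, not a real dump): a
    4-level page table mapping two kernel pages and a circular task list inside them."""
    mem = bytearray(0x10000)
    ent = lambda table, va, shift, pa: struct.pack_into(
        '<Q', mem, table + ((va >> shift) & 0x1FF) * 8, pa | 0x3)  # present + writable
    ent(DTB, KBASE, 39, 0x2000)            # PML4 -> PDPT
    ent(0x2000, KBASE, 30, 0x3000)         # PDPT -> PD
    ent(0x3000, KBASE, 21, 0x4000)         # PD   -> PT
    ent(0x4000, KBASE, 12, 0x5000)         # PT[0] -> data page
    ent(0x4000, KBASE + PAGE, 12, 0x6000)  # PT[1] -> data page
    # (comm, pid, VA, PA); circular like Linux's task list, 'sshd' lives on the second page
    tasks = [(b'swapper', 0, KBASE, 0x5000), (b'sshd', 812, KBASE + PAGE + 0x40, 0x6040),
             (b'init', 1, KBASE + 0x100, 0x5100)]
    for i, (comm, pid, _va, pa) in enumerate(tasks):
        struct.pack_into(TASK_FMT, mem, pa, comm, pid, tasks[(i + 1) % len(tasks)][2])
    return mem

def translate(mem, dtb, va):
    """x86-64 4-level page walk (what LibVMI does for a VA read given a DTB); None if unmapped."""
    table = dtb
    for shift in (39, 30, 21, 12):
        entry = struct.unpack_from('<Q', mem, table + ((va >> shift) & 0x1FF) * 8)[0]
        if not entry & 1:
            return None                                  # not present: unmapped VA
        if shift in (30, 21) and entry & 0x80:           # 1 GiB / 2 MiB large page
            return (entry & ENTRY_MASK & ~((1 << shift) - 1)) | (va & ((1 << shift) - 1))
        table = entry & ENTRY_MASK
    return table | (va & (PAGE - 1))

def list_processes(mem, dtb, head_va, limit=4096):
    """Walk the circular task list from its head VA; the limit bounds a corrupted or looped list."""
    out, va = [], head_va
    for _ in range(limit):
        pa = translate(mem, dtb, va)
        if pa is None:
            raise ValueError('unmapped task VA 0x%x' % va)
        comm, pid, va = struct.unpack_from(TASK_FMT, mem, pa)   # struct must not straddle pages
        out.append((pid, comm.rstrip(b'\0').decode()))
        if va == head_va:
            return out
    raise RuntimeError('task list did not return to its head')
```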
  39. Events on Xen with Intel CPUs
     ● Intel Extended Page Tables (EPT)
     ● Register write events ([X]CR0/3/4, MSRs)
     ● Software breakpoint interrupts (INT3)
     ● Single-stepping (MTF)
  40. What’s next with LibVMI?
  41. Future directions
     ● More guest OS support:
       o Android, BSD, etc.
     ● More (and better) hypervisor support:
       o KVM events, VirtualBox, Hyper-V, ESXi, etc.
     ● More events support on more platforms:
       o AMD, ARM, Intel
  42. What’s next in the Cloud?
  43. Future directions in the Cloud
     ● Software developed with Cloud in mind
     ● Scalable Applications and Separation of Tasks
     ● Enable VMI in the cloud
       o The Software and Hardware is already available
       o Cloud Providers do not provide access
  44. Thanks!
     Tamas K Lengyel, tamas@tklengyel.com, tlengyel@novetta.com, @tklengyel
     Thomas Kittel, kittel@sec.in.tum.de
     LibVMI: http://libvmi.com
     DRAKVUF: http://drakvuf.com
