
XPDS16: Making Migration More Secure - John Shackleton, Adventium Labs



Live virtual machine migration is a crucial operation in the day-to-day management of modern cloud environments. For systems with the highest security requirements, standard migration protocols must be amended to protect against a number of failure or cyberattack scenarios. In this presentation, we explore these scenarios and discuss extensions to various Xen toolstacks to protect against potential vulnerabilities.

Published in: Technology

  1. Making Migration More Secure
     John Shackleton, Adventium Labs
     August 25, 2016
     8/16/16 © Adventium Labs 2016. Approved for Public Release; Distribution Unlimited: 88ABW-2016-3682 & 20160726
     This material is based upon work supported by the United States Air Force under Contract No. FA8750-10-D-0197/0012. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the United States Air Force.
  2. Live Migration
     Diagram labels: Hypervisor, Guest VM, Hypervisor, Server A, Server B.
     • Perhaps most fundamental of cloud operations.
     • Focus has been on FAST and RELIABLE.
     Putting efficiency above security may ultimately lead to reduced efficiency.
  3. Different Storage Configurations
     • Shared Disk
     • Replicated Disk
     • Remote Referencing
     • Shared Nothing
     Diagram labels: Server A, Server B, VM, NBD, COPY.
  4. Basic Migration Process
     Diagram labels: Server A, Server B.
     1) Create mirror
     2) Pause VM
     3) Transfer State and Metadata
     4) Resume VM
     5) Remove mirror
     6) Release old VM footprint
  5. Advanced Cyberattack Examples
     • Spoofing: Mimicking a server to gain unauthorized access.
     • Thrashing: A sophisticated DOS attack.
     • Smash and Grab: Forcing source or destination VM image into a bad state.
     • Bait and Switch: Creating a deliberate failure to create shadow copy of the source VM.
     Diagram labels: Server A, Server B.
     Many attacks seek to disrupt the system or exfiltrate information.
  6. Other Migration Challenges
     Diagram labels: Hypervisor, Storage Domain, Network Domain, Guest VM, Server A, Server B.
     • MAC Policy
     • Crypto Keys
     • Deletion Certainty
     • Migration Policy
  7. Migration of Service Domains
     Diagram labels: Hypervisor, Storage Domain, Network Domain, Guest VM, disk, NIC, Device Pass-through.
     There is a need to support group migrations or refined pre/post migration customization.
  8. Details of Migration and Device Pass-Through
     Diagram labels (XenServer): Hypervisor, Dom0, Storage Domain VM, Guest VM, Virtual Disk, Physical Storage, PCI pass-through, Storage Repository, Physical Block Device, Storage Driver Domain UUID, Storage Repository UUID.
     Legend: Reference Maintained in Migration; Reference Broken in Migration.
  9. Migration of Crypto Keys
     Diagram labels: Hypervisor, Storage Domain, Network Domain, Guest VM, Crypto Keys (?).
     There is no industry standard for key management, and hence no industry standard for key migration.
     • Networked key management (KMIP)
     • Local certificate authorities
     • Migrate local keys with the VM
     • Manual key management
     • vTPM migration
  10. Migration of MAC Policies
     Diagram labels: Hypervisor, Storage Domain, Network Domain, Guest VM, MAC policy (?).
     XSM Policies must be written to enforce authorized migration and to accommodate migrating guests.
     • XSM policies are static.
     • Consequently XSM policies must be well designed and consistent between servers (and server pools).
     • Run-time enforcement of consistent policies is advantageous.
     • It is largely the administrator’s responsibility to coordinate XSM policies of migrating VMs.
  11. Extensions to Xen-based Migration that Would Enhance Security
     • Customization: Support pre- and post-migration scripts to handle specific device pass-through issues.
     • MAC Policy Enforcement: At both source and destination servers, enforce defined policies regarding who can move which VMs.
     • Group Migrations: Handle groups of VMs together to support associated service VMs.
     • Atomicity and Robust Error Handling: Provide comprehensive roll-back if errors occur during migration.
     • Deletion Certainty: Provide option to zeroize contents and associated data of source VM footprint to ensure security.
     • Migration Policy: At both source and destination servers, support defined policies regarding when and where a VM is allowed to migrate.
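
The six steps of slide 4 combined with three of the slide 11 extensions (migration policy checked at both ends, roll-back on error, zeroized footprints), as an added example that is not code from the presentation or from any Xen toolstack. The `Host` class, `allowed_peers`, `migrate` and `fail_at` are hypothetical names, and the hosts are simulated in memory.

```python
class MigrationError(Exception):
    """Policy denial or a failed migration step."""

class Host:
    """Constructed stand-in for a server; makes no real Xen toolstack calls."""
    def __init__(self, name, allowed_peers):
        self.name = name
        self.allowed_peers = set(allowed_peers)  # hypothetical migration policy
        self.footprint = {}                      # VM name -> bytearray of state
        self.running = set()

    def zeroize(self, vm):
        """Deletion certainty: overwrite the state in place, then drop it."""
        buf = self.footprint.pop(vm, None)
        if buf is not None:
            buf[:] = bytes(len(buf))
        self.running.discard(vm)

def migrate(vm, src, dst, fail_at=None):
    """Run steps 1-6; on error undo completed steps in reverse, then re-raise."""
    # Both ends must allow the move before any state leaves the source.
    if dst.name not in src.allowed_peers or src.name not in dst.allowed_peers:
        raise MigrationError(f"policy denies {src.name} -> {dst.name}")

    def create_mirror():
        dst.footprint[vm] = bytearray(len(src.footprint[vm]))
    def transfer():
        dst.footprint[vm][:] = src.footprint[vm]

    steps = [  # (action, compensating action), in slide 4 order
        (create_mirror, lambda: dst.zeroize(vm)),                         # 1) mirror
        (lambda: src.running.discard(vm), lambda: src.running.add(vm)),   # 2) pause
        (transfer, None),                                                 # 3) transfer
        (lambda: dst.running.add(vm), lambda: dst.running.discard(vm)),   # 4) resume
        (lambda: None, None),                 # 5) remove mirror (no-op in this model)
        (lambda: src.zeroize(vm), None),      # 6) release old footprint, zeroized
    ]
    undo = []
    try:
        for number, (do, compensate) in enumerate(steps, start=1):
            if number == fail_at:   # fail_at injects a fault for demonstration
                raise MigrationError(f"injected failure at step {number}")
            do()
            if compensate:
                undo.append(compensate)
    except Exception:
        for compensate in reversed(undo):
            compensate()
        raise
```

After a failed run the destination holds no copy of the VM state and the source is running again, which is the condition the roll-back extension is meant to guarantee; a real toolstack would also have to decide how to treat guest state changed after step 4.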