Trusted Virtual Datacenter and Trusted Computing

Transcription

1 IBM T J Watson Research Center Trusted Virtual Datacenter and Trusted Computing What about Cryptography? Reiner Sailer <> IBM Thomas J Watson Research Center, Hawthorne, NY Joint work with: Stefan Berger, Ramón Cáceres, Kenneth Goldman, Dimitrios Pendarakis, Ronald Perez, Josyula R Rao, Wayne Schildhauer, Eran Rom, Deepa Srinivasan, Sivan Tal, Ray Valdez 2008 IBM Corporation High Utilization Benefits Power Consumption Relative Power Consumption: Lowest at High Server Utilization RPC Virtualization 0% 100% 2 1

2 Collocating Customers Raises Isolation Concerns Complication: Moving different customers onto the same platform raises concerns related to their isolation Just pretend I m not here Customer feedback suggests that insufficient isolation can be a disruptive force hindering virtualization 3 We Must Strengthen Isolation Three-fold! Trusted Virtual Datacenter = Adding controls on data sharing between VMs to improve isolation TVD admin TVD admin Continuously monitoring isolation mechanisms and configurations + Automating security management to account for increasing dynamics of Cloud Computing + 4 2

3 Virtualization-based Security Management Virtual Resources IHS Blue Workload DB2 Green Workload IHS DB2 Physical Resources 5 Isolation Mechanisms Holistic workload protection Virtual Domain View Run-time isolation Isolate VMs of different colors Network isolation Isolate traffic of different colors Storage isolation Isolate storage of different colors Management isolation Separate tenant administrators responsible for different colors 6 3

4 Cryptography Offers Decisive Advantages For Isolation Cryptography can can translate a communications // storage security problem into into a key key management problem Hypervisor Three major challenges for cryptography in virtualized environments Side-channels can leak keys from Secure VMs Credentials must be virtualized and automatically managed Integrity of key-keeping VMs must be managed effectively 7 TVDc: Orchestrating Server, Network & Storage Isolation System/Service Management Solutions Data Center Administrator IHS DB2 SVC SVC Blue Trusted Virtual Domain Dom U Dom U Dom U Dom 0 Green Bridge XenAPI Blue Bridge Virtual IO Server Mgmt Green Bridge Blue Bridge LPAR LPAR LPAR Xen/sHype System x w. Xen Blue VLAN Blue VLAN PHYP/sHype System P Green VLAN Green VLAN System x (Xen) System P (PHYP) 8 4

5 Cryptography Usage Where cryptography is used in the data center (list is not exhaustive) Run-time: Crypto service VMs (credential management, virtual crypto hardware) Networking Layer-2: additional protection beyond logical virtual LANs Layer-3: bridging public networks between data-center locations (IPSEC) layer: protecting access to DC services from external clients (SSL) Storage Block-level encryption to protect from theft of storage devices File system-level encryption as close to the consumer processes as possible Credentials required for VMs accessing storage devices Virtualization Platform Management: Authentication, Key Management 9 Crypto Requirement: Side Channel Resistance Security Services and related keys move from Guests into specialized Security VM Complication: Keys can still leak through side-channels Perfect confinement of VMs is problematic E.g., I/D Cache on Intel/AMD, Hypervisor storage and timing channels Crypto Opportunity: Secure VM can help protect keys by decoupling resource usage from the key Frequent re-keying Crypto hardware can protect keys even if the trusted VM becomes corrupt Guest VM Hypervisor Hypervisor Secure VM 10 5

6 TVDc Centralized Policy-Driven Storage Isolation Purely Physical Access Attribute Logical credentials bound to physical attributes Purely Logical Credentials + can migrate - abusable if leaked SAN Storage System 11 Capability based Secure Access Control to Networked Storage Devices 2 CreateVM(label,privKey) 3 Integrated Manager MapVolume(uuid,vol_id) Policy Guest VM 7 I/O Xen / shype Mgmt VM (Dom0) ACM VBD SCSI driver StartVM(uuid) Authenticate, request credential Credential CreateVolume(secretKey) 1 HBA IO request IO request I/O request SVC LUN 12 6

7 Crypto Requirement: Automatic Credential Management Virtualizing physical attributes that are used for security is complicated physical attribute are shared by multiple guests keys / credentials become invalid after VM migration Example case: Channel-bound Storage Access Credentials Virtualization management migrates VMs to optimize availability, utilization, Updating physical attributes (e.g., Port-Zoning, LUN-Masking) is complicated Purely logical credentials introduce risk of abuse of leaked credentials Risk Mitigation: Re-issue credentials associated with physical attributes after migration Introduce validation period for credentials 13 Secure Secure VM VM Hypervisor 14 7

8 Trusted Computing Integrity Measurement Architecture Attesting System Measurements Verifying System Deduce System Properties Data Config data Boot- Process TCG Grub Kernel Real System Program... IMA Kernel module SHA1(Boot Process) SHA1(Kernel) SHA1(Kernel Modules) SHA1(Program) SHA1(Libraries) SHA1(Configurations) SHA1(Structured data) TPM-Signed PCR Integrity Value Analysis Inferred System Known Fingerprints 15 (1) Measurement (2) Attestation (3) Verification VMM Integrity Verification Example (Xen) VMM VMM Measurement Measurement List List Fingerprint Fingerprint DB DB ===============================================+============================ ===============================================+============================ #000: #000: BC55F0AFE013C3402F00E0AA11EE6CFAA2B4D2AB BC55F0AFE013C3402F00E0AA11EE6CFAA2B4D2AB aggregate aggregate (bios (bios + + grub grub stages) stages) #001: #001: A8A865C7203F2565DDEB511480B0A2289F7D035B A8A865C7203F2565DDEB511480B0A2289F7D035B grub.conf grub.conf (boot (boot configuration) configuration) #002: #002: 1238AD50C652C88D139EA2E9987D06A99A2A22D1 1238AD50C652C88D139EA2E9987D06A99A2A22D1 xen.gz xen.gz #003: #003: 84ABD CA4A448E0D2C9364B4E1725BDA4F 84ABD CA4A448E0D2C9364B4E1725BDA4F isolation_policy.bin isolation_policy.bin #004: #004: 9ECF02F90A2EE2080D DE47968C8A1BE3D 9ECF02F90A2EE2080D DE47968C8A1BE3D linux xen linux xen #317: #317: BC55F0AFE013C3402F00E0AA11EE6CFAA2B4D2AB BC55F0AFE013C3402F00E0AA11EE6CFAA2B4D2AB /bin/login /bin/login #318: Hypervisor #318: A8A865C7203F2565DDEB511480B0A2289F7D035B A8A865C7203F2565DDEB511480B0A2289F7D035B /usr/bin/httpd /usr/bin/httpd #319: #319: 1238AD50C652C88D139EA2E9987D06A99A2A22D1 1238AD50C652C88D139EA2E9987D06A99A2A22D1 /usr/bin/java /usr/bin/java #320: #320: 84ABD CA4A448E0D2C9364B4E1725BDA4F 84ABD CA4A448E0D2C9364B4E1725BDA4F /usr/bin/sshd /usr/bin/sshd #321: #321: 9ECF02F90A2EE2080D DE47968C8A1BE3D 9ECF02F90A2EE2080D DE47968C8A1BE3D /usr/bin/python /usr/bin/python Hypervisor Secure Secure VM VM Known Fingerprints = Acceptable + Malicious + Out of Policy 16 8

9 Crypto Req: Commutative Fingerprint Aggregation TPM protects measurement list against insertion, deletion, re-ordering A C D D B B B C PCR new := SHA1(PCR old, M) where M = Hash(Program) C A C B If system yielded same PCR value for same set of fingerprints Property verification and comparison would be greatly simplified Anomalies would be easier to identify D D A A Summary Virtualization driven by energy saving potential TVDc / Trusted Computing can mitigate the risk of collocating customers Improving on isolation between workloads Continuous integrity monitoring and anomaly detection Simplified and policy-driven data center security configuration Cryptography is essential but also faces challenges (opportunities) Side-channel resistant cryptographic implementations Scalable and autonomic key / credential management supporting VM migration Effective integrity management for VMM and Secure VMs 18 9

10 References and Related Work TVDc: Managing Security in the Trusted Virtual Datacenter. Stefan Berger, Ramón Cáceres, Dimitrios Pendarakis, Ronald Perez, Reiner Sailer, Wayne Schildhauer, Deepa Srinivasan, Enriquillo Valdez. ACM SIGOPS Operating Systems Review, Vol 42, Issue 1, January Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control. Enriquillo Valdez, Reiner Sailer, Ronald Perez. 23rd Annual Computer Security s Conference (ACSAC), Florida, December Capability based Secure Access Control to Networked Storage Devices. Michael Factor, Dalit Naor, Eran Rom, Julian Satran, Sivan Tal. Mass Storage Systems and Technologies, MSST th IEEE Conference on Volume, Issue, Sept Page(s): Shamon -- A System for Distributed Mandatory Access Control. Jonathan M McCune, Stefan Berger, Ramón Cáceres, Trent Jaeger, Reiner Sailer. 22nd Annual Computer Security s Conference (ACSAC), Miami Beach, Florida, December 2006 vtpm: Virtualizing the Trusted Platform Module. Stefan Berger, Ramón Cáceres, Kenneth Goldman, Ronald Perez, Reiner Sailer, Leendert van Doorn. 15th USENIX Security Symposium, Vancouver, Canada, July Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramón Cáceres, Ronald Perez, Stefan Berger, John Griffin, Leendert van Doorn. 21st Annual Computer Security s Conference (ACSAC), Tucson, Arizona, December Design and Implementation of a TCG-based Integrity Measurement Architecture. Reiner Sailer, Xiaolan Zhang, Trent Jaeger, Leendert van Doorn.13th Usenix Security Symposium, San Diego, California, August, In the interest of space, please refer to the references of the cited papers for further related work. 19 BACKUP 20 10

11 BACKUP 21 Trusted Computing and Virtualization Timeline IBM IMA for Linux MS NGSCB 1.. IBM shype IBM vtpm NAC MS Vista Bitlocker TCG TPM1.1 SRTM TCG TPM1.2 DRTM AMD SVM SKINIT Intel LT SENTER

12 shype: Enabling Trusted Virtual Datacenters TVDc (manages) Workload Isolation + Integrity Integrated isolation management across networking/storage resources Radically Simplified WL-Management Managed Services Human Coalition Resources Payroll shype (controls sharing) Work Load Xen VMM (virtualizes + isolates) VM Core Root of Trust TPM + HSM Hypervisor Hypervisor Hypervisor 23 Trusted Virtual Data Center Value Proposition Radically simplifies security Management Reduces the risk of security exposures through consistent, policy-driven enforcement Isolation Management Integrity Management Enforces restrictions on administration and data sharing Who can manage what Which customers can run together How virtual machines can share data Maintains software inventory and acts as early warning system for anomalies What is running in each VM If VMs/Systems are correctly configured If VMs are up-to-date with patches 24 12

13 Secure Hypervisor Architecture (shype) VM Auditing, Monitoring, Metering, Linux MS Windows Secure Services Secure (isolated) services e.g. Policy Management Resource control and metering Access control between partitions Xen / shype Hardware Isolation between partitions Attested boot and run-time (TCG/TPM, IMA) Sailer, Sailer, Jaeger, Jaeger, Valdez, Valdez, Cáceres, Cáceres, Perez, Perez, Berger, Berger, Griffin, Griffin, van van Doorn: Doorn: Building Building a a MAC-based MAC-based Security Security Architecture Architecture for for the the Xen Xen Opensource Opensource Hypervisor. Hypervisor st st ACSAC, ACSAC, shype Access Control Architecture (Example: Xen) 26 VM Linux Xen / shype Hardware Hypervisor security hooks MS Windows Callbacks Dom0 Secure (Management) Services ACM Flexible framework: Supports Multiple Policies Access Control Module Implements Policy Model Hypervisor Security Hooks mediate inter-vm communication + resource access interact with ACM for access decision Implemented for Xen, PHYP, rhype in various stages 13

14 2. Distributed Isolation Enforcement at Run-time (Secure hypervisor extensions shype/acm) 1. Control Sharing 2. Control what a system can run 3. Enforce rules for anti-collocation Xen: Xen: Integrated Integrated into into Open-source Open-source distribution distribution PHYP PHYP Access Access Control Control Module Module (research (research prototype) prototype) Anti-Collocation:{, } t 27 Berger, Berger, Cáceres, Cáceres, Goldman, Goldman, Perez, Perez, Sailer, Sailer, van van Doorn Doorn vtpm: vtpm: Virtualizing Virtualizing the the Trusted Trusted Platform Platform Module. Module. 15th 15th USENIX USENIX Security Security Symposium, Symposium, July July Virtual TPMs Enable VM Integrity Attestation IMA-enabled IMA-enabled Guest Kernel OS IMA-enabled IMA-enabled IMA-enabled Guest Kernel OS Virtual TPMs Support current IMA via vtpms (flexible, scalable) Policy Manager Measure HW, hypervisor, and critical services Secure Hypervisor ACM Hardware Core Root of Trust 28 14

15 vtpm+ima: Focus on Solving Real Problems Configuration Management Configure server classes Verify configuration against software stack Problem Management Automatically detect and isolate real problems Direct intelligence towards those real problems Fix problems efficiently Verify that problems no longer exists System B System A HELP! #000: BC55F0AFE013C...E6CFAA2B4D2AB boot_aggregate (bios + grub stages) #000: BC55F0AFE013C...E6CFAA2B4D2AB boot_aggregate (bios + grub stages) #001: A8A865C7203F2...0A2289F7D035B grub.conf (boot configuration) #001: A8A865C7203F2...0A2289F7D035B grub.conf (boot configuration) #002: 1238AD50C652C...87D06A99A22D1 vmlinuz bk2-lsmtcg #002: 1238AD50C652C...87D06A99A22D1 vmlinuz bk2-lsmtcg #003: 84ABD C B4E5BDA4F init (first process) #003: 84ABD C B4E5BDA4F init (first process) #004: 9ECF02F90A2EE...5DE4798A1BE3D ld so (dynamic linker) #004: 9ECF02F90A2EE...5DE4798A1BE3D ld so (dynamic linker) #005: 1238AD50C652C...87D06A99A22D1 Linux Root Kit #005: 1238AD50C652C...87D06A99A22D1 Linux Root Kit #006: 84ABD C B4E5BDA4F Unknown Program #006: 84ABD C B4E5BDA4F Unknown Program Runs old patch-level #000: BC55F0AFE013C...E6CFAA2B4D2AB boot_aggregate (bios + grub stages) #000: BC55F0AFE013C...E6CFAA2B4D2AB boot_aggregate (bios + grub stages) #001: A8A865C7203F2...0A2289F7D035B grub.conf (boot configuration) #001: A8A865C7203F2...0A2289F7D035B grub.conf (boot configuration) #002: 1238AD50C652C...87D06A99A22D1 vmlinuz bk2-lsmtcg #002: 1238AD50C652C...87D06A99A22D1 vmlinuz bk2-lsmtcg #003: 84ABD C B4E5BDA4F init (first process) #003: 84ABD C B4E5BDA4F init (first process) #004: 9ECF02F90A2EE...5DE4798A1BE3D ld so (dynamic linker) #004: 9ECF02F90A2EE...5DE4798A1BE3D ld so (dynamic linker) #005: 1238AD50C652C...87D06A99A22D1 Illegal Config /etc/http.conf #005: 1238AD50C652C...87D06A99A22D1 Illegal Config /etc/http.conf #006: 84ABD C B4E5BDA4F Old HTTP Server 1.1 #006: 84ABD C B4E5BDA4F Old HTTP Server Weinberg s Second Law of Programming If builders built buildings the way programmers write programs, the first woodpecker to come along would destroy civilization

16 TVDc Centralized Policy-Driven Storage Isolation Purely Physical Access Attribute Logical credentials bound to physical attributes Purely Logical Credentials + can migrate - abusable if leaked Set Credentials SAN Admin Manual Configuration Storage System Create Credentials Security Manager 31 Crypto Requirement: Automatic Credential Management Virtualizing physical attributes that are used for security can be complicated It removes the uniqueness since the attribute is reused by guests It complicates key and credential management across migration since keys / credentials can become invalid after migration due to changing physical attributes Example case: Channel-bound Storage Access Credentials Networked Storage Access Virtualization management migrates VMs to optimize availability, utilization, etc. Storage Access control relying on physical attributes (e.g., Port-Zoning, LUN-Masking) is complicated since those change with migration and are shared between virtual machines Storage Access control based purely on logical credentials introduces risk of unauthorized access through abuse of leaked credentials Risk Mitigation: Credentials associated with physical attributes can be re-issued after migration Credentials with short validity period become invalid after expiration even if leaked 32 16