Operating Systems Virtualisation and Security - Modern Aspects and an Open Trusted Computing Project

Transcription

1 Operating Systems Virtualisation and Security - Modern Aspects and an Open Trusted Computing Project Ivanov Ivan Evgeniev, Gueorguiev Vesselin Technical University of Sofia, Sofia, Bulgaria Abstract The lack of platform security in today's computers has given rise to waves of successful attacks, resulting in severe damages to enterprises and potential failure of critical infrastructures. Trusted Computing aims at increasing the security of the core Operating Systems. This begins at the lowest level of the platform with a controlled loading (in virtual environment) of an operating system and goes on level by level, verifying the process after each level. New security features like isolation integrity check, security policies, risk scenarios and hardware virtualisation support will be presented. Keywords: virtualisation, security, trusted platform. 1. INTRODUCTION This paper is focused only on virtualization technologies for x86 platforms (IA32 architecture), because it is felt that this is the field where a security analysis is most needed. In fact, the mass-market of cheap and widespread x86 platforms is at the heart of the current renaissance in virtualization technologies. Especially the Open Trusted Computing FP6 project is presented as one of the biggest European initiatives in this area. Both server and desktop applications of virtualization technologies are discussed. The concept of virtual machine (VM) lies on the idea that some software layer supports desired architecture and doing so, a VM presents real machine compatibility. A virtual machine was originally defined by Popek and Goldberg in 1974 as an efficient, isolated duplicate of a real machine. Virtual machine monitors (VMM) (or hypervisor) is a software system that partitions a single physical machine into multiple virtual machines. System virtual machines are presenting full replica of the underlying physical machine. A hypervisor can run on bare hardware (native VM) or on top of an operating system (hosted VM). Multiple VMs run their own operating system (guest operating system). VMMs are based on two concepts full virtualization and paravirtualization. Full virtualization means that the VM layer simulates a stand-alone instance of a computer, all the way down to the IO ports, DMA channels, and Interrupts. In true full virtualization all CPU operations are reproduced by the virtual processor. The overhead for handling all CPU instructions, however, makes true full virtualization of x86 processors impractical, if not impossible. Instead, virtual machines that provide a robust enough representation of the underlying hardware to allow guest operating systems to run without modification can be considered to provide full virtualization. Unlike full-virtualization, paravirtualization requires some modification of the guest OS to operate. Such guests are considered to be aware or enlightened, due to their knowledge that they are operating in a virtual environment.

2 2. HISTORICAL AND TODAY S PERSPECTIVES Virtual Machine Monitors have been first announced in early 1970s. They have been oriented to those days presented computers mainframes. Virtualization made possible to run in parallel multiple operating systems thus increase the workload of the expensive hardware up to 100%. First advantages of virtual machines have been identified in [1]. The desire to run multiple operating systems was the original motivation for virtual machines, as it allowed time-sharing a single computer between several singletasking OSes. Low-cost computers abolished the need for virtualization. Some hardware support was still available under V8086 mode of Intel processors. The first new successive virtual machines were VMware s platform and Virtual PC in late 1990s. Nowadays many leading hardware and software companies are developing virtualization strategies or build hardware elements supporting virtualisation. This list includes Intel, AMD, Sun Microsystems, IBM, Microsoft. At 1999 a Trusted Computer Group has been established. Now it includes more than 110 members and all market hardware and software leaders. This group is working for realizing Trusted Computing on different platforms. Unfortunately, although the TCG standardized security services of the hardware, it did not define an open standard on how to leverage this hardware for protecting operating systems. Modern computers (and especially servers) are incomparably less expensive and more powerful than their predecessors - mainframes. This led to computer pervasiveness. As result the total cost of ownership started to increase. This cost includes many parts but some of them are administration and security defence. As presented above leading hardware vendors Intel and AMD started to support virtualization in their current processor. Building on the traditional x86 ring model, hardware supported virtualization creates the ability to establish a trusted root mode and an untrusted non-root mode, each with their own rings 0-3. Special virtualization instructions, called hypercalls, allow the guest operating systems to call out to the hypervisor for resource allocation, device interaction, or processing requests. In addition to all previous general observations George Lawton presented very deep analysis [2] about increasing growth of computers power consumption and pointed as one of possible solutions for power consumption reduction to be virtualisation and based on this workload increase for every installed computer. This discussion is out of scope of this paper but it presents one more reason for extensive research in the area of computer virtualisation. 3. THREATS AND VULNERABILITIES ANALYSIS Security is vital to the development of new e-society. The main challenges arise from the complexity of future computer usage in different environments. Totally new areas of threat are emerging from new societal applications: the protection of all citizens against violation of ITC related privacy, authentication and identification topics has become an area for which strategic research on security and trust is required. ITC equipment has already today a growing tendency for storing personal and private information, which can also be endangered by today s threat. Trustworthy embedded systems become a present in new products from cars to mobile phones. One of the most quoted phrases in computer science is David Wheeler s comment that any problem in computer science can be solved by another layer of indirection. Virtualization is one of those examples that look to confirm this sentence. Unfortunately

3 the quote is not full. Its full text is Any problem in computer science can be solved by another layer of indirection. But that usually will create another problem. This text presents in better details what happens in virtualized environments. Great features need great analyzes and increased security strategies. Hereafter are discussed three possible scenarios where features will become threats. (Analyses are based on Internet materials). Using a single computer for low-security and high-security tasks Consolidation of services onto fewer physical computers Using common hardware platform to host multiple OSes. All these scenarios have been discussed as major targets for virtualisation. And they are. Unfortunately there are the following possible threats: Some reported VMs do not provide isolation at all giving the guest full access to host s resources. These VMs are providing environment to run an application designed for one architecture onto another one. Here isolation is simply omitted. The host presents availability to share date among VMs via clipboard. System logs can be accessed in some cases by guest OSes. The VMM s goal is to facilitate some kind of communication between VMs. All these possibilities are based on the user s belief that VMs are: Absolutely isolated each other. A break-in in one VM does not provide access to the other. The host is always unbreakable (and invisible). The abovementioned assumptions are not definite and in most cases unattainable. The security society has a very good postulate An application cannot be more secure than the OS it runs on. And from historical point view it is clear that no one system can be implemented free of design and implementation bugs. Some of possible security break-ins are listed below: Because of some bugs in VM environment an application that cannot access any resource belonging to the host or other VM in normal case bypasses VM and obtains full access to all privileged resources. Security is fully compromised. Any kind of resource allocation that is not correctly handled by VM can cause this situation. Data traffic monitoring by host is potential weak point. A possibility to one VM to monitor another one. This breaks the main rule that VMs are fully independent. Resource allocation is based on a limited list of physical resources. In some situations simultaneous attempts to access some resources can lead to starvation for some VM. Modification of a VM or even the VMM by some kind of virus or other malware. Starting root-kits before the VMM. All these problems are targeted in the FP6 Open Trusted Computing project. Some public targets and results will be provided in the next section. 4. OPEN TRUSTED SECURITY PROJECT Open Trusted Security project is targeting to implement Open Trusted platform based on the cost-efficient and widely deployed Trusted Platform Module (TPM) specified by the Trusted Computing Group (TCG) and the new generation of x86 CPUs from Intel and AMD. The aim of the project is to solve all envisaged in the previous section problems, to work for standardization and harmonization of legislation regarding trusted

4 platforms and to provide stable example of open source solution for virtualization and trust platforms. The architecture is based on security mechanisms provided by low level operating system layers with isolation properties and interfaces to Trusted Computing hardware. These layers allow leveraging enhanced trust and security properties of the platform for standard operating systems, middleware, and applications. The suggested architecture is applicable to a wide range of platform types, e.g. servers, GRID technology, mobile phones and industrial automation. It provides basic building blocks for complex, distributed scenarios with inherent, multilateral trust and security capabilities. Trusted Computing (TC) aims at increasing the security of the core Operating System (OS). This begins at the very lowest level of the platform, with a controlled loading of an operating system and goes on level by level. The procedure is verified after each level by using data integrity measurements. If this is done without errors, we know that we have a correctly loaded OS, in which the functions and different parts of the system (e.g. drivers) can be verified at run time. Project development is based on a hardware root of trust. This is a security hardware module to support the integrity checks mentioned above, as well as the secure storage of keys and other data in a protected chip. This chip is referred to as Trusted Platform Module (TPM) and is the central security kernel. This hardware has been specified by the Trusted Computing Group (TCG) and is commercially available and deployed in a large scale. The project also assumes the availability of secure hardware architecture. This is a platform processor (CPU) and peripherals architecture that removes some well-known security architecture deficits. This includes mechanisms for policing memory access (including DMA, Direct Memory Access) as well as novel features supporting privileged execution and interception. These features are prerequisites for separating sensitive parts of the OS kernel. This will be developed outside the project by AMD and is expected to be available for project use by the time the project begins. We are already able to emulate the hardware function with existing software. Given the existence of the trusted hardware and secure architecture, Open_TC will aim at the following three objectives: production a secure operating system together with the secure operating system development a related protocol software prototype applications. The first two main objectives are targeted as follows Secure and trusted OS Based on novel architectural principles the targeted secure and trusted OS leverages hardware features from the TPM and the security enhanced processor for establishing a trusted and secure system. Current minimal version contains the following features: Universal virtualisation layers Trusted Software Stack (TSS) for Linux TC and TPM management software Software protocols The project targets to develop management infrastructures and software protocols for Trusted Computing in the following areas:

5 Policy management, including distributed policy enforcement Security state monitoring and management Network management Configuration management State-of-the-art extension One approach to define trustworthiness of software components is to digitally sign the binary code of a module. However, the Trusted Computing Group has not defined any procedure of validating the actual trustworthiness of these components. Assuming a process of an open security evaluation, the issue of software trustworthiness might be more easily to be resolved by OSS -based systems. The missing part for a trusted system however is still the operation system and details and interfacing of security enhanced processors (586 class). This project helps to make also OS as well as processors security principles available in a condensed and tested version (complete trusted OS on Linux). Therefore the most needed component to construct trusted platforms and systems is the development or availability of trusted operating systems because this is the point where the work of the TCG ends Software validation and verification It was discussed above that many problems affecting security due to program bugs and design mistakes. To point the challenge Open Trusted Computing project established special work package with only task for software validation and verification (V&V). The aim of this work package is to generate models, methodologies and process organization. Together with this main task this work package exploits and extends available methodologies for risk analyses, software static analyses, security testing scenarios and security metrics methodologies and applications. The members of this work package develop novel and complementary methods and methodologies to cope with the V&V problems in open-source projects. The main challenges lie in the complexity of the targeted application and its novelty with respect to the state of the art V&V techniques. Current results of this task confirmed that even in proven construction implementation bugs, low level of programming discipline and bad working templates can lead to all security flaws enumerated in paragraph CONCLUSION Current e-society requirements for privacy, security, mobility and connectivity insist for new approaches. Virtualization, hardware trusted modules and trustworthiness OSes can make solving these new challenges easier. 6. REFERENCES [1] Goldberg, R.P. (1974) Survey of Virtual Machine Research, Computer, June, [2] Lawton, G. (2007) Powering Down the Computer Infrastructure, Computer, vol. 40, 2, 16-19

6 [3] Uhlig. R. and other (2005) Intel Virtualization Technology, Computer, vol. 38, 5, [4] [5] Kirch. J. (ed.) (2007) Virtual Machine Security Guidelines, [6]