IBM T. J. Watson Research Center
Trusted Virtual Datacenter
Radically simplified security management
Stefan Berger, Ramón Cáceres, Dimitrios Pendarakis, Reiner Sailer, Ray Valdez
Secure Systems Department, T.J. Watson Research Center
2007 IBM Corporation

Security Opportunity
Prologue
Significant Challenges
- Status quo approach to IT and business security is too complex, is not measurable, will not scale
- Lack of secure foundation for dynamic enterprise environments
Synergistic Strategy
- Leverage emerging trusted computing technologies (TCG) and commoditization of virtualization (Intel / AMD, EMC, Microsoft, IBM)
- Near-term: stronger guarantees position security as an enabler
- Longer-term: radically simplified IT security management
2005 IBM Corporation

Trusted Computing and Virtualization Timeline
[Figure: timeline, 2002 to 2007. Entries: IBM IMA for Linux, MS NGSCB 1.., IBM sHype, IBM vTPM, NAC, MS Vista BitLocker, TCG TPM1.1, SRTM, TCG TPM1.2, DRTM, AMD SVM SKINIT, Intel LT SENTER]

Virtualization Landscape at a Glance
- -level (or middleware-level) virtualization. E.g., Java Virtual Machine, Softricity (Microsoft SoftGrid), Thinstall
- Operating system-level virtualization. E.g., Linux VServers, Solaris Containers / Zones, Virtuozzo
- Hypervisor-based virtualization
  - Type 1: VMware ESX, Microsoft Viridian, Xen, PHYP, PR/SM
  - Type 2: VMware Workstation, Microsoft Virtual PC, KVM

Classic Type 1 Hypervisor
[Figure: layered stack. Virtual Machines (Guest Kernel, Guest Kernel, Guest Kernel), Hypervisor, Hardware]
- Virtualizes hardware: CPU and I/O devices

Virtualization-based Security & Systems Management
[Figure: Systems View and TVDc View. Labels: Virtual Resources, Physical Resources, Trusted Virtual Data Center (TVDc), Market Analysis Security Underwriting, Hypervisor, Hypervisor, Hypervisor, TVDc]
Centralized IT Security management
- TVD: Grouping of VMs and resources that support common objective (customer workloads, etc.)
- Abstracting the physical infrastructure (platform independence, scalability)
- Policy-driven (consistent security configuration and management)
Distributed Enforcement
- Very strong, coarse-grain security guarantees cannot be bypassed by VMs
- Single data center security policy across different platforms and hypervisors
- Containment (viruses, break-ins) & Trust

sHype: Enabling Trusted Virtual Datacenters
[Figure: layered diagram. Labels: TVDc (manages), Workload Isolation + Integrity, Radically Simplified WL-Management, Managed Services, sHype (controls sharing), Human Coalition Resources Payroll Work Load, Xen VMM (virtualizes + isolates), VM]

Trusted Virtual Datacenter Simplifies Security Management
[Figure: Systems View and Virtual Domain View. Labels: Guard-VM, TVDc. Legend: Red = Acct., Green = HR, Blue = Dev.]
Trust, Isolation, Integrity

Trusted Virtual Data Center Value Proposition
IBM TVDc: Radically Simplified Security Management
Isolation Management
- Enforces restrictions on administration and data sharing:
  - Who manages what: independent admin for Hertz and Avis accounts
  - What can run together: ensure air-gaps between strongly competing workloads
  - Workload and data isolation (malware confinement)
Integrity Management
- Maintains software inventory and acts as an early warning system for anomalies; detect and report:
  - What is running in each VM
  - If VMs/Systems are correctly configured
  - If VMs are up-to-date with patches
TVDc reduces the risk of security exposures
TVDc enables consistent, policy-driven enforcement

Secure Hypervisor Architecture (sHype)
[Figure: layered stack. Labels: VM; Auditing, Monitoring, Metering,; Linux; MS Windows; Secure Services; Xen / sHype; Hardware]
- Secure (isolated) services, e.g. Policy Management
- Resource control and metering
- Access control between partitions
- Isolation between partitions
- Attested boot and run-time (TCG/TPM, IMA)
Sailer, Jaeger, Valdez, Cáceres, Perez, Berger, Griffin, van Doorn: Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st ACSAC, 2005.

sHype Access Control Architecture (Example: Xen)
[Figure: layered stack. Labels: VM, Linux, MS Windows, Dom0 Secure (Management) Services, ACM, Callbacks, Hypervisor security hooks, Xen / sHype, Hardware]
Flexible framework: Supports Multiple Policies
Access Control Module
- Implements Policy Model
Hypervisor Security Hooks
- mediate inter-VM communication + resource access
- interact with ACM for access decision
Implemented for Xen, PHYP, rHype in various stages

1. Centralized Isolation Management
Policy authoring and management
- Define security labels and anti-collocation rules
- Revision-based policy management
= Accounting = Human Resources = Development
Anti-Collocation:{, },...
Labeling Systems, VMs and resources
Label-based management
- Restrict Admins to manage a set of security labels
- Restrict configuration choices based on policy

2. Distributed Isolation Enforcement at Run-time
(Secure hypervisor extensions sHype/ACM)
1. Control Sharing
2. Control what a system can run
3. Enforce rules for anti-collocation
Anti-Collocation:{, }
Xen: Integrated into Open-source distribution
PHYP: Access Control Module (research prototype)

TVDc Network Isolation
[Figure: Blade 1 and Blade 2, each with a VMM hosting VMs (VM 1 to VM 5) attached to Virtual LAN 1 and Virtual LAN 2, connected through a Network Switch]
1. Label VMs + VLANs
2. VMM enforces: VMs VLANs
3. Hardware VLAN switch enforces: Blades VLANs
TVDc: Managing Security in the Trusted Virtual Datacenter, in ACM SIGOPS Operating System Review Special: IBM Research. Vol 42, Issue 1, January 2008. Berger, Cáceres, Pendarakis, Perez, Sailer, Schildhauer, Srinivasan, Valdez.

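The three run-time checks listed on the isolation slides (what a system can run, anti-collocation, and label-matched sharing with resources such as VLANs) can be sketched as a small decision function. This is an added example, not sHype or Xen code: the `Hypervisor` class, the one-label-per-VM simplification, the label names and the conflict set are all assumptions made for illustration.

```python
# Constructed policy: label names follow the slide's workload types; the
# conflict set is a hypothetical anti-collocation rule.
ANTI_COLLOCATION = [{"Accounting", "Development"}]


class Hypervisor:
    """Toy stand-in for one system's access control module (ACM)."""

    def __init__(self, name, allowed_labels):
        self.name = name
        self.allowed = set(allowed_labels)  # labels this system may run
        self.running = {}                   # VM name -> security label

    def can_start(self, label):
        """Decide whether a VM carrying this label may start here."""
        if label not in self.allowed:
            return False, "label not permitted on this system"
        active = set(self.running.values())
        for conflict in ANTI_COLLOCATION:
            clash = (conflict - {label}) & active
            if label in conflict and clash:
                return False, "anti-collocation with " + sorted(clash)[0]
        return True, "ok"

    def start(self, vm, label):
        allowed, reason = self.can_start(label)
        if allowed:
            self.running[vm] = label
        return allowed, reason

    def can_share(self, vm, resource_label):
        """A running VM may use a resource (VLAN, disk) only if labels match."""
        return vm in self.running and self.running[vm] == resource_label


def demo():
    blade = Hypervisor("blade1", {"Accounting", "HumanResources", "Development"})
    decisions = [blade.start("vm1", "Accounting"),
                 blade.start("vm2", "HumanResources"),
                 blade.start("vm3", "Development"),   # conflicts with vm1
                 blade.start("vm4", "Payroll")]       # label not allowed
    return blade, decisions


if __name__ == "__main__":
    blade, decisions = demo()
    print(decisions)
    print(blade.can_share("vm1", "Accounting"), blade.can_share("vm2", "Accounting"))
```
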
Trusted Virtual Domains
Isolation and Trust
- Authentication: systems and workloads
- Attestation: mutually verifiable environments
- Mediated Communications: transparent protection, authorization and audit
- Isolation: protect against attacks and limit spread of damage

Distributed Trusted Computing Base
Putting Access Control and Integrity Measurement together
Establish trust enabling collaboration across multiple platforms
- Are P1 and P2 mutually trusted (TCB)?
- Are policies A and B compatible?
- Are policies uniformly enforceable?
[Figure: Platform P1 and Platform P2 hosting vm1 to vm5 under policies A and B; annotations: VM change / compromise, TCB change / compromise]
McCune, Berger, Cáceres, Jaeger, Sailer: Shamon: A System for Distributed Mandatory Access Control. 22nd ACSAC, 2006.
sailer@us.ibm.com, 11/7/2007

Trusted Platform Module (TPM)
Winbond, Infineon, Atmel
- Trusted Computing in today's world is largely synonymous with a use that involves the Trusted Platform Module (TPM)
- TPM is a passive storage device that has some interesting properties:
  - You cannot remove data once you've written it to the TPM
  - You can retrieve an aggregate of the data from the TPM that is signed by that TPM's unique key
  - The TPM provides sealed storage
  - Storage root key protection

Integrity Measurement
Integrity & Attestation
Provide reliable runtime integrity guarantees
- Certificates provide identity and secure tunnel
- But does the remote system currently satisfy security-related requirements?
Leverage Trusted Platform Module (TPM) / Core Root of Trust for Measurement
- Remotely attest software-stack
- Detect cheating & compromise (load guarantees)
- Bind sensitive data to endpoint (certificates etc.)
- Non-intrusive / negligible overhead
- Implemented for Linux in 2003/2004: IBM Integrity Measurement Architecture (IMA)
[Figure: measure / execute chain, steps 1 to 6, across Core Root of Trust, OS Loader, OS]
Sailer, Zhang, Jaeger, Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. Usenix Security Symposium, August, 2004.

Trusted Computing uses real-time attestation to establish sufficient facts about a system, such as software integrity, to interpolate from its past to its future behavior.
1. Local integrity verification
- Does my system have integrity?
- Is it safe to log in and use? (Kiosk, Desktop, ...)
2. Remote integrity verification
- Does their system have integrity?
- Is it safe to use? (online services, ...)
- What about its users?
[Figure: 1. How is my system doing? 2. How is their system doing? 3. Use Service]

Integrity Measurement Architecture (IMA)
[Figure: three stages, (1) Measurement, (2) Attestation, (3) Verification]
Attesting System (labels: Data, Config data, Boot-Process, TCG Grub, Kernel, Real System, Program..., IMA Kernel module)
Measurements: SHA1(Boot Process), SHA1(Kernel), SHA1(Kernel Modules), SHA1(Program), SHA1(Libraries), SHA1(Configurations), SHA1(Structured data), TPM-Signed PCR Integrity Value
Verifying System: Analysis, Known Fingerprints, Inferred System; Deduce System Properties

Virtual TPMs Enable VM Integrity Attestation
[Figure: IMA-enabled Guest Kernel / OS instances and a Policy Manager above the Secure Hypervisor (ACM) and Hardware with the Core Root of Trust]
- Virtual TPMs: Support current IMA via vTPMs (flexible, scalable)
- Measure HW, hypervisor, and critical services
Berger, Cáceres, Goldman, Perez, Sailer, van Doorn: vTPM: Virtualizing the Trusted Platform Module. 15th USENIX Security Symposium, July 2006.

vTPM+IMA: Focus on Solving Real Problems
Configuration Management
- Configure server classes
- Verify configuration against software stack
Problem Management
- Automatically detect and isolate real problems
- Direct intelligence towards those real problems
- Fix problems efficiently
- Verify that problems no longer exist
System B, System A
HELP!
#000: BC55F0AFE013C...E6CFAA2B4D2AB boot_aggregate (bios + grub stages)
#001: A8A865C7203F2...0A2289F7D035B grub.conf (boot configuration)
#002: 1238AD50C652C...87D06A99A22D1 vmlinuz-2.6.5-bk2-lsmtcg
#003: 84ABD2960414C...9364B4E5BDA4F init (first process)
#004: 9ECF02F90A2EE...5DE4798A1BE3D ld-2.3.2.so (dynamic linker)
#005: 1238AD50C652C...87D06A99A22D1 Linux Root Kit
#006: 84ABD2960414C...9364B4E5BDA4F Unknown Program
Runs old patch-level
#000: BC55F0AFE013C...E6CFAA2B4D2AB boot_aggregate (bios + grub stages)
#001: A8A865C7203F2...0A2289F7D035B grub.conf (boot configuration)
#002: 1238AD50C652C...87D06A99A22D1 vmlinuz-2.6.5-bk2-lsmtcg
#003: 84ABD2960414C...9364B4E5BDA4F init (first process)
#004: 9ECF02F90A2EE...5DE4798A1BE3D ld-2.3.2.so (dynamic linker)
#005: 1238AD50C652C...87D06A99A22D1 Illegal Config /etc/http.conf
#006: 84ABD2960414C...9364B4E5BDA4F Old HTTP Server 1.1

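The measurement, attestation and verification steps of the IMA slide, applied to a measurement list like the ones above, look as follows on the verifier side. This is an added example, not IMA source code: it is simplified to a single PCR, the function names are hypothetical, and the sample digests are constructed from made-up file contents rather than taken from the slide.

```python
import hashlib

PCR_INIT = bytes(20)  # a TPM 1.2 PCR starts out as 20 zero bytes


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def replay(measurements):
    """Recompute the PCR aggregate: PCR = SHA1(PCR || measurement) per entry."""
    pcr = PCR_INIT
    for digest, _name in measurements:
        pcr = sha1(pcr + digest)
    return pcr


def verify(measurements, quoted_pcr, known_good, known_bad):
    """Return (list_is_intact, findings) for one attested system.
    Assumption: quoted_pcr comes from a TPM quote whose signature and nonce
    were already checked; that step is not shown here.
    """
    if replay(measurements) != quoted_pcr:
        return False, ["measurement list does not match the quoted PCR"]
    findings = []
    for index, (digest, name) in enumerate(measurements):
        if digest in known_bad:
            findings.append(f"#{index:03d} {name}: {known_bad[digest]}")
        elif digest not in known_good:
            findings.append(f"#{index:03d} {name}: unknown fingerprint")
    return True, findings


# Constructed sample data: file names echo the slide, contents are made up.
BOOT = [(sha1(b"bios + grub stages"), "boot_aggregate"),
        (sha1(b"grub.conf contents"), "grub.conf"),
        (sha1(b"kernel image"), "vmlinuz"),
        (sha1(b"init binary"), "init")]
KNOWN_GOOD = {digest for digest, _name in BOOT}
KNOWN_BAD = {sha1(b"rootkit module"): "known rootkit"}
ATTESTED = BOOT + [(sha1(b"rootkit module"), "module.o"),
                   (sha1(b"never seen before"), "a.out")]
QUOTED_PCR = replay(ATTESTED)  # stands in for the TPM-signed PCR value

if __name__ == "__main__":
    print(verify(ATTESTED, QUOTED_PCR, KNOWN_GOOD, KNOWN_BAD))
    # Hiding the rootkit entry changes the replayed aggregate, so it is caught.
    hidden = ATTESTED[:4] + ATTESTED[5:]
    print(verify(hidden, QUOTED_PCR, KNOWN_GOOD, KNOWN_BAD))
```
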
Research Challenges around TVDc Technologies
Controlled Sharing Between TVDc
- Guard systems
Integrity Measurement Architecture
- Run-time guarantees (extend load-time guarantees)
- Property determination and fingerprint management
Distributed Mandatory Access Control
- Policy composition & change management
Virtual TPM
- Safely migrate/save/restore the virtual root of trust

Trusted Virtual Data Center Summary
TVDc is designed to achieve
- simplified security management
- enterprise-level assurance
TVDc creates confined workload domains to enable independent trust and security properties
More on our department team page: http://www.research.ibm.com/secure_systems_department
or: TVDc: Managing Security in the Trusted Virtual Datacenter, in ACM SIGOPS Operating System Review Special: IBM Research. Vol 42, Issue 1, January 2008. Berger, Cáceres, Pendarakis, Perez, Sailer, Schildhauer, Srinivasan, Valdez.

Resources
TVDc building blocks freely available:
Integrity Measurement Architecture (IMA)
- Source code: http://sourceforge.net/projects/linux-ima
- Project page: http://domino.research.ibm.com/comm/research_people.nsf/pages/sailer.ima.html
Virtual Trusted Platform Module (vTPM)
- Source code in Xen: http://www.xensource.com/xen
- Project page: http://www.research.ibm.com/ssd_vtpm
sHype Access Control Architecture
- Source code in Xen: http://www.xensource.com/xen
- Xen User Guide: http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user
- Project page: http://www.research.ibm.com/ssd_shype