Trusted Virtual Datacenter Radically simplified security management

(1)

Trusted Virtual Datacenter –

Radically simplified security management

Stefan Berger, Ramón Cáceres, Dimitrios Pendarakis,

Reiner Sailer, Ray Valdez

(2)

sailer@us.ibm.com

Security Opportunity Prologue

Significant Challenges

•

Status quo approach to IT and business security is too complex,

is not measurable, will not scale

•

Lack of secure foundation for dynamic enterprise environments

Synergistic Strategy

•

Leverage emerging trusted computing technologies (TCG) and

commoditization of virtualization (Intel / AMD, EMC, Microsoft, IBM)

•

Near-term: stronger guarantees position security as an enabler

(3)

TCG TPM1.2 DRTM Intel LT SENTER AMD SVM SKINIT

Trusted Computing and Virtualization Timeline

2007 2003 2002 2004 2005 2006 MS NGSCB 1.. IBM IMA

for Linux IBMsHype

MS Vista bitlocker NAC IBM vTPM TCG TPM1.1 SRTM

(4)

sailer@us.ibm.com

Virtualization Landscape at a Glance

Application-level (or middleware-level) virtualization

•

E.g., Java Virtual Machine, Softricity (Microsoft SoftGrid),

Thinstall

Operating system-level virtualization

•

E.g., Linux VServers, Solaris Containers / Zones, Virtuozzo

Hypervisor-based virtualization

•

Type 1: VMware ESX, Microsoft Viridian, Xen, PHYP, PR/SM

(5)

Classic Type 1 Hypervisor

Hypervisor

Guest Kernel Guest Kernel Guest Kernel

Application Application Application Application Application Application Application Application Application

Hardware _{CPU and I/O devices}

Virtualizes hardware Virtual Machines

(6)

sailer@us.ibm.com

Virtualization-based Security & Systems Management

Trusted Virtual Data Center (TVDc)

Virtual R e sour ces Phy si cal R e sour ces

Market Analysis Security Underwriting

Centralized IT Security management

TVD: Grouping of VMs and resources that support common objective (customer workloads, etc.)

Abstracting the physical infrastructure (platform independence, scalability)

Policy-driven (consistent security configuration and management)

Distributed Enforcement

Very strong, coarse-grain security

guarantees – cannot be bypassed by VMs

Single data center security policy across different platforms and hypervisors

Containment (viruses, break-ins) & Trust

TVDc TVDc Hypervisor Hypervisor Hypervisor Systems View

(7)

sHype: Enabling Trusted Virtual Datacenters

Xen VMM

(virtualizes

+ isolates)

sHype

(controls

sharing)

TVDc

(manages)

Work

Load

VM

Coalition

Human Resources

– Workload Isolation + Integrity

– Radically Simplified WL-Management

Managed

Services

(8)

sailer@us.ibm.com

Trusted Virtual Datacenter Simplifies Security Management

Systems View

Systems View _{Virtual Domain View}_{Virtual Domain View}

TVDc

Red = Acct. Green = HR. Blue = Dev. Guard-VM

Isolation

Integrity

Trust

(9)

IBM TVDc: Radically Simplified Security Management

Trusted Virtual Data Center Value Proposition

Isolation Management

Integrity Management

Enforces restrictions on

administration and data sharing:

Who manages what: independent admin for Hertz and Avis accounts

What can run together: ensure air-gaps between strongly competing workloads

Workload and data isolation (malware confinement)

Maintains software inventory and acts as an early warning system for anomalies; detect and report:

What is running in each VM

If VMs/Systems are correctly configured

If VMs are up-to-date with patches

Æ TVDc reduces the risk of security exposures

(10)

sailer@us.ibm.com

Secure Hypervisor Architecture (sHype)

Hardware Xen / sHype Linux Application Application MS Windows Application Application Secure Services VM

Attested boot and run-time (TCG/TPM, IMA)

Isolation between partitions

Access control between partitions Secure (isolated) services

e.g. Policy Management

Resource control and metering Auditing, Monitoring, Metering, …

Sailer, Jaeger, Valdez, Cáceres, Perez, Berger, Griffin, van Doorn:

Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st_{ACSAC, 2005.}

Sailer, Jaeger, Valdez, Cáceres, Perez, Berger, Griffin, van Doorn:

(11)

sHype Access Control Architecture (Example: Xen)

Hardware

Xen / sHype ACM

Hypervisor security hooks Callbacks Linux Application Application MS Windows Application Application Secure Services Dom0 (Management) VM Flexible framework:

Supports Multiple Policies

Access Control Module

Implements Policy Model

Hypervisor Security Hooks

9

mediate inter-VM

communication + resource access

9

interact with ACM for

access decision

Implemented for Xen, PHYP,

(12)

sailer@us.ibm.com

1. Centralized Isolation Management

•

Policy authoring and management

Define security labels and anti-collocation rules

Revision-based policy management

•

Labeling Systems, VMs and resources

•

Label-based management

Restrict Admins to manage a set of security labels

Restrict configuration choices based on policy

= Accounting

= Human Resources = Development

(13)

2. Distributed Isolation Enforcement at Run-time

(Secure hypervisor extensions sHype/ACM)

Xen: Integrated into Open-source distribution

PHYP Access Control Module (research prototype)

Xen: Integrated into

Open-source distribution

PHYP Access Control Module

(research prototype)

1. Control Sharing

9

9 a

9

t Anti-Collocation:{ , }

3. Enforce rules for

anti-collocation

2. Control what a

system can run

(14)

TVDc Network Isolation

1. Label VMs + VLANs 2. VMM enforces: VMs

↔

VLANs 3. Hardware VLAN switch enforces: Blades

↔

VLANs 1. Label VMs + VLANs 2. VMM enforces: VMs

↔

VLANs 3. Hardware VLAN switch enforces: Blades

↔

VLANs VM₁ VM VM4 VM5 VMM VMM Blade 1 Blade 2 Network Switch

X

VM₂ VM₃

(15)

Trusted Virtual Domains – Isolation and Trust

Attestation:

mutually verifiable environments

Isolation:

protect against attacks and limit spread of damage

Mediated Communications:

transparent protection, authorization and audit

Authentication:

(16)

sailer@us.ibm.com

vm4 vm5

B

Distributed Trusted Computing Base

Putting Access Control and Integrity Measurement together

Establish trust – enabling collaboration across multiple platforms

•

Are P1 and P2 mutually trusted (TCB)

•

Are policies A and B compatible?

•

Are policies uniformly enforceable?

VM change / compromise Platform P1 Platform P2 vm1 vm2 vm3

A

McCune, Berger, Cáceres, Jaeger, Sailer:

Shamon – A System for Distributed Mandatory Access Control. 22nd _{ACSAC, 2006.}

McCune, Berger, Cáceres, Jaeger, Sailer:

Shamon – A System for Distributed Mandatory Access Control. 22nd _{ACSAC, 2006.}

TCB change / compromise

(17)

Trusted Platform Module (TPM)

Trusted Computing in todayTrusted Computing in today’’s world is largely synonymous with a s world is largely synonymous with a use that involves the Trusted Platform Module (TPM)

use that involves the Trusted Platform Module (TPM)

TPM is a passive storage device that has some interesting TPM is a passive storage device that has some interesting properties:

properties:

•

• You cannot remove data once youYou cannot remove data once you’’ve written it to the TPMve written it to the TPM

•

• You can retrieve an aggregate of the data from the TPM that is sYou can retrieve an aggregate of the data from the TPM that is signed by that igned by that TPMTPM’’ss unique key

unique key

•

• The TPM provides sealed storageThe TPM provides sealed storage

•

• Storage root key protectionStorage root key protection

Winbond

Infineon

Atmel

(18)

sailer@us.ibm.com

Integrity Measurement –

Integrity & Attestation

Provide reliable runtime integrity guarantees

•

Certificates provide identity and secure tunnel

•

But does the remote system currently satisfy security-related requirements?

Leverage Trusted Platform Module (TPM) / Core Root of Trust for Measurement

•

Remotely attest software-stack

•

Detect cheating & compromise (load guarantees)

•

Bind sensitive data to endpoint (certificates etc.)

•

Non-intrusive / negligible overhead

Implemented for Linux in 2003/2004

•

IBM Integrity Measurement Architecture (IMA) Core Root of Trust OS Loader OS Applications 1 3 5 2 4 6 measure execute

Sailer, Zhang, Jaeger, Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. Usenix Security Symposium, August, 2004.

(19)

1. Local integrity verification

Does my system have integrity?

Is it save to log in and use? (Kiosk, Desktop, …)

2. Remote integrity verification

Does their system have integrity?

Is it save to use? (online services,…)

What about its users?

2. How is their system doing? 1. How is my system doing? 3. Use Service

Trusted Computing uses real-time attestation to

establish sufficient facts about a system, such as

software integrity, to interpolate from its past to its

future behavior.

(20)

© 2005 IBM Corporation sailer@us.ibm.com Inferred System SHA1(Boot Process) SHA1(Kernel) SHA1(Kernel Modules) SHA1(Program) SHA1(Libraries) SHA1(Configurations) SHA1(Structured data) …

Measurements Deduce System _Properties

Known Fingerprints Real System Program Kernel Kernel module Config data Boot-Process Data TPM-Signed PCR Integrity Value

(1) Measurement (2) Attestation (3) Verification

Attesting System Verifying System

Analysis

IMA

TCG Grub

(21)

Virtual TPMs Enable VM Integrity Attestation

Hardware Secure Hypervisor

Guest Kernel Guest Kernel

Application Application Application Application Application Application

Core Root of Trust

IMA-enabled OS IMA-enabled OS Application Application IMA-enabled Application Application IMA-enabled Application IMA-enabled Application Measure HW, hypervisor, and critical services Virtual TPMs Policy Manager Support current IMA via vTPMs (flexible, scalable) ACM

(22)

sailer@us.ibm.com

vTPM+IMA: Focus on Solving Real Problems

Configuration Management

Configure server classes

Verify configuration

against software stack

Runs old

patch-level

HELP!

#000: BC55F0AFE013C...E6CFAA2B4D2AB | boot_aggregate (bios + grub stages) #001: A8A865C7203F2...0A2289F7D035B | grub.conf (boot configuration) #002: 1238AD50C652C...87D06A99A22D1 | vmlinuz-2.6.5-bk2-lsmtcg #003: 84ABD2960414C...9364B4E5BDA4F | init (first process)

#004: 9ECF02F90A2EE...5DE4798A1BE3D | ld-2.3.2.so (dynamic linker)

#005: 1238AD50C652C...87D06A99A22D1 | Illegal Config /etc/http.conf #006: 84ABD2960414C...9364B4E5BDA4F | Old HTTP Server 1.1

System A

Problem Management

Automatically detect and

isolate real problems

Direct intelligence towards those real problems

Fix problems efficiently

Verify that problems no

longer exists

#005: 1238AD50C652C...87D06A99A22D1 | Linux Root Kit #006: 84ABD2960414C...9364B4E5BDA4F | Unknown Program

(23)

Research Challenges around TVDc Technologies

Controlled Sharing Between TVDc

• Guard systems

Integrity Measurement Architecture

• Run-time guarantees (extend load-time guarantees)

• Property determination and fingerprint management

Distributed Mandatory Access Control

• Policy composition & change management

Virtual TPM

(24)

sailer@us.ibm.com

Trusted Virtual Data Center

Summary

TVDc is designed to achieve

• simplified security management

• enterprise-level assurance

TVDc creates confined workload domains to enable

• independent trust and security properties

More on our department team page: http://www.research.ibm.com/

secure_systems_department or:

“TVDc – Managing Security in the Trusted Virtual Datacenter” in ACM SIGOPS Operating System Review Special: IBM Research. Vol 42, Issue 1, January 2008. Berger, Cáceres, Pendarakis, Perez, Sailer, Schildhauer, Srinivasan, Valdez.

(25)