Securing Your Cloud with Xen Project s Advanced Security Features

Securing Your Cloud with Xen Project’s Advanced Security Features

Russell Pavlicek, Xen Project Evangelist

CloudOpen North America 2013

Who is the Old, Fat Geek Up Front?

I

Xen Project Evangelist

I

Employed by Citrix, focused entirely on the Xen Project

I

History with Open Source begins in 1997

I

Former columnist with Infoworld, Processor magazines

I

Former panelist on The Linux Show webcast, repeat guest on The Linux Link Tech Show

I

Over 150 pieces published, plus one book on Open Source

development and several blogs

Introduction: Xen Project and Security

I

Xen Project is an enterprise-grade Type I hypervisor

I

Built for the Cloud before it was called the Cloud

I

A number of advanced security features

I

Driver Domains, Stub Domains, FLASK, and more

I

Most of them are not (or cannot) be turned on by default

I

Although they are simple to use, sometimes they can appear

to be complicated

Presentation Goals

I

Introduce you to key Xen Project Security Tools

I

Discuss some key Xen security features

I

Get you started in the right direction toward securing your

Xen installation

Presentation Outline

I

A few thoughts on the problem of securing the Cloud

I

Overview of the Xen architecture

I

Brief introduction to principles of security analysis

I

Consider some attack surfaces and Xen features we can use to mitigate them:

I

Driver Domains

I

PVgrub

I

Stub Domains

I

Paravirtualization (PV) mode vs Hardware Virtualization (HVM) mode

I

FLASK example policy

The Cloud Security Conundrum

I

Security: The 800 pound gorilla of the Cloud world

I

Nothing generates more fear in specific, and FUD in general

I

Probably the single greatest barrier to Cloud adoption

I

Immediately behind it is the inability to get out of a 20th century IT mindset (i.e., ”Change is Bad”)

I

The good news: we don’t need to fear it – we just need to

solve it

Cloud Security: New Visibility to Old Problem

I

Security has always been an issue

I

Putting a truly secure system in the open does not reduce its security, just increases the frequency of attack

I

Unfortunately, system security behind the firewall has not always been comprehensive

I

Having solutions in Clouds forces us to solve the security issues we should have already solved

I

Security through obscurity is no longer sufficient

Security by Design, not by Wishful Thinking

I

Security by Wishful Thinking is Officially Dead

I

Merely hoping that your firewall holds off the marauding hordes is NOT good enough

I

Addressing security in one area while ignoring others is NOT good enough

I

Saying, ”We’ve never had a problem before” is NOT good enough

I

Comprehensive security starts with design

I

It needs to planned and carefully thought through

I

It needs to be implemented at multiple levels

I

It needs components which are themselves securable

Xen Project: Security by Design

I

Xen Project was designed for Clouds before the term ”Cloud”

was coined in the industry

I

Designers foresaw the day of an ”infrastructure for wide-area distributed computing” which we now call ”the Cloud”

I

http://www.cl.cam.ac.uk/research /srg/netos/xeno/publications.html

I

Xen is designed to thwart attacks from many attack vectors,

using different defensive techniques

Xen Architecture: A Basic Picture

Xen Hypervisor Hardware

device model (qemu) toolstack dom 0

Hardware Drivers

I/O Devices CPU Memory

Paravirtualized (PV) Domain

Fully Virtualized

(HVM) Domain netback

blkback

netfront blkfront

Security Overview

I

Threat Models:

I

Attacker can access network

I

Attacker controls one Guest VM

I

Security considerations to evaluate:

I

How much code is accessible?

I

What is the interface like? (e.g., pointers vs scalars)

I

Defense-in-depth

I

Then combine security tactics to secure the installation

I

There is no single ”magic bullet”

I

Individual tactics reduce danger; combined tactics go even

farther

Example System, for our Discussion

I

Hardware setup

I

Two networks: one Control network, one Guest network

I

IOMMU with interrupt remapping (AMD or Intel VT-d v2) to allow for full Hardware Virtualization (HVM)

I

Default configuration

I

Network drivers in the Control Domain (aka ”Domain 0” or just ”Dom0”)

I

Paravirtualized (PV) guests using PyGrub (grub-like boot utility within context of Guest Domain)

I

Hardware Virtualized (HVM) guests using Qemu (as the device

model) running in the Control Domain

Attack surface: Network path

Xen Hypervisor Hardware

toolstack dom 0

NIC Driver

Control NIC

Rogue Domain netback netfront

Guest NIC bridge iptables

Domain

netfront

I

Where might an exploit focus?

I

Bugs in hardware driver

I

Bugs in bridging / filtering

I

Bugs in netback (via the ring protocol)

Attack surface: Network path

Xen Hypervisor Hardware

toolstack dom 0

NIC Driver

Control NIC

Rogue Domain netback netfront

Guest NIC bridge iptables

Domain

netfront

I

What could a successful exploit yield?

I

Control of Domain 0 kernel

I

Pretty much control of the whole system

Security feature: Driver Domains

Xen Hypervisor Hardware

toolstack dom 0

NIC Driver

Control NIC

Rogue Domain netback netfront

Guest NIC

bridge iptables

Domain

netfront

NIC Driver

Driver Domain

I

What is a Driver Domain?

I

Unprivileged VM which drives hardware, provides access to

guests

Security feature: Driver Domains

Xen Hypervisor Hardware

toolstack dom 0

NIC Driver

Control NIC

Rogue Domain netback netfront

Guest NIC

bridge iptables

Domain

netfront

NIC Driver

Driver Domain

I

Now a successful exploit could yield:

I

Control of the Driver Domain (PV hypercall interface)

I

Control of that guest’s network traffic

HowTo: Driver Domains

I

Create a VM with appropriate drivers

I

Use any distribution suitable as a Control Domain

I

Install the Xen-related hotplug scripts

I

Just installing the Xen tools in the VM is usually good enough

I

Give the VM access to the physical NIC with PCI pass-through

I

Configure the network topology in the Driver domain

I

Just like you would for the Control Domain

I

Configure the guest Virtual Network Interface (vif) to use the new domain ID

I

Add backend=domnet to vif declaration

vif = [ ’type=pv, bridge=xenbr0, backend=domnet’ ]

I

http://wiki.xenproject.org/wiki/Driver Domain

Attack surface: PyGrub

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain domain

builder

pygrub

guest disk

I

What is PyGrub?

I

grub implementation for PV guests

I

Python program running in Control Domain

Attack surface: PyGrub

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain domain

builder

pygrub

guest disk

I

Where might an exploit focus?

I

Bugs in file system parser

I

Bugs in menu parser

I

Bugs in domain builder

Attack surface: PyGrub

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain domain

builder

pygrub

guest kernel disk

I

What could a successful exploit yield?

I

Control of Domain 0 user space

I

Pretty much control of the whole system

Security practice: Fixed kernels

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain domain

builder kernel

image

guest disk

I

What is a fixed kernel?

I

Passing a known-good kernel from Control Domain

I

Removes attacker avenue to domain builder

Security practice: Fixed kernels

Xen Hypervisor

toolstack dom 0

Paravirtualized (PV) Domain domain

builder kernel

image

guest disk

I

Disadvantages

I

Host admin must keep up with kernel updates

I

Guest admin can’t pass kernel parameters, custom kernels,

Security feature: PVgrub

Xen Hypervisor

toolstack dom 0

domain builder

guest disk

MiniOS pvgrub

I

What is PVgrub?

I

MiniOS + PV port of grub running in a guest context

I

PV equivalent of HVM “BIOS + grub”

I

Now a successful exploit could yield:

I

Control of the attacked guest domain alone

HowTo: PVgrub

I

Make sure that you have the PVgrub image

I

pvgrub-$ARCH.gz

I

Normally lives in /usr/lib/xen/boot

I

Included in Fedora Xen packages

I

Debian-based: need to build yourself

I

Use appropriate PVgrub as bootloader in guest configuration kernel="/usr/lib/xen/boot/pvgrub-x86_32.gz"

I

http://wiki.xenproject.org/wiki/Pvgrub

Attack surface: Device model (Qemu)

I

Where might an exploit focus?

I

Bugs in NIC emulator parsing packets

I

Bugs in emulation of virtual devices

I

What could a successful exploit yield?

I

Control Domain privileged userspace

I

Pretty much control of the whole system

Security feature: Qemu stub domains

I

What is a stub domain?

I

Stub domain: a small “service” domain running just one application

I

Qemu stub domain: run each Qemu in its own domain

I

What could a successful exploit yield?

I

Control only of the stub domain VM (which, if FLASK is employed, is a relatively small universe)

I

You need to devise another attack entirely to do anything

more significant

HowTo: Qemu stub domains

I

Make sure that you have the PVgrub image:

I

ioemu-$ARCH.gz

I

Normally lives in /usr/lib/xen/boot

I

Included in Fedora Xen packages

I

On Debian (and offshoots), you will need to build it yourself

I

Specify stub domains in your guest config device_model_stubdomain_override = 1

I

http://wiki.xenproject.org/wiki/Device Model Stub Domains

Attack Surface: Xen Hypervisor itself

I

Where might an exploit focus?

I

On Paravirtualized (PV) Guests:

I

PV Hypercalls

I

On full Hardware Virtualized (HVM) Guests:

I

HVM hypercalls (Subset of PV hypercalls)

I

Instruction emulation (MMIO, shadow pagetables)

I

Emulated platform devices: APIC, HPET, PIT

I

Nested virtualization

I

Security practice: Use PV VMs whenever possible

Security feature: FLASK example policy

I

What is FLASK?

I

Xen Security Module (XSM): Xen equivalent of LSM

I

FLASK: Framework for XSM developed by NSA

I

Xen equivalent of SELinux

I

Uses same concepts and tools as SELinux

I

Allows a policy to restrict hypercalls

I

What can FLASK do?

I

Basic: Restricts hypercalls to those needed by a particular guest

I

Advanced: Allows more fine-grained granting of privileges

I

FLASK example policy

I

This contains example roles for the Control Domain (dom0),

User/Guest Domain(domU), stub domains, driver domains,

etc.

HowTo: Use the example FLASK policy

I

Build Xen with XSM enabled

I

Build the example policy

I

Add the appropriate label to guest config files

I

seclabel=[foo]

I

stubdom label=[foo]

I

Make sure you TEST the example policy in your environment BEFORE putting it into production!

I

NOTE: As an example policy, it is not as rigorously tested as other parts of Xen during release, and it may not be suitable as-is if you are doing unusual things

I

http://wiki.xenproject.org/wiki

/Xen Security Modules : XSM-FLASK

ARM: Right solution for security

I

Stays in ARM Hypervisor Mode

I

The ARM architecture has separate Hypervisor and Kernel modes

I

Because Xen’s architecture maps so well to the ARM architecture, Xen never has to use Kernel mode

I

Other hypervisors have to flip back and forth between modes

I

If a hypervisor has to enter Kernel mode, it loses the security of running in a privileged mode, isolated from the rest of the system

I

This is a non-issue with the Xen Hypervisor on ARM

I

Does not need to use device emulation

I

No emulation means a smaller attack surface for bad guys

For More Information...

Details at http://wiki.xenproject.org/wiki/Securing Xen Thanks to George Dunlap for supplying much of the information

presented here, and Stefano Stabellini for ARM information Check out our blog: http://blog.xenproject.org/

Contact me at [email protected]

——————————–

Thank You!