Problem statement Contributions Perspectives Detection of virtual machine monitor corruptions ıt Morgan , Eric Alata, Vincent Nicomette Benoˆ LAAS-CNRS - Dependable Computing and Fault Tolerance (TSF) Team Journ´ ee SEC 2 - June 30th, 2015 Detection of virtual machine monitor corruptions 1 / 13
Problem statement Contributions Perspectives Outline Problem statement 1 Contributions 2 Perspectives 3 Detection of virtual machine monitor corruptions 2 / 13
Problem statement Contributions Perspectives Context Project SVC – Secured Virtual Cloud Project Investissement d’Avenir Itrust , Bull , Eneed , Secludit , Eurogiciel , Val Informatique , Blue Mind , LAAS-CNRS , IRIT Project Coordinator : Bull LAAS Contributions – 3 PhDs, 2 focusing on security Evaluation of intrusion detection mechanisms in clouds Detection of virtual machine monitor corruptions Detection of virtual machine monitor corruptions 3 / 13
Problem statement Contributions Perspectives Virtual machine monitors VM Launch VM 1 VM 2 VM exit VM exit Hypervisor Hardware Guest software Transitions Privileged software Hardware Privileged entity Ensures space and time isolation between virtual machines Control model similar to operating system control over userland applications Detection of virtual machine monitor corruptions 4 / 13
Problem statement Contributions Perspectives Motivations More and more complex VMM Xen, KVM, VMware ESXi Peripherals virtualisation Mass storage virtualisation Remote administration Vulnerabilities regularly discovered Large attack surface Necessity to detect the compromission of the hypervisor Detection of virtual machine monitor corruptions 5 / 13
Problem statement Trusted architecture Contributions Experimentation Perspectives Outline Problem statement 1 Contributions 2 Trusted architecture Experimentation Perspectives 3 Detection of virtual machine monitor corruptions 6 / 13
Problem statement Trusted architecture Contributions Experimentation Perspectives Trusted architecture proposed A tiny security hypervisor ( l 1 ) in charge of detecting corruption of virtualised hypervisor ( l 2 ) VM1 l2 VM2 l2 VM3 l2 Hypervisor l 2 VM l1 Security hypervisor l 1 Hardware BUT, the security hypervisor ( l 1 ) may be also attacked and compromised Hardware bugs Malicious peripherals Necessity to control the integrity of the security hypervisor itself through a trusted autonomous hardware component Detection of virtual machine monitor corruptions 7 / 13
Problem statement Trusted architecture Contributions Experimentation Perspectives An execution enclave of integrity checks Guarded Software Component Security Hypervisor Checks Hardware Trusted Hardware Component Integrity Challenge and checks environment checks 1 The integrity of the security hypervisor is regularly checked by the trusted hardware component through 1) challenges and 2) environment checks 2 The integrity of the guarded software component is checked by the security hypervisor 3 Alarms are raised when challenges or integrity checks fail Detection of virtual machine monitor corruptions 8 / 13
Problem statement Trusted architecture Contributions Experimentation Perspectives Prototype PC with Intel processor (VT-x, VT-d), PCI Express bus Trusted hardware component based on FPGA technology Bare metal security hypervisor using nested virtualisation technology Experimentation with Linux and a corrupted driver in the kernel as the Guarded Software Component Publications : SSTIC 2014[2] Detection of virtual machine monitor corruptions 9 / 13
Problem statement Contributions Perspectives Outline Problem statement 1 Contributions 2 Perspectives 3 Detection of virtual machine monitor corruptions 10 / 13
Problem statement Contributions Perspectives Perspectives Current virtualisation of KVM ou VMware ESXi Improving the challenges and environment checks First prototype of recursive hypervisor (allowing to implement several security mechanisms at different privilege levels) Publications : SSTIC 2015[3] Detection of virtual machine monitor corruptions 11 / 13
Problem statement Contributions Perspectives Detection of virtual machine monitor corruptions ıt Morgan , Eric Alata, Vincent Nicomette Benoˆ LAAS-CNRS - Dependable Computing and Fault Tolerance (TSF) Team Journ´ ee SEC 2 - June 30th, 2015 Detection of virtual machine monitor corruptions 12 / 13
Problem statement Contributions Perspectives R´ ef´ erences [1] http://sarssi2013.univ-pau.fr/index.php/programme [2] https://www.sstic.org/2014/presentation/tests_ dintegrite_dhyperviseurs/ [3] https://www.sstic.org/2015/presentation/abyme__un_ voyage_au_coeur_des_hyperviseurs_recursifs/ D´ emo 1 : https://youtu.be/Nax0SHUx9GQ D´ emo 2 : https://youtu.be/1yz_ZUA2KGM Detection of virtual machine monitor corruptions 13 / 13
Recommend
More recommend