xen security modules xsm
play

Xen Security Modules (XSM) George Coker National Information - PowerPoint PPT Presentation

Mar 25, 2023 •12 likes •342 views

Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National Security Agency (NSA) gscoker@alpha.ncsc.mil National Information Assurance Research Lab 1 UNCLASSIFIED What is XSM? A generalized

  1. Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National Security Agency (NSA) gscoker@alpha.ncsc.mil ■ National Information Assurance Research Lab ■ 1 UNCLASSIFIED

  2. What is XSM? ● A generalized security framework for Xen – Allows custom security functionality in modules – Creates general security interfaces for Xen – Removes security model specific code from Xen ■ National Information Assurance Research Lab ■ 2 UNCLASSIFIED

  3. Framework Interface Goals ● Capable of supporting known security models – hard to be "complete" ● Minimize impact on Xen ● Config enable/disable for Xen ■ National Information Assurance Research Lab ■ 3 UNCLASSIFIED

  4. Rational for XSM ● New usage models for Xen have different security goals ● Shouldn't “hardwire” security model – Xen should be capable of supporting many through configuration ● New security functionality without changes to Xen mechanisms ■ National Information Assurance Research Lab ■ 4 UNCLASSIFIED

  5. New Usage Models ● Decomposed dom0 – Removal of all-powerful dom0? ● Least privilege for each domain – e.g. separation of platform/hardware config and domain building privileges ● Security module could be created to define these new privileges? ■ National Information Assurance Research Lab ■ 5 UNCLASSIFIED

  6. New Usage Models (cont.) ● Resource partitions – How are resources partitioned and controlled? ● Ability to allow certain domains to control resource allocations – e.g. multiple domain builders ● Security module could be defined to control allocations? ■ National Information Assurance Research Lab ■ 6 UNCLASSIFIED

  7. New Usage Models (cont.) ● Protection of the platform from third party software – How are resources partitioned and controlled? ● e.g. device driver isolation ● e.g. sandboxing – Security module could be defined to mediate accesses across domains ■ National Information Assurance Research Lab ■ 7 UNCLASSIFIED

  8. New Usage Models (cont.) ● Protection for core platform security services – How to safely create platform wide services? ● e.g. media encryption ● e.g. IP-filtering/routing ● e.g. measurement & attestation – Security module could be defined to isolate, mediate access to, and guarantee invocation of services ■ National Information Assurance Research Lab ■ 8 UNCLASSIFIED

  9. XSM Security Benefits ● Encapsulation of security functionality – A well-defined security architecture is required for a well-defined TCB ● common criteria ● Extensible security functionality – e.g. trusted IVC ● security modules can enable security identification of communications channels or peers without changing the implementation of existing channel mechanisms (grants and events) ■ National Information Assurance Research Lab ■ 9 UNCLASSIFIED

  10. XSM Implementation ● Derived from Linux Security Modules (LSM) – Linux 2.6.13.4 ● Security function infrastructure – Derived from ACM – New security functionality ● Security module – Implements security hooks – Specific to a security model ■ National Information Assurance Research Lab ■ 10 UNCLASSIFIED

  11. XSM Today ● 57 hooks to date – 60% complete (estimate) – Target privileged hypercalls (initially) – Comprehensive hook placement ● attempts to anticipate new modules ■ National Information Assurance Research Lab ■ 11 UNCLASSIFIED

  12. XSM Specifics ● Early initialization – Prior to idle domain creation ● Early allocation/late deallocation of domain security structures – domain_create – domain_destroy ■ National Information Assurance Research Lab ■ 12 UNCLASSIFIED

  13. XSM Specifics (cont.) ● No excepted event channels – evtchn_init – evtchn_bind_interdomain ● Will not support stacking – Security module behavior cannot be predicted under stacking and may violate the goals of the security module while meeting few or none of the goals of the user – Stacking should be a property of the security module. ■ National Information Assurance Research Lab ■ 13 UNCLASSIFIED

  14. XSM Modules ● Registered and linked in at boot ● Modules may register a security hypercall ● Modules may register a policy magic number to identify and load a policy from boot ■ National Information Assurance Research Lab ■ 14 UNCLASSIFIED

  15. Existing XSM Modules ● Dummy (XSM default) ● ACM/sHype (IBM) ● Flask (NSA) ■ National Information Assurance Research Lab ■ 15 UNCLASSIFIED

  16. XSM Hooks ● What are the hooks doing? – Interpose on code path – Allocation/setting of security structures – Platform security initialization ■ National Information Assurance Research Lab ■ 16 UNCLASSIFIED

  17. Hook Placement Philosophy ● Positioned at key locations – Identified by analysis ● Availability of security relevant objects ● Safety of hook location in code path ● General benefit to security ● Comprehensive placement – Localized in code path ● Balance between hook placement and maintenance ■ National Information Assurance Research Lab ■ 17 UNCLASSIFIED

  18. Hook Placement Philosophy (cont.) – Minimize impact to Xen code paths ● Leverage existing exit/error paths wherever possible – Rely on calling function to hold references to objects ● Safer for Xen if security modules do not hold references to Xen objects ■ National Information Assurance Research Lab ■ 18 UNCLASSIFIED

  19. Current Hook Locations ● dom0_ops.c ● domain.c ● grant_table.c ● event_channel.c ● setup.c ● mm.c ■ National Information Assurance Research Lab ■ 19 UNCLASSIFIED

  20. First Class Security Objects ● Generic security pointers on Xen first class objects – e.g. struct domain & struct evtchn – Allocation/access via hook functions ● Only if required by module ● Modules may hold security labels on other platform resources that Xen does not manage – e.g. physical interrupts ■ National Information Assurance Research Lab ■ 20 UNCLASSIFIED

  21. Performance ● Are more checks more expensive? – Small constant XSM overhead per hook – Premise "basic" call/return is a minimal overhead – Extra overhead for hooks is module specific ● Presently no "observed" degradation – Further investigation required ■ National Information Assurance Research Lab ■ 21 UNCLASSIFIED

  22. ACM Module ● How will it affect sHype/ACM ? – sHype/ACM will plug into XSM hooks – Changes are transparent to sHype management / use – sHype/ACM will support a single policy (CHWALL/STE) ■ National Information Assurance Research Lab ■ 22 UNCLASSIFIED

  23. ACM Module Implementation ● Little modification required to turn into XSM module – modifications in Xen code only! – no change to user-space tool chain ● TODO: Nativization cleanups – Better use of hook references – Remove refactored functionality ■ National Information Assurance Research Lab ■ 23 UNCLASSIFIED

  24. Flask Module ● Xen nativization of Flask security code – Linux 2.6.13.4 ● Capabilities – RBAC/TE – MLS/MCS ● Security server optimized for small memory footprint – Memory footprint comes from number of types, not number of permissions or hooks used ■ National Information Assurance Research Lab ■ 24 UNCLASSIFIED

  25. Flask Policy ● Uses existing SELinux policy language – Common policy generation and analysis toolchain ● Xen policy is less complex than Linux – Fewer security controls ■ National Information Assurance Research Lab ■ 25 UNCLASSIFIED

  26. How does Flask use XSM? ● Event Channels – Fine-grain allocation of physical interrupts (example) ● Grant Tables – Fine-grain sharing between domains (example) ● Dom0 Operations – Fine-grain allocation of io resources (example) ● MMU – Fine-grain control of foreign mappings (example) ■ National Information Assurance Research Lab ■ 26 UNCLASSIFIED

  27. Event Channels (example) static int flask_evtchn_pirq(struct domain *d, struct evtchn *chn, int pirq) { u32 newsid; rc = avc_has_perm(newsid, psid, SECCLASS_EVENT, u32 psid; EVENT__BIND, NULL); int rc; if (rc) struct domain_security_struct *dsec; return rc; struct evtchn_security_struct *esec; esec->sid = newsid; dsec = d->ssid; esec = chn->ssid; return rc; } rc = security_pirq_sid(pirq, &psid); if (rc) return rc; rc = security_transition_sid(dsec->sid, psid, SECCLASS_EVENT, &newsid); if (rc) { printk("%s: security_transition_sid failed, rc=%d (pirq=%d)\n", __FUNCTION__, -rc, pirq); return rc; } rc = avc_has_perm(dsec->sid, newsid, SECCLASS_EVENT, EVENT__CREATE, NULL); if (rc) return rc; ■ National Information Assurance Research Lab ■ 27 UNCLASSIFIED

  28. Grant Tables (example) static int flask_grant_mapref(struct domain *d1, struct domain *d2, uint32_t flags) { u32 perms = GRANT__MAP_READ; if (flags & GTF_writing) perms |= GRANT__MAP_WRITE; return domain_has_perm(d1, d2, SECCLASS_GRANT, perms); } ■ National Information Assurance Research Lab ■ 28 UNCLASSIFIED

Recommend

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer

Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer

Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/~mgk25/ Applications of Tamper Resistant Modules Security of cryptographic applications is based on secure

564 views • 23 slides
Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014

Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014

Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014 richard.lamb@icann.org Hardware Security Modules Cool but what are you protecting? This works fine in many cases ..but this may be the real problem No

255 views • 12 slides
Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules > Global Architecture > Collection & Storage > Correlation > SOC Modules R Box R Box reaction and reporting + A Box K Box A Box

673 views • 13 slides
Hardware Security Modules What they are and why it's likely that you've (indirectly) used one

Hardware Security Modules What they are and why it's likely that you've (indirectly) used one

Hardware Security Modules What they are and why it's likely that you've (indirectly) used one today Insert Your Name Insert Your Title Insert Date RWC 2015 Paul Hampton 8 th January 2015 What Am I Going to Talk About? What Is A Where Will

746 views • 30 slides
Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi Talbi Security researcher at Stormshield haka-security project. Past life: academia (phd, postdoc, ) Main research topics: advanced

1.61k views • 94 slides
The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection

The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection

The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection Man-Ki Yoon, Mihai Christodorescu, Lui Sha, Sibin Mohan University of Illinois at Urbana-Champaign Qualcomm Research Silicon Valley June 6, 2016

928 views • 46 slides
http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules

http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules

Design Principles for Tamper-Resistant Smartcard Processors Oliver Kmmerling Markus G. Kuhn ADSR Computer Laboratory http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules Microprobing Open the

465 views • 22 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
Modern Systems: Security October 8, 2012 Background: Trusted Platform Modules What is a TPM?

Modern Systems: Security October 8, 2012 Background: Trusted Platform Modules What is a TPM?

Modern Systems: Security October 8, 2012 Background: Trusted Platform Modules What is a TPM? 16 Platform Configuration Registers (PCRs) Random Number Generator (RNG) Endorsement Key (EK) burned in hardware What can it do?

575 views • 33 slides
How does LuK come to life? LuK consists of a collection of modules you only link in the modules

How does LuK come to life? LuK consists of a collection of modules you only link in the modules

slide 1 gaius How does LuK come to life? LuK consists of a collection of modules you only link in the modules actually required the mixture of the modules required for the lab exercises may be different each lab exercise has a file: init

492 views • 24 slides
Modules Modules A module is a collection of functions that we can use to do more powerful things

Modules Modules A module is a collection of functions that we can use to do more powerful things

Modules Modules A module is a collection of functions that we can use to do more powerful things with our Python programs. Lots of modules exist, written by other developers. You can use a module without needing to understand what it is doing

165 views • 14 slides
Trusted Platform Modules and Hardware-based Security Andreas Nilsson Masters Student at Nada,

Trusted Platform Modules and Hardware-based Security Andreas Nilsson Masters Student at Nada,

Trusted Platform Modules and Hardware-based Security Andreas Nilsson Masters Student at Nada, KTH Pointsec Mobile Technologies TPM Introduction Microcontroller affixed to the motherboard. Cryptographic functions like key storage

834 views • 35 slides
1 Some overlap with all modules particularly modules 3, 6 and 7. LDF/plan making evidence

1 Some overlap with all modules particularly modules 3, 6 and 7. LDF/plan making evidence

1 Some overlap with all modules particularly modules 3, 6 and 7. LDF/plan making evidence base and Implementation of the Yorkshire and Humber renewable and Low Carbon Energy Study, 2011 Introduction to climate change policy and context

1.04k views • 77 slides
Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James

Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James

Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201 AGENDA > Background on OSGi > Security per OSGI spec > Security beyond OSGI spec Background on OSGi > Why use

950 views • 56 slides
Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio

Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio

Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio 1 1 Universit` a Ca Foscari di Venezia, Italy { focardi,luccio } @dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work

1.25k views • 69 slides
FRP IoT Modules as a Scala DSL BenCalus, BobReynders , DominiqueDevriese, Job Noorman,

FRP IoT Modules as a Scala DSL BenCalus, BobReynders , DominiqueDevriese, Job Noorman,

FRP IoT Modules as a Scala DSL BenCalus, BobReynders , DominiqueDevriese, Job Noorman, FrankPiessens imec - DistriNet - KU Leuven FRP IoT Modules Maintainable sensor network applications High-level FRP-based API FRP-modules compile

865 views • 53 slides
How does the come to life? the consists of a collection of Modula-2 modules the modules required

How does the come to life? the consists of a collection of Modula-2 modules the modules required

slide 1 gaius How does the come to life? the consists of a collection of Modula-2 modules the modules required for laboratory 1, 2 and 3 are different when you compile using make the makefile is analyzed and a module dependency list is created

653 views • 6 slides
Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen

Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen

Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen john.johansen@canonical.com www.canonical.com February 2019 1 LSM Infrastructure Responsibilities LSM Provides Infrastructure Which LSMs are enabled

609 views • 21 slides
THE BASICS IN ACTION UBC DIETETICS PROGRAM Module 2 of 2 SCOPE OF THESE MODULES Modules 1 &

THE BASICS IN ACTION UBC DIETETICS PROGRAM Module 2 of 2 SCOPE OF THESE MODULES Modules 1 &

HOME TUBE FEEDING THE BASICS IN ACTION UBC DIETETICS PROGRAM Module 2 of 2 SCOPE OF THESE MODULES Modules 1 & 2 address the following Nutrition Care Process steps Intervention Monitoring and Evaluation Assessment and Diagnosis are

492 views • 18 slides
Choosing next years modules on the Student Website Please choose your option modules by: 5pm

Choosing next years modules on the Student Website Please choose your option modules by: 5pm

Choosing next years modules on the Student Website Please choose your option modules by: 5pm Friday 13 March 2020 Af After er t this da date y e you w will n no l longer be be abl ble t to indi dicate modu dule pr pref efer

456 views • 16 slides
modules Organizing a Project into Packages and Modules As programs grow, you will organize

modules Organizing a Project into Packages and Modules As programs grow, you will organize

modules Organizing a Project into Packages and Modules As programs grow, you will organize them into packages and modules In Python, a package is a directory, and a module is a Python file We will only cover the fundamentals, for a more

589 views • 5 slides
Day 6: Modules, Standard Library Suggested reading: Learning Python (4th Ed.) Ch.21: Modules: The

Day 6: Modules, Standard Library Suggested reading: Learning Python (4th Ed.) Ch.21: Modules: The

Computer Sciences 368 Scripting for CHTC Day 6: Modules, Standard Library Suggested reading: Learning Python (4th Ed.) Ch.21: Modules: The Big Picture Ch.22: Module Coding Basics http://docs.python.org/release/2.4.3/modindex.html 2012 Fall

601 views • 37 slides
Module-3b: Offset and Flicker Mitigation 01 August 2018 14:29 Modules Page 1 Modules Page 2

Module-3b: Offset and Flicker Mitigation 01 August 2018 14:29 Modules Page 1 Modules Page 2

Module-3b: Offset and Flicker Mitigation 01 August 2018 14:29 Modules Page 1 Modules Page 2 Modules Page 3 If Y(f) is filtered, we get rid of flicker noise. Modules Page 4 Module-3c: Chopping Non-Idealities 06 September 2018 16:45 Open

235 views • 10 slides

More recommend