Xoar-BartMiller
Bart Miller – October 22nd, 2012
TCB & Threat Model
Xen Platform
Xoar Architecture Overview
Xoar Components
Design Goals
Results
Security
Vulnerability Mitigation
Performance
Trusted Computing Base is defined as “the totality of protection mechanisms within a computer system – including hardware, firmware, and software – the combination of which is responsible for enforcing a security policy.”
Xen, by virtue of privilege, is part of the TCB
In Xen, all components operate under a monolithic trust domain
Compromise of any component yields the attacker two benefits:
Gain the privilege level of that component
Access its interfaces to other components
Assumption #1: Administrators are not a concern
Business imperative
Assumption #2: Malicious guest VM
Violate data integrity or confidentiality
Exploiting code
Assumption #3: The control VM will contain bugs
Device drivers
Virtualized, passed-through, or emulated
XenStore
Hierarchical key-value store
System-wide registry
Most critical component
▪ Vulnerable to DoS attacks
▪ Performs most administrative operations
Toolstack
Administrative functions
Creates and destroys guest VMs; manages their resources and privileges
System Boot
Starts the Dom0 process, initializes hardware
Reduce privilege
Each component should only have the privileges essential to its purpose
Each component should only expose interfaces when necessary
Reduce sharing
Sharing of components should be avoided wherever it is reasonable
Any sharing of components must be explicit
Explicit sharing allows for logging and auditing in the event of a compromise
Reduce staleness
A component should only run for as long as it needs to perform its task.
It should be restored to a known, good state as frequently as practicable.
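To make the threat model and the "reduce sharing" goal concrete, the following added example (not from the talk or the Xoar project) computes the blast radius of a single compromised component by walking the interfaces it can reach. Component names are taken from the slides; the privilege ranks and the interface edges are assumed for illustration.

```python
# Added example: blast-radius analysis over a component-sharing graph.
# Contrasts a monolithic Dom0 (every component in one trust domain) with
# Xoar-style explicit sharing. Edges and privilege ranks are assumed.
from collections import deque

# Assumed privilege rank per component (higher = more privileged).
PRIVILEGE = {
    "Bootstrapper": 3, "PCIBack": 3, "Builder": 3,
    "XenStore": 2, "Toolstack": 2,
    "DeviceDriver": 1, "DeviceEmulation": 1,
}

def blast_radius(interfaces, compromised):
    """Return every component reachable from `compromised`.

    `interfaces` maps a component to the components whose interfaces it can
    drive. Each hop models the talk's two benefits of a compromise: the
    attacker gains that component's privilege and can use its interfaces.
    """
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in interfaces.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def max_privilege(reached):
    """Highest privilege rank the attacker ends up holding."""
    return max(PRIVILEGE[c] for c in reached)

# Monolithic Dom0: one trust domain, so every component can reach all others.
MONOLITHIC = {c: set(PRIVILEGE) - {c} for c in PRIVILEGE}

# Xoar-style explicit sharing (assumed edges). Bootstrapper and PCIBack are
# destroyed after boot, so no runtime component has an edge to them.
XOAR = {
    "DeviceDriver": {"XenStore"},
    "DeviceEmulation": {"XenStore"},
    "Toolstack": {"XenStore", "Builder"},
    "XenStore": set(),
    "Builder": set(),
}

if __name__ == "__main__":
    for name, graph in (("monolithic", MONOLITHIC), ("xoar", XOAR)):
        reached = blast_radius(graph, "DeviceDriver")
        print(f"{name}: driver compromise reaches {sorted(reached)}, "
              f"max privilege {max_privilege(reached)}")
```

Because the Xoar graph is explicit, the same edges double as an audit list: any cross-component call that is not in the graph is a sharing relationship that should not exist.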
Reduced TCB
Bootstrapper, PCIBack, and Builder are the most privileged components
Bootstrapper and PCIBack are destroyed once initialization is complete
TCB reduced
▪ Linux: 7.6M LoC
▪ Builder: 13.5k LoC
Solved through isolation
Device Emulation
Virtualized Drivers
XenStore, re-written
Hypervisor vulnerabilities remain
Test system
Ca. 2011 server
Quad-core Xeon, 4Gb RAM
All virtualization features enabled
Memory overhead
512Mb – 896Mb in Xoar vs. 750Mb in XenServer
Any questions?