Virtual Machine approach to Security


Virtual Machine approach to Security
Gautam Prasad and Sudeep Pradhan
10/05/2010
CS 239
UCLA
Virtual Machine and Virtual Infrastructure
• A virtual machine is a tightly isolated software container that can run its own operating systems and applications as if it were a physical computer.
• A virtual infrastructure lets you share the physical resources of multiple machines across your entire infrastructure.
• In a virtual infrastructure, many virtual machines interact with each other, are created and destroyed dynamically, and move from one physical host to another seamlessly.
• We call the physical system that provides virtualization the host.
• The virtual machine and its operating system are called the guest.
Properties of Virtual Infrastructure
• Decouples the software environment from its underlying hardware infrastructure, so one can aggregate multiple servers, storage infrastructure and networks into shared pools of resources. (Scaling, Mobility)
• Virtual machines can be deployed on an ad hoc basis and destroyed when their purpose is served. (Transience, Diversity)
• Virtual machines can be provisioned from a template, so hundreds of VMs can be spawned in a short time. (Scaling, Diversity, Lifecycle)
• The state of a virtual machine (or a group of virtual machines) can be checkpointed and reverted whenever necessary. (Software Lifecycle, Data Lifetime)
• Resources in a virtual infrastructure can be scheduled dynamically for maintenance of part of the infrastructure. (Mobility)
These properties of a virtual infrastructure make it difficult to apply traditional computer security methods.
Risks mentioned in Gartner Report on Virtualization Security
• Information Security Isn't Initially Involved in the Virtualization Projects
• A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
• The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
• Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
• Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
• There Is a Potential Loss of Separation of Duties for Network and Security Controls
New approach to security
• Dedicated infrastructure for enforcing security policies, provided by a ubiquitous virtualization layer
• Ubiquity will give administrators more control over features like mobility and data lifetime.
• Moving security and management functions from the guest to the host (virtualization layer) has several benefits, like:
  – Delegating management
  – Guest OS independence
  – Life cycle independence
  – Securely supporting diversity
Sandbox
• A virtual machine can be used to create a sandbox, that is, a restricted environment with limited resources on the host machine.
• Untrusted code can be run in this environment to protect the host machine.
• This is the original security model provided by the Java platform.
Data Security
• Virtualization of systems allows them to have a consistent patch level and configuration.
• It can isolate different workloads on the host machine.
• This is an important aspect of security for virtualization-enabled cloud computing.
Intrusion Detection
• Intrusion Detection Systems (IDS) are vulnerable to attack when they reside on the host machine.
• A network-based IDS has less information about what is happening on the host.
• A virtual machine monitor (VMM) can be used to inform a network-based IDS and to mediate both hardware and software interactions on the host machine.
• The operations of the virtual machine on the host can be logged for analysis later without relying on the integrity of the host operating system.
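The two points above (a VMM can feed an IDS what the guest cannot hide, and can log guest activity without trusting the guest) are often combined as a "cross-view" check. The following is an added example written for this transcript, not code from the slides or from any product they mention. All process lists, sockets and the VM name are constructed test data; the assumption is that a real deployment would fill the VMM-side views from an introspection library that reads guest kernel memory and the virtual NIC from the host, and the guest-side views from tools run inside the guest. The hash-chained host-side log is one way to keep such records tamper-evident and is also an assumption, not something the slides prescribe.

```python
import hashlib
import json
from dataclasses import dataclass

# Added example, not from the slides. Every "view" below is constructed test
# data. Assumption: a real system would obtain the VMM-side views from the
# host (guest memory introspection, virtual NIC traffic) and the guest-side
# views from tools that run inside the guest.


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


@dataclass(frozen=True)
class Conn:
    proto: str
    local_port: int
    remote: str


# Constructed: processes the VMM reconstructed from the guest's kernel memory.
VMM_PROCS = [Proc(1, "init"), Proc(412, "sshd"), Proc(833, "nginx"), Proc(901, "kworker-x")]
# Constructed: what a process listing inside the guest reported; pid 901 is missing.
GUEST_PROCS = [Proc(1, "init"), Proc(412, "sshd"), Proc(833, "nginx")]
# Constructed: connections the VMM observed on the guest's virtual NIC.
VMM_CONNS = [Conn("tcp", 22, "10.0.0.5:51022"), Conn("tcp", 4444, "10.0.0.9:40001")]
# Constructed: listening ports the guest's own socket listing admits to.
GUEST_LISTEN_PORTS = {22, 80}


def hidden_processes(vmm_procs, guest_procs):
    """Processes the VMM sees but the guest's own listing omits (rootkit-style hiding)."""
    guest = set(guest_procs)
    return sorted((p for p in vmm_procs if p not in guest), key=lambda p: p.pid)


def unreported_sockets(vmm_conns, guest_listen_ports):
    """Connections on the virtual NIC whose local port the guest does not report as listening."""
    return [c for c in vmm_conns if c.local_port not in guest_listen_ports]


class HostSideLog:
    """Append-only log kept on the host. Each record commits to the previous
    record's hash, so a compromised guest cannot rewrite earlier findings."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, vm, finding):
        body = {"vm": vm, "finding": finding, "prev": self._prev}
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        self._prev = digest
        return digest

    def verify(self):
        """True if every record's hash matches its body and the chain is unbroken."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def cross_view_check(vm, vmm_procs, guest_procs, vmm_conns, guest_listen_ports, log):
    """Compare the VMM's view with the guest's self-report and log each discrepancy host-side."""
    findings = []
    for p in hidden_processes(vmm_procs, guest_procs):
        findings.append(f"hidden process pid={p.pid} name={p.name}")
    for c in unreported_sockets(vmm_conns, guest_listen_ports):
        findings.append(f"unreported {c.proto} listener port={c.local_port} peer={c.remote}")
    for finding in findings:
        log.append(vm, finding)
    return findings


if __name__ == "__main__":
    host_log = HostSideLog()
    for finding in cross_view_check("web01", VMM_PROCS, GUEST_PROCS, VMM_CONNS, GUEST_LISTEN_PORTS, host_log):
        print(finding)
    print("host-side log intact:", host_log.verify())
```

The findings are written to the host-side log, not into the guest, which is the point of the last bullet: the record survives even if the guest OS is later fully compromised, and `verify()` detects any later edit to an earlier entry.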
Problems
• Logging using virtual machine monitors can make sensitive data persist on a virtual machine.
• Once a virtual machine is infected it has full access to the host machine, as opposed to infecting the host machine’s OS.
• Establishing the identity of a virtual machine can be difficult because of their mobility between systems and the dynamic creation of machines.
• Because of the ease of creating more VMs, it can be difficult to manage them and keep them secure.
• Because of their transient nature, a machine can briefly appear, infect others and then disappear.
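The last three problems (identity, sprawl, transience) share one defensive answer: keep an inventory built from the virtualization layer's own lifecycle events rather than from what each guest says about itself. The following is an added example for this transcript, not code from the slides. The event stream, UUIDs, host names and the set of registered VMs are all constructed; the assumption is that a real infrastructure manager emits create/migrate/destroy notifications in some similar form.

```python
from datetime import datetime

# Added example, not from the slides. The event stream is constructed; it
# stands in for the create/migrate/destroy notifications a virtual
# infrastructure manager emits. UUIDs and host names are made up.
EVENTS = """\
2010-05-10T09:00:00 event=create vm=web01 uuid=a1 host=esx-1 template=lamp-base
2010-05-10T09:00:05 event=create vm=web01 uuid=a2 host=esx-2 template=lamp-base
2010-05-10T09:01:00 event=migrate vm=web01 uuid=a1 host=esx-3
2010-05-10T09:02:00 event=create vm=scan-tmp uuid=b7 host=esx-1 template=lamp-base
2010-05-10T09:02:40 event=destroy vm=scan-tmp uuid=b7 host=esx-1
2010-05-10T09:10:00 event=create vm=db01 uuid=c3 host=esx-2 template=db-base
"""

# Constructed: UUIDs the security team was told about before deployment.
REGISTERED = {"a1", "c3"}


def parse_event(line):
    """'<iso-timestamp> key=value ...' -> dict, with the timestamp parsed under 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_inventory(text):
    """Fold the event stream into one record per VM UUID (the hypervisor's identity,
    not the guest's display name, which clones from a template may share)."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        rec = inventory.setdefault(
            ev["uuid"],
            {"name": ev["vm"], "hosts": [], "created": None, "destroyed": None, "template": None},
        )
        if ev["event"] == "create":
            rec["created"] = ev["ts"]
            rec["template"] = ev.get("template")
        elif ev["event"] == "destroy":
            rec["destroyed"] = ev["ts"]
        host = ev.get("host")
        if host and host not in rec["hosts"]:
            rec["hosts"].append(host)
    return inventory


def short_lived(inventory, max_seconds):
    """Transience: VMs destroyed within max_seconds of creation, which the
    network-based IDS's baseline may never have seen."""
    return sorted(
        uuid
        for uuid, rec in inventory.items()
        if rec["created"] and rec["destroyed"]
        and (rec["destroyed"] - rec["created"]).total_seconds() <= max_seconds
    )


def ambiguous_names(inventory):
    """Identity: display names shared by more than one UUID (e.g. template clones)."""
    by_name = {}
    for uuid, rec in inventory.items():
        by_name.setdefault(rec["name"], []).append(uuid)
    return {name: sorted(uuids) for name, uuids in by_name.items() if len(uuids) > 1}


def migrated(inventory):
    """Mobility: VMs that have run on more than one physical host."""
    return {uuid: rec["hosts"] for uuid, rec in inventory.items() if len(rec["hosts"]) > 1}


def unregistered(inventory, registered):
    """Sprawl: UUIDs that exist (or existed) but were never registered."""
    return sorted(set(inventory) - set(registered))


if __name__ == "__main__":
    inv = build_inventory(EVENTS)
    print("short-lived (<= 5 min):", short_lived(inv, 300))
    print("ambiguous names:", ambiguous_names(inv))
    print("migrated:", migrated(inv))
    print("unregistered:", unregistered(inv, REGISTERED))
```

Keying the inventory on the hypervisor-assigned UUID is the design choice that matters: the two `web01` clones are distinct records, the migration of `a1` is tracked across hosts, and `scan-tmp` is still on record after it has disappeared.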