
IBM T. J. Watson Research Center

© 2007 IBM Corporation

Trusted Virtual Datacenter – Radically simplified security management

Stefan Berger, Ramón Cáceres, Dimitrios Pendarakis, Reiner Sailer, Ray Valdez

Secure Systems Department, T.J. Watson Research Center


Sailer - IBM T. J. Watson Research Center

© 2005 IBM 11/7/2007

Security Opportunity Prologue

Significant Challenges
• Status quo approach to IT and business security is too complex, is not measurable, will not scale
• Lack of secure foundation for dynamic enterprise environments

Synergistic Strategy
• Leverage emerging trusted computing technologies (TCG) and commoditization of virtualization (Intel / AMD, EMC, Microsoft, IBM)
• Near-term: stronger guarantees position security as an enabler
• Longer-term: radically simplified IT security management


Trusted Computing and Virtualization Timeline

[Figure: timeline spanning 2002 to 2007 with the milestones TCG TPM 1.1 (SRTM), MS NGSCB 1.., IBM IMA for Linux, IBM sHype, MS Vista BitLocker, NAC, IBM vTPM, TCG TPM 1.2 (DRTM), Intel LT (SENTER), AMD SVM (SKINIT)]


Virtualization Landscape at a Glance

Application-level (or middleware-level) virtualization

• E.g., Java Virtual Machine, Softricity (Microsoft SoftGrid), Thinstall

Operating system-level virtualization

• E.g., Linux VServers, Solaris Containers / Zones, Virtuozzo

Hypervisor-based virtualization

• Type 1: VMware ESX, Microsoft Viridian, Xen, PHYP, PR/SM
• Type 2: VMware Workstation, Microsoft Virtual PC, KVM


Classic Type 1 Hypervisor

[Figure: hardware (CPU and I/O devices) at the bottom; the hypervisor above it virtualizes hardware; on top, three virtual machines, each with a guest kernel and its applications]


Virtualization-based Security & Systems Management

Trusted Virtual Data Center (TVDc)

[Figure: Systems View (physical resources, three hypervisors) beside TVDc View (virtual resources); labels shown: Market Analysis, Security Underwriting]

Centralized IT Security management
• TVD: Grouping of VMs and resources that support common objective (customer workloads, etc.)
• Abstracting the physical infrastructure (platform independence, scalability)
• Policy-driven (consistent security configuration and management)

Distributed Enforcement
• Very strong, coarse-grain security guarantees – cannot be bypassed by VMs

Single data center security policy across different platforms and hypervisors

Containment (viruses, break-ins) & Trust


sHype: Enabling Trusted Virtual Datacenters

• Xen VMM (virtualizes + isolates)
• sHype (controls sharing)
• TVDc (manages)

– Workload Isolation + Integrity
– Radically Simplified WL-Management

[Figure labels: WorkLoad, VM, Coalition; example workloads: Human Resources, Managed Services, Payroll]


Trusted Virtual Datacenter Simplifies Security Management

[Figure: Systems View beside Virtual Domain View, connected by TVDc; color key: Red = Acct., Green = HR, Blue = Dev.; other labels: Guard-VM, Isolation, Integrity, Trust]


IBM TVDc: Radically Simplified Security Management

Trusted Virtual Data Center Value Proposition

Isolation Management

Enforces restrictions on administration and data sharing:
• Who manages what: independent admin for Hertz and Avis accounts
• What can run together: ensure air-gaps between strongly competing workloads
• Workload and data isolation (malware confinement)

Integrity Management

Maintains software inventory and acts as an early warning system for anomalies; detect and report:
• What is running in each VM
• If VMs/Systems are correctly configured
• If VMs are up-to-date with patches

TVDc reduces the risk of security exposures
TVDc enables consistent, policy-driven enforcement


Secure Hypervisor Architecture (sHype)

[Figure: hardware at the bottom; Xen / sHype above it; VMs on top: Linux and MS Windows, each with applications, and a Secure Services VM]

• Attested boot and run-time (TCG/TPM, IMA)
• Isolation between partitions
• Access control between partitions
• Secure (isolated) services, e.g. Policy Management
• Resource control and metering
• Auditing, Monitoring, Metering, …

Sailer, Jaeger, Valdez, Cáceres, Perez, Berger, Griffin, van Doorn: Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st ACSAC, 2005.


sHype Access Control Architecture (Example: Xen)

[Figure: hardware at the bottom; Xen / sHype with the ACM, hypervisor security hooks and callbacks; VMs on top: Dom 0 (Management), Linux, MS Windows and Secure Services, with their applications]

• Flexible framework: Supports Multiple Policies
• Access Control Module Implements Policy Model
• Hypervisor Security Hooks mediate inter-VM communication + resource access, interact with ACM for access decision
• Implemented for Xen, PHYP, rHype in various stages


1. Centralized Isolation Management

• Policy authoring and management
  – Define security labels and anti-collocation rules
  – Revision-based policy management

• Labeling
  – Systems, VMs and resources

• Label-based management
  – Restrict Admins to manage a set of security labels
  – Restrict configuration choices based on policy

[Legend: = Accounting, = Human Resources, = Development]

Anti-Collocation:{ , },...


2. Distributed Isolation Enforcement at Run-time (Secure hypervisor extensions sHype/ACM)

1. Control Sharing
2. Control what a system can run
3. Enforce rules for anti-collocation

Anti-Collocation: { , }

• Xen: Integrated into Open-source distribution
• PHYP Access Control Module (research prototype)
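The three run-time checks listed on this slide, modelled as an added Python example; it is not sHype or Xen code. The class and function names, the "common label" sharing rule and the single anti-collocation rule are assumptions made for illustration; only the label names come from the slides.

```python
# Added illustration, not sHype source: a toy access control module (ACM)
# answering the three hook decisions on this slide. Rule semantics are assumed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    labels: frozenset          # security labels from the central policy


@dataclass
class System:
    name: str
    allowed: frozenset         # labels this system is permitted to run
    running: list = field(default_factory=list)


class ACM:
    def __init__(self, anti_collocation):
        # Each rule is a set of labels that must never share one system.
        self.rules = [frozenset(rule) for rule in anti_collocation]

    def may_share(self, a: VM, b: VM) -> bool:
        """1. Control sharing (assumed rule: a common label is required)."""
        return bool(a.labels & b.labels)

    def may_run(self, system: System, vm: VM) -> bool:
        """2. Control what a system can run."""
        return vm.labels <= system.allowed

    def conflict(self, system: System, vm: VM):
        """3. Anti-collocation: return (rule, running VM) on a clash."""
        for rule in self.rules:
            mine = vm.labels & rule
            for other in system.running:
                theirs = other.labels & rule
                if mine and theirs and len(mine | theirs) > 1:
                    return rule, other
        return None

    def start_vm(self, system: System, vm: VM):
        """Hook called before a VM starts; returns (allowed, reason)."""
        if not self.may_run(system, vm):
            return False, f"{system.name} may not run {sorted(vm.labels)}"
        clash = self.conflict(system, vm)
        if clash:
            return False, f"anti-collocation with {clash[1].name}"
        system.running.append(vm)
        return True, "ok"


# Constructed policy: the label names come from the slides, the rule does not.
POLICY = ACM(anti_collocation=[{"Accounting", "Development"}])


def demo():
    blade = System("blade1", frozenset({"Accounting", "Human Resources",
                                        "Development"}))
    acct = VM("vm-acct", frozenset({"Accounting"}))
    hr = VM("vm-hr", frozenset({"Human Resources"}))
    dev = VM("vm-dev", frozenset({"Development"}))
    results = [POLICY.start_vm(blade, vm) for vm in (acct, hr, dev)]
    return results, POLICY.may_share(acct, hr)
```

Because the decision is taken in the start hook, the third VM is refused even though the blade itself is permitted to run its label.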


TVDc Network Isolation

1. Label VMs + VLANs
2. VMM enforces: VMs ↔ VLANs
3. Hardware VLAN switch enforces: Blades ↔ VLANs

[Figure: Blade 1 and Blade 2, each running a VMM that hosts VMs (VM1, VM2, VM3, VM4, VM5) attached to Virtual LAN 1 or Virtual LAN 2; the blades connect through a network switch; one connection is marked X]

“TVDc – Managing Security in the Trusted Virtual Datacenter” in ACM SIGOPS Operating System Review Special: IBM Research. Vol 42, Issue 1, January 2008. Berger, Cáceres, Pendarakis, Perez, Sailer, Schildhauer, Srinivasan, Valdez.


Trusted Virtual Domains – Isolation and Trust

• Attestation: mutually verifiable environments
• Isolation: protect against attacks and limit spread of damage
• Mediated Communications: transparent protection, authorization and audit
• Authentication: systems and workloads


Distributed Trusted Computing Base
Putting Access Control and Integrity Measurement together

Establish trust – enabling collaboration across multiple platforms

• Are P1 and P2 mutually trusted (TCB)
• Are policies A and B compatible?
• Are policies uniformly enforceable?

[Figure: Platform P1 and Platform P2 hosting vm1 to vm5 under policies A and B; events shown: VM change / compromise, TCB change / compromise]

McCune, Berger, Cáceres, Jaeger, Sailer: Shamon – A System for Distributed Mandatory Access Control. 22nd ACSAC, 2006.


Trusted Platform Module (TPM)

Trusted Computing in today’s world is largely synonymous with a use that involves the Trusted Platform Module (TPM)

TPM is a passive storage device that has some interesting properties:

• You cannot remove data once you’ve written it to the TPM
• You can retrieve an aggregate of the data from the TPM that is signed by that TPM’s unique key
• The TPM provides sealed storage
• Storage root key protection

[Figure: TPM chips from Winbond, Infineon and Atmel]


Integrity Measurement – Integrity & Attestation

Provide reliable runtime integrity guarantees
• Certificates provide identity and secure tunnel
• But does the remote system currently satisfy security-related requirements?

Leverage Trusted Platform Module (TPM) / Core Root of Trust for Measurement
• Remotely attest software-stack
• Detect cheating & compromise (load guarantees)
• Bind sensitive data to endpoint (certificates etc.)
• Non-intrusive / negligible overhead

Implemented for Linux in 2003/2004
• IBM Integrity Measurement Architecture (IMA)

[Figure: measure-then-execute chain in steps 1 to 6: Core Root of Trust, OS Loader, OS, Applications]

Sailer, Zhang, Jaeger, Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. Usenix Security Symposium, August, 2004.


1. Local integrity verification
   • Does my system have integrity?
   • Is it safe to log in and use? (Kiosk, Desktop, …)

2. Remote integrity verification
   • Does their system have integrity?
   • Is it safe to use? (online services, …)
   • What about its users?

[Figure: 1. How is my system doing? 2. How is their system doing? 3. Use Service]

Trusted Computing uses real-time attestation to establish sufficient facts about a system, such as software integrity, to interpolate from its past to its future behavior.


Integrity Measurement Architecture (IMA)

[Figure: three stages linking an Attesting System to a Verifying System]

(1) Measurement: on the real system (boot process, kernel, kernel modules, programs, config data, data), IMA and TCG Grub record SHA1(Boot Process), SHA1(Kernel), SHA1(Kernel Modules), SHA1(Program), SHA1(Libraries), SHA1(Configurations), SHA1(Structured data), …
(2) Attestation: the measurements and a TPM-Signed PCR Integrity Value go to the verifying system
(3) Verification: analysis against Known Fingerprints to deduce system properties (the inferred system)


Virtual TPMs Enable VM Integrity Attestation

• Measure HW, hypervisor, and critical services
• Support current IMA via vTPMs (flexible, scalable)

[Figure: hardware with the Core Root of Trust; Secure Hypervisor with ACM; Policy Manager and Virtual TPMs; guest kernels running IMA-enabled OSes with applications and IMA-enabled applications]

Berger, Cáceres, Goldman, Perez, Sailer, van Doorn “vTPM: Virtualizing the Trusted Platform Module”. 15th USENIX Security Symposium, July 2006


vTPM+IMA: Focus on Solving Real Problems

Configuration Management
• Configure server classes
• Verify configuration against software stack

System A

#000: BC55F0AFE013C...E6CFAA2B4D2AB | boot_aggregate (bios + grub stages)
#001: A8A865C7203F2...0A2289F7D035B | grub.conf (boot configuration)
#002: 1238AD50C652C...87D06A99A22D1 | vmlinuz-2.6.5-bk2-lsmtcg
#003: 84ABD2960414C...9364B4E5BDA4F | init (first process)
#004: 9ECF02F90A2EE...5DE4798A1BE3D | ld-2.3.2.so (dynamic linker)
#005: 1238AD50C652C...87D06A99A22D1 | Illegal Config /etc/http.conf
#006: 84ABD2960414C...9364B4E5BDA4F | Old HTTP Server 1.1

Problem Management
• Automatically detect and isolate real problems
• Direct intelligence towards those real problems
• Fix problems efficiently
• Verify that problems no longer exist

System B

#000: BC55F0AFE013C...E6CFAA2B4D2AB | boot_aggregate (bios + grub stages)
#001: A8A865C7203F2...0A2289F7D035B | grub.conf (boot configuration)
#002: 1238AD50C652C...87D06A99A22D1 | vmlinuz-2.6.5-bk2-lsmtcg
#003: 84ABD2960414C...9364B4E5BDA4F | init (first process)
#004: 9ECF02F90A2EE...5DE4798A1BE3D | ld-2.3.2.so (dynamic linker)
#005: 1238AD50C652C...87D06A99A22D1 | Linux Root Kit
#006: 84ABD2960414C...9364B4E5BDA4F | Unknown Program

[Figure callouts: "Runs old patch-level", "HELP!"]
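The measurement, attestation and verification flow from the IMA slide, applied to a measurement list like the ones above, as an added Python example; it is not IMA source code. The file contents, fingerprint database and function names are constructed for illustration, SHA-1 is used because the slides do, and the TPM signature check on the PCR value is assumed to have happened already.

```python
# Added illustration, not IMA source: replay a measurement list the way a
# verifying system would. File contents and fingerprints are constructed.
import hashlib

PCR_INIT = bytes(20)  # a TPM 1.2 PCR starts as 20 zero bytes


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA1(old PCR || digest). Nothing is erased."""
    return sha1(pcr + digest)


def measure(files):
    """(1) Measurement: hash each file in load order and extend the PCR."""
    pcr, mlist = PCR_INIT, []
    for name, content in files:
        digest = sha1(content)
        mlist.append((digest, name))
        pcr = extend(pcr, digest)
    return mlist, pcr


def verify(mlist, quoted_pcr, known_good, known_bad):
    """(3) Verification. quoted_pcr is assumed to come from a TPM-signed
    quote whose signature was already checked ((2) Attestation)."""
    pcr = PCR_INIT
    for digest, _name in mlist:
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        return "list does not match PCR", []
    findings = []
    for index, (digest, name) in enumerate(mlist):
        if digest in known_bad:
            findings.append((index, name, known_bad[digest]))
        elif digest not in known_good:
            findings.append((index, name, "unknown fingerprint"))
    return ("trusted" if not findings else "untrusted"), findings


# Constructed stand-ins for the software stack and the fingerprint database.
BASE = [("boot_aggregate", b"bios+grub stages"), ("grub.conf", b"default=0"),
        ("init", b"first process"), ("ld.so", b"dynamic linker")]
KNOWN_GOOD = {sha1(content) for _name, content in BASE}
KNOWN_BAD = {sha1(b"rootkit"): "Linux Root Kit"}


def demo():
    clean = verify(*measure(BASE), KNOWN_GOOD, KNOWN_BAD)
    mlist, pcr = measure(BASE + [("lrk", b"rootkit"), ("prog", b"???")])
    infected = verify(mlist, pcr, KNOWN_GOOD, KNOWN_BAD)
    # Hiding the rootkit entry breaks the replayed aggregate.
    hidden = verify(mlist[:4] + mlist[5:], pcr, KNOWN_GOOD, KNOWN_BAD)
    return clean, infected, hidden
```

The third case is the property the TPM slide describes: an entry that has been extended into the PCR cannot later be dropped from the list without the replayed aggregate disagreeing with the signed value.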


Research Challenges around TVDc Technologies

Controlled Sharing Between TVDc
• Guard systems

Integrity Measurement Architecture
• Run-time guarantees (extend load-time guarantees)
• Property determination and fingerprint management

Distributed Mandatory Access Control
• Policy composition & change management

Virtual TPM
• Safely migrate/save/restore the virtual root of trust


Trusted Virtual Data Center Summary

TVDc is designed to achieve
• simplified security management
• enterprise-level assurance

TVDc creates confined workload domains to enable
• independent trust and security properties

More on our department team page: http://www.research.ibm.com/secure_systems_department or:

“TVDc – Managing Security in the Trusted Virtual Datacenter” in ACM SIGOPS Operating System Review Special: IBM Research. Vol 42, Issue 1, January 2008. Berger, Cáceres, Pendarakis, Perez, Sailer, Schildhauer, Srinivasan, Valdez.


Resources – TVDc building blocks freely available:

Integrity Measurement Architecture (IMA)
• Source code: http://sourceforge.net/projects/linux-ima
• Project page: http://domino.research.ibm.com/comm/research_people.nsf/pages/sailer.ima.html

Virtual Trusted Platform Module (vTPM)
• Source code in Xen: http://www.xensource.com/xen
• Project page: http://www.research.ibm.com/ssd_vtpm

sHype Access Control Architecture
• Source code in Xen: http://www.xensource.com/xen
• Xen User Guide: http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user
• Project page: http://www.research.ibm.com/ssd_shype