© 2008 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Virtualisation – Security’s Friend or Foe?
• Virtualisation is set to consign traditional hardware appliances to the dustbin of computing history”
Roger Howorth, IT Week
• http://www.itweek.co.uk/itweek/comment/2162238/future-appliances-virtual
Virtualization Requirements• Scheduler• Memory Management• VM State Machine• Virtualized Devices• Storage Stack• Network Stack• Binary Translators (optional)• Drivers• Management API
Old: Virtual Server ArchitectureProvided by:
Windows
ISV
Virtual Server
Guest Applications
GuestsHost
Ring 1: Guest kernel mode
Ring 0: Kernel mode
IIS
Virtual Server
WebApp Virtual Server Service
Windows Server 2003/Windows XP
Kernel Device
Driver
Server Hardware
VMM Kernel
Ring 3: User mode
Windows (NT4, 2000, 2003)
VM additions
New: Hyper-V Architecture
Guest Applications
Child Partition
Parent Partition
Ring 3: User mode
Ring 0: Kernel mode
Virtualisation Stack
VM Service
WMI Provider
VM Worker Process
es
VM Worker Process
es
VM Worker Process
es
Server Core
Virtualization Service Providers
(VSPs)Windo
ws Kernel
Device
Driver
Windows hypervisor
Server Hardware
Virtualization Service
Clients (VSC’s)
VMBus
OSKernel
Enlightenments
Ring “-1”
Provided by:
Rest of Windows
ISV
Hyper-V
New: Hyper-V Architecture
Guest Applications
Child Partition
Parent Partition
Ring 3: User mode
Ring 0: Kernel mode
Virtualisation Stack
VM Service
WMI Provider
VM Worker Process
es
VM Worker Process
es
VM Worker Process
es
Server Core
Virtualization Service Providers
(VSPs)Windo
ws Kernel
Device
Driver
Windows hypervisor
Server Hardware
Virtualization Service
Clients (VSC’s)
VMBus
OSKernel
Enlightenments
Ring “-1”
Provided by:
Rest of Windows
ISV
Hyper-V
Hackers
Why not get rid of the parent?• No defence in depth• Entire hypervisor running in the most privileged mode of
the system
Ring “-”1
UserMode
KernelMode
UserMode
KernelMode
UserMode
KernelMode Ring 0
Ring 3
Virtual Machine Virtual Machine
Virtual Machine
• Scheduler• Memory Management• Storage Stack• Network Stack• VM State Machine
• Virtualized Devices• Binary Translators• Drivers• Management API
Hardware
Micro-kernelized Hypervisor• Defence in depth• Using hardware to protect• Hyper-V doesn’t use binary translation
• Further reduces the attack surface
Ring -1
VM State MachineVirtualized DevicesManagement API
Storage StackNetwork Stack
Drivers
UserMode
KernelMode
UserMode
KernelMode Ring 0
Ring 3
Virtual Machine Virtual Machine
Parent Partition
• Scheduler• Memory Management
Hardware
Security Assumptions• Guests are untrusted• Trust relationships
• Parent must be trusted by hypervisor
• Parent must be trusted by children
• Code in guests can run in all available processor modes, rings, and segments
• Hypercall interface will be well documented and widely available to attackers
• All hypercalls can be attempted by guests
• Can detect you are running on a hypervisor• We’ll even give you the
version• The internal design of the
hypervisor will be well understood
Guest Applications
Child Partition
Parent Partition
Ring 3: User mode
Ring 0: Kernel mode
Virtualisation Stack
VM Service
WMI Provider
VM Worker Process
es
VM Worker Process
es
VM Worker Process
es
Server Core
Virtualization Service Providers
(VSPs)Windo
ws Kernel
Device
Driver
Windows hypervisor
Server Hardware
Virtualization Service
Clients (VSC’s)
VMBus
OSKernel
Enlightenments
Security Goals• Strong isolation between
partitions• Protect confidentiality and
integrity of guest data• Separation
• Unique hypervisor resource pools per guest
• Separate worker processes per guest
• Guest-to-parent communications over unique channels
• Non-interference• Guests cannot affect the
contents of other guests, parent, hypervisor
• Guest computations protected from other guests
• Guest-to-guest communications not allowed through VM interfaces
Guest Applications
Child Partition
Parent Partition
Ring 3: User mode
Ring 0: Kernel mode
Virtualisation Stack
VM Service
WMI Provider
VM Worker Process
es
VM Worker Process
es
VM Worker Process
es
Server Core
Virtualization Service Providers
(VSPs)Windo
ws Kernel
Device
Driver
Windows hypervisor
Server Hardware
Virtualization Service
Clients (VSC’s)
VMBus
OSKernel
Enlightenments
Isolation• No sharing of virtualized
devices• Separate VMBus per VM to
the parent • No sharing of memory
• Each has its own address space
• VMs cannot communicate with each other, except through traditional networking
• Guests can’t perform DMA attacks because they’re never mapped to physical devices
• Guests cannot write to the hypervisor
• Parent partition cannot write to the hypervisor
Guest Applications
Child Partition
Parent Partition
Ring 3: User mode
Ring 0: Kernel mode
Virtualisation Stack
VM Service
WMI Provider
VM Worker Process
es
VM Worker Process
es
VM Worker Process
es
Server Core
Virtualization Service Providers
(VSPs)Windo
ws Kernel
Device
Driver
Windows hypervisor
Server Hardware
Virtualization Service
Clients (VSC’s)
VMBus
OSKernel
Enlightenments
Hyper-V Security Hardening• Hypervisor has separate
address space• Guest addresses !=
Hypervisor addresses• No 3rd party code in the
Hypervisor• Limited number of channels
from guests to hypervisor• No “IOCTL”-like things
• Guest to guest communication through hypervisor is prohibited
• No shared memory mapped between guests
• Guests never touch real hardware I/O
Guest Applications
Child Partition
Parent Partition
Ring 3: User mode
Ring 0: Kernel mode
Virtualisation Stack
VM Service
WMI Provider
VM Worker Process
es
VM Worker Process
es
VM Worker Process
es
Server Core
Virtualization Service Providers
(VSPs)Windo
ws Kernel
Device
Driver
Windows hypervisor
Server Hardware
Virtualization Service
Clients (VSC’s)
VMBus
OSKernel
Enlightenments
Hyper-V & Secure Development Lifecycle• Hypervisor built with
• Stack guard cookies (/GS)• Address Space Layout
Randomization (ASLR)• Hardware Data Execution
Prevention• No Execute (NX) AMD• Execute Disable (XD)
Intel• Code pages marked read only• Memory guard pages• Hypervisor binary is signed
• Hypervisor and Parent going through SDL• Threat modeling• Static Analysis• Fuzz testing & Penetration
testing
Guest Applications
Child Partition
Parent Partition
Ring 3: User mode
Ring 0: Kernel mode
Virtualisation Stack
VM Service
WMI Provider
VM Worker Process
es
VM Worker Process
es
VM Worker Process
es
Server Core
Virtualization Service Providers
(VSPs)Windo
ws Kernel
Device
Driver
Windows hypervisor
Server Hardware
Virtualization Service
Clients (VSC’s)
VMBus
OSKernel
Enlightenments
Hyper-V Security Model• Uses Authorization Manager
• Fine grained authorization and access control
• Department and role based• Segregate who can manage
groups of VMs• Define specific functions for
individuals or roles• Start, stop, create, add
hardware, change drive image
• VM administrators don’t have to be Server 2008 administrators
• Guest resources are controlled by per VM configuration files
• Shared resources are protected• Read-only (CD ISO file)• Copy on write (differencing
disks)
Guest Applications
Child Partition
Parent Partition
Ring 3: User mode
Ring 0: Kernel mode
Virtualisation Stack
VM Service
WMI Provider
VM Worker Process
es
VM Worker Process
es
VM Worker Process
es
Server Core
Virtualization Service Providers
(VSPs)Windo
ws Kernel
Device
Driver
Windows hypervisor
Server Hardware
Virtualization Service
Clients (VSC’s)
VMBus
OSKernel
Enlightenments
Windows Server Core• Windows Server frequently deployed for a single role
• Must deploy and service the entire OS in earlier Windows Server releases
• Server Core a new minimal installation option• Provides essential server functionality• Command Line Interface only, no GUI Shell
• Benefits• Fundamentally improves availability• Less code results in fewer patches and reduced servicing
burden• Low surface area server for targeted roles• More secure and reliable with less management
Windows Server Core
What tools can help secure the Environment?• IPSec for host authentication• Use the principle of least privilege• Only install software you have a reason to trust• Ensure policy compliance – Network Access Protection
can be a huge help• Keep things as simple as possible• Add functionality as high up the stack as possible
How to proceed?• Virtualisation is not a silver bullet for security
problems• Nor is it a nightmare• It just changes the threat landscape
• Carefully consider the impact on trust boundaries and the knock-on effect of compromised security at layers underneath the applications – the deeper down the stack, the worse the impact
What is Microsoft Forefront?• Microsoft Forefront is a comprehensive line of
business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis.
EdgeClient and Server OS
Server Applications
IT Service Management
Data Protection Manager ‘Service
Desk’ Capacity Planner Reporting
Manager Operations Manager Client
Data
Storage &
RecoveryProblem
ManagementCapacity Management
IT ReportingClient Operations
Management
Configuration Manager
Operations Manager
Performance & AvailabilityMonitoring
Software Update &
Deployment
Microsoft System Centre
Enabler for Microsoft’s Best Practices
Microsoft Operations Framework
Infrastructure Optimization
Next steps• Receive the latest Security news, sign-up
for the:• Microsoft Security Newsletter • Microsoft Security Notification Service
• Assess your current IT security environment• Download the free Microsoft Security
Assessment Tool
• Find all your security resources here http://www.microsoft.com/uk/security/infosec2008
Session Evaluation• Hand-in you session evaluation on your way out
• Win one of 2 Xbox 360® Elite’s in our free prize draw*
• Winners will be drawn at 3.30 today
• Collect your goody bag which includes. • Windows Vista Business (Upgrade), • Forefront Trials, • Forefront Hand-On-Labs• Security Resources CD
• I’ll be at the back of the room if you have any questions
* Terms and conditions apply, alternative free entry route available.