When virtual is better than real (slide transcript)

1
When virtual is better than real
  • Peter M. Chen
  • Brian D. Noble
  • University of Michigan

2
Standard system architecture
  (diagram: layered stack) administrative tools and applications sit side by side directly on the host operating system, which runs on the host machine
3
Virtual-machine system architecture
  (diagram: layered stack) applications run on the guest operating system inside the virtual machine; the virtual machine monitor, with the administrative tools beside it, runs on the host operating system, which runs on the host machine
4
Benefits
  • Services are protected from applications and guest operating system
  • Services work for multiple OS versions and vendors
  • Services benefit from unique abilities of virtual machines
    • e.g. create temporary virtual machines
    • e.g. communicate quickly to host
    • e.g. move virtual-machine state across network
    • e.g. encrypt virtual-machine state

5
Challenges
  • Overhead of running applications in virtual machine
  • Semantic gap between events in guest OS and events in virtual machine
  • Are there useful services that can work at virtual-machine level?
    • some services don't need to know about guest OS abstractions
    • some services can reconstruct semantic information common to all guest OSs

6
Secure logging
  • Current systems log interesting events (e.g. logins)
    • vulnerable to OS compromise
    • may not anticipate relevant events
  • Apply fault-tolerance techniques to log and replay complete execution of virtual machine
  • Analyze any intrusion to arbitrary level of detail, even after point of OS compromise

  (diagram: intrusion timeline) gain access; disable syslog; replace OS; plant Trojan horse, steal credit cards, attack other machines, etc., etc.
7
Reducing log traffic
  • Only log non-deterministic events
    • human input
    • interrupts
    • network messages
  • Messages from cooperating hosts can be re-created instead of logged
    • remember message order
    • safely identify cooperating hosts
  • If all hosts on LAN cooperate, only need to log incoming network traffic (at gateway)

8
Intrusion prevention
  • Current systems block suspicious events before they compromise system
    • accuracy limited by fuzzy definition of "suspicious"
  • Create disposable clone of the virtual machine, use clone to measure actual effect of suspicious event
  • Enables destructive tests
  • Open questions
    • semantic gap: VM detects OS-level effect?
    • what does original VM do while clone is testing event?
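The mechanism behind slides 6 to 8, as an added illustration that is not code from the Chen and Noble slides: a toy guest whose state changes only through its own deterministic computation plus nondeterministic events delivered from outside. A monitor below the guest records just those events (slide 7), so the whole run can be replayed step by step from the disk image even after the guest's own syslog has been switched off (slide 6), and the same monitor can try a suspicious event on a disposable deep copy of the guest before the real guest sees it (slide 8). The event names, the hash-based "state" and the two guest-level consequences are constructed for the example.

```python
import copy
import hashlib


class GuestVM:
    """Toy guest: a hash stands in for the full memory and disk state."""

    def __init__(self, image):
        self.state = hashlib.sha256(image).digest()
        self.syslog_enabled = True   # guest-level logging: whoever owns the guest controls it
        self.syslog = []             # the record an intruder can stop or erase
        self.os_replaced = False

    def deliver(self, kind, payload):
        """Handle one nondeterministic event (keyboard input, interrupt, network message)."""
        if self.syslog_enabled:
            self.syslog.append((kind, payload))
        # constructed guest-level consequences of two events from the slide 6 timeline
        if kind == "keyboard" and payload == "disable syslog":
            self.syslog_enabled = False
        if kind == "keyboard" and payload == "replace OS":
            self.os_replaced = True
        self.state = hashlib.sha256(self.state + kind.encode() + payload.encode()).digest()
        self._compute()

    def _compute(self):
        # deterministic work between events: recomputed on replay, never logged
        rounds = self.state[0] % 8 + 1
        for _ in range(rounds):
            self.state = hashlib.sha256(self.state).digest()


class Monitor:
    """Runs below the guest; its log and its clones are out of the guest's reach."""

    def __init__(self, image):
        self.image = image
        self.guest = GuestVM(image)
        self.replay_log = []          # only nondeterministic events (slide 7)

    def deliver(self, kind, payload):
        self.replay_log.append((kind, payload))
        self.guest.deliver(kind, payload)

    def replay(self, upto=None):
        """Rebuild the guest from the image and the log; returns the state after each event,
        so an analyst can stop at any point, including after the OS was replaced."""
        guest = GuestVM(self.image)
        states = []
        for kind, payload in self.replay_log[:upto]:
            guest.deliver(kind, payload)
            states.append(guest.state)
        return states

    def try_on_clone(self, kind, payload):
        """Slide 8: measure a suspicious event's actual effect on a throw-away clone."""
        clone = copy.deepcopy(self.guest)
        clone.deliver(kind, payload)
        return {"os_replaced": clone.os_replaced,
                "syslog_enabled": clone.syslog_enabled,
                "state_changed": clone.state != self.guest.state}


def run_intrusion_scenario():
    """Constructed event sequence following the slide 6 timeline."""
    mon = Monitor(b"constructed-disk-image")
    for event in [("network", "login"), ("keyboard", "disable syslog"),
                  ("keyboard", "replace OS"), ("network", "outbound packet")]:
        mon.deliver(*event)
    return mon


if __name__ == "__main__":
    mon = run_intrusion_scenario()
    print("guest syslog kept", len(mon.guest.syslog), "of", len(mon.replay_log), "events")
    print("replay matches live state:", mon.replay()[-1] == mon.guest.state)
```

The guest's syslog stops at the second event, but the monitor's log holds all four, and `replay()` reproduces the identical final state because everything between logged events is deterministic. The clone test answers "what did this event actually do" without touching the running guest; what the original guest should do while the clone runs is the open question the slide leaves.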

9
Intrusion detection
  • Current detectors look for signs that system has been compromised
    • network-based detectors only see network packets
    • host-based detectors vulnerable to OS compromise
  • Virtual-machine intrusion detector
    • monitor complete set of system events (CPU, memory, disk, keyboard, network)
    • monitoring continues even if OS is compromised
  • Semantic gap: how to understand system events without re-implementing guest OS?

10
Environment migration
  • Lots of ways to migrate state: thin clients, distributed FS, process migration, carry laptop
    • intolerant of latency
    • residual dependencies
    • require user intervention/management
  • Virtual machines can encapsulate and move complete state of running computer
    • no OS changes
    • nothing to carry (or lose)
    • utilize remote computing resources

11
Migrating quickly
  • Machine state can be very large: memory and disk
  • Take advantage of sequential sharing patterns
    • logically one machine: no concurrent sharing of state
    • exploit pattern via DFS, shared memory techniques
  • Not all state is needed right away
    • memory and disk working set size is visible
    • may successfully predict immediate needs
  • Requires crossing the semantic gap
    • disk gaps are easy: physical blocks rarely remapped
    • memory is often remapped, via virtualized hardware

12
Other uses of encapsulation
  • Fast migration depends on ability to do two things
    • encapsulate the entire state of a machine
    • identify critical state that will be needed soon
  • Other potential uses for encapsulation
    • machine cloning for destructive hypothesis testing
    • encrypting entire machine state for arbitrary OSs
  • Current encryption systems: one-shot, incomplete
    • file system, swap space, secure RPC,
  • Can use encapsulation to guarantee all state
    • suspend virtual machine to (encrypted) disk
    • capture all network traffic below level of OS

13
Alternatives
  • Add service to monolithic OS
    • trusts entire OS to be secure
    • trusts entire OS to be crash-proof
  • Re-structure OS into isolated layers
    • requires OS modifications
    • similar tradeoffs to VM-based services: performance, semantic gap
  • Language-level virtual machines
    • limited to applications written in specific languages

14
Conclusions
  • Virtual-machine services have interesting potential ...
    • portable across different OSs
    • work despite OS compromise
    • clone, encrypt, transport state of entire computer
  • ... and raise plenty of open questions
    • performance penalty
    • semantic gap

15
Zero-Interaction Authentication
  • Laptop theft an increasingly common problem
    • cost is not loss of hardware, but exposure of data
    • Qualcomm founder, MI5/MI6, State Dept.
  • Cryptographic file systems do not solve this
    • authentication gives laptop authority to decrypt
    • anyone holding the laptop has authority too
    • frequent authentication -> user burden -> turn off
  • ZIA: user retains long-term authority
    • wear cryptographic token with short-range radio
    • token contains key-encrypting keys
    • file system gets encryption keys only when needed

16
ZIA Extended to Entire Machine
  • ZIA only protects below file system/application boundary
    • once an application reads data, cannot reclaim it
    • data can be displayed on screen or in memory
  • Virtual machines allow easy capture of this state
    • when user leaves, suspend guest machine
    • store guest image on a host ZIA disk
    • begin restoration when user is back in range
  • User has no incentive to disable encryption
    • low performance penalty over raw disk
    • data restored before user resumes work
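The key hierarchy of slides 15 and 16, as an added example that is not the ZIA implementation or code from the slides: a wearable token holds only the key-encrypting key, the laptop's disk holds each file key wrapped under it, and the file system keeps cleartext file keys in memory only while the token is in range, discarding them (and, on slide 16, the suspended guest image would be written through the same path) when the user walks away. The cipher here is a constructed HMAC-SHA256 keystream standing in for the real block cipher, the radio is simulated by an `in_range` flag, and every class and file name is an assumption of the example.

```python
import hashlib
import hmac
import secrets


class TokenOutOfRange(Exception):
    """The wearable token is not in radio range: no key material can be obtained."""


def _mask(key, label, length):
    """Toy keystream from HMAC-SHA256 (stand-in for a real cipher, constructed here)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, mask):
    return bytes(a ^ b for a, b in zip(data, mask))


class Token:
    """Wearable token: holds the key-encrypting key (KEK), never the file keys."""

    def __init__(self):
        self.kek = secrets.token_bytes(32)
        self.in_range = True          # simulated short-range radio

    def wrap(self, file_key, file_id):
        """Encrypt a file key under the KEK (toy: XOR with a per-file HMAC mask)."""
        if not self.in_range:
            raise TokenOutOfRange(file_id)
        return _xor(file_key, _mask(self.kek, b"wrap:" + file_id, len(file_key)))

    def unwrap(self, wrapped, file_id):
        return self.wrap(wrapped, file_id)   # XOR masking is its own inverse


class ZIAFileSystem:
    """File system that only ever holds cleartext keys while the token is present."""

    def __init__(self, token):
        self.token = token
        self.disk = {}        # file_id -> (wrapped file key, ciphertext): what a thief gets
        self.key_cache = {}   # file_id -> cleartext file key: memory only, token present

    def _file_key(self, file_id):
        if file_id not in self.key_cache:          # fetch lazily, only when needed
            wrapped, _ = self.disk[file_id]
            self.key_cache[file_id] = self.token.unwrap(wrapped, file_id)
        return self.key_cache[file_id]

    def write(self, file_id, plaintext):
        file_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        body = _xor(plaintext, _mask(file_key, b"data:" + nonce, len(plaintext)))
        self.disk[file_id] = (self.token.wrap(file_key, file_id), nonce + body)
        self.key_cache[file_id] = file_key

    def read(self, file_id):
        file_key = self._file_key(file_id)
        _, ciphertext = self.disk[file_id]
        nonce, body = ciphertext[:16], ciphertext[16:]
        return _xor(body, _mask(file_key, b"data:" + nonce, len(body)))

    def user_departed(self):
        """Token left range: drop every cleartext key; the disk alone is useless."""
        self.key_cache.clear()


def read_or_none(fs, file_id):
    """Read helper that reports an absent token as None instead of raising."""
    try:
        return fs.read(file_id)
    except TokenOutOfRange:
        return None


if __name__ == "__main__":
    token = Token()
    fs = ZIAFileSystem(token)
    fs.write(b"notes", b"constructed secret")
    token.in_range = False
    fs.user_departed()
    print("readable while token away:", read_or_none(fs, b"notes"))
    token.in_range = True
    print("readable when token returns:", read_or_none(fs, b"notes"))
```

No re-authentication is ever demanded of the user: returning into range is enough, because the next `read` re-fetches the wrapped key from the token. The thing that actually limits this scheme is what slide 16 points at: `user_departed` can clear the key cache, but it cannot reclaim plaintext an application already holds, which is why the slides move the suspend-and-encrypt step up to the whole guest machine.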

17
Other Uses of Encapsulation
  • Needn't just store image passively on disk
    • cryptographic token identifies user
    • location-aware systems can track nearby facilities
  • Provides secure environment migration
    • user's machine follows them wherever they go
    • utilize nearby computing resources
    • no OS changes, nothing to carry or lose
  • Can be significant state
    • not all is needed at any one time, it is never shared
    • optimize by observing hot state, migrate that first
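The "observe hot state, migrate that first" idea of slides 11 and 17, as an added example that is not code from the slides: from a trace of block accesses the monitor has seen (disk blocks, or memory pages once the semantic gap of slide 11 is crossed), pick the working set and ship it before the cold remainder, then simulate a destination that resumes immediately and stalls whenever it touches state that has not arrived. The traces, the block count and the one-block-per-tick transfer rate are constructed; the ranking rule (most frequently, then most recently used) is a choice of the example, not the slides'.

```python
from collections import Counter


def hot_state_order(access_trace, all_blocks, window=None):
    """Transfer order: recent working set first (most used, then most recently
    used), every remaining cold block afterwards in address order."""
    recent = access_trace[-window:] if window else list(access_trace)
    last_seen = {}
    for position, block in enumerate(recent):
        last_seen[block] = position
    counts = Counter(recent)
    hot = sorted(last_seen, key=lambda b: (-counts[b], -last_seen[b], b))
    cold = sorted(set(all_blocks) - set(hot))
    return hot + cold


def completion_ticks(order, future_accesses):
    """Lazy migration model: one block arrives per tick in `order`; the guest
    resumes at tick 0, performs one access per tick and stalls until the block
    it needs has arrived. Returns the tick at which the last access completes."""
    arrival = {block: tick for tick, block in enumerate(order, start=1)}
    clock = 0
    for block in future_accesses:
        clock = max(clock + 1, arrival[block])
    return clock


def stall_ticks(order, future_accesses):
    """Ticks the resumed guest spent waiting for state (0 means no visible stall)."""
    return completion_ticks(order, future_accesses) - len(future_accesses)


# Constructed traces: 16 blocks, the guest keeps returning to a small working set.
ALL_BLOCKS = list(range(16))
PAST_TRACE = [3, 7, 3, 9, 3, 7, 12, 3]      # what the monitor observed before migration
FUTURE_TRACE = [3, 7, 3, 12, 9, 3, 7]       # what the guest does after resuming


def compare_strategies():
    """Stall time for address-order transfer versus working-set-first transfer."""
    naive = sorted(ALL_BLOCKS)
    hot_first = hot_state_order(PAST_TRACE, ALL_BLOCKS)
    return {"address_order": stall_ticks(naive, FUTURE_TRACE),
            "hot_first": stall_ticks(hot_first, FUTURE_TRACE)}


if __name__ == "__main__":
    print("transfer order:", hot_state_order(PAST_TRACE, ALL_BLOCKS))
    print("stall ticks:", compare_strategies())
```

Because the machine is logically one and never shared concurrently (slide 11), nothing at the source can invalidate the prediction while the transfer runs, which is what makes a purely observational ranking like this safe to act on. A block the prediction misses still arrives eventually; the cost of a wrong guess is the stall that `stall_ticks` measures, never lost state.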