Secure & Flexible Monitoring of Virtual Machines
University of Mazandaran Science & Technology
By: Esmaill Khanlarpour
January 07, 2010
Outline:
VMM & Types
Xen Hypervisor
Xen Architecture
Memory Introspection
Introduction
Prolegomenon
Requirements
XenAccess Monitoring Library
XenAccess Virtual Memory Introspection
Conclusion
VMM (or Hypervisor):
A virtual machine monitor is a software (or hardware-assisted) platform-virtualization layer that allows multiple operating systems to run concurrently on one host computer.
It is responsible for VM management, memory partitioning, CPU scheduling, ...
VMM types:
Type 1 (bare-metal) hypervisors run directly on the host's hardware. They control the hardware and monitor the guest operating systems.
Examples include VMware ESX Server, Xen, Oracle VM Server, ...
VMM types (contd.):
Type 1 architecture (top to bottom):
  Application    Application
  OS             OS
  VMM
  Hardware
VMM types (contd.):
Type 2 (or hosted) hypervisors are software applications running within a conventional operating-system environment.
Examples include VMware Server (formerly known as GSX), VMware Workstation, ...
VMM types (contd.):
Type 2 architecture (top to bottom):
  Application
  OS
  VMM
  Host OS
  Hardware
Xen Hypervisor:
Xen is a virtual-machine monitor for the x86, x86-64, Itanium and PowerPC 970 architectures.
The University of Cambridge Computer Laboratory developed the first versions of Xen for Linux.
As of 2009 the Xen community develops and maintains Xen as free software.
Xen Hypervisor (contd.):
Xen is licensed under the GNU General Public License, version 2 (GPLv2).
Xen has traditionally used a paravirtualized approach to implement virtualization.
Xen uses a split-domain architecture, meaning that guest OSes are kept in unprivileged domains (DomU), separate from the privileged management domain.
Xen is a Type 1 VMM.
Xen Hypervisor (contd.):
The other kind of domain in Xen is Domain 0 (Dom0):
  Dom0    DomU    DomU
  Xen Hypervisor
  Hardware
Domain 0 (Dom0):
boots automatically when the hypervisor boots
interacts with (creates, controls and monitors) the other virtual machines
receives special management privileges and direct access to all physical hardware by default
Modified versions of Linux, NetBSD and Solaris can run as the Dom0
Domain 0 (contd.):
All Xen virtualization environments require Domain 0 to be running before any other virtual machine can be started.
Domain U (DomU):
All paravirtualized virtual machines running on a Xen hypervisor, EXCEPT Dom0, are referred to as DomU PV guests.
Unmodified versions of Microsoft Windows and other proprietary operating systems can also run as guests if the CPU supports x86 hardware virtualization; such CPUs include those with Intel VT and AMD-V.
Xen Architecture:
(architecture diagram; see [6])
Memory Introspection:
Memory introspection is the process of viewing the memory of one virtual machine from a different virtual machine.
What makes memory introspection difficult is the semantic gap between the two virtual machines: the monitoring VM sees only raw pages of the target's memory and must reconstruct the target OS's abstractions (page tables, kernel symbols, data structures) in order to interpret them.
This technique is mostly used in intrusion detection.
Example: the state of the system call table
Introduction:
A conventional monitoring application (example: Task Manager) runs inside the OS it monitors, with no architecture isolating it from that OS, so a compromised OS can tamper with it.
Alternative: run the monitoring application in a separate VM.
The monitoring application is not the VMM itself; it is a separate program that relies on the VMM's isolation.
Creating an Architecture:
Bryan D. Payne and his colleagues started a project at the Georgia Tech Information Security Center (GTISC) called the XenAccess architecture [1].
Bryan D. Payne is a Ph.D. candidate in the College of Computing at the Georgia Institute of Technology.
Requirements:
They designed the XenAccess architecture based on six high-level requirements.
In a general sense, these requirements can be seen as typical good programming guidelines, or good security guidelines.
1. No superfluous modifications to the VMM.
2. No modifications to the VM or the target OS.
3. Small performance impact.
4. Rapid development of new monitors.
5. Ability to monitor any data on the target OS.
6. Target OS cannot tamper with monitors.
XenAccess Monitoring Library:
XenAccess is a library that simplifies the process of memory introspection for virtual machines running on the Xen hypervisor [1].
With XenAccess, your software can run in one virtual machine and access the memory space of other virtual machines.
The primary goal of the XenAccess architecture is to satisfy the six requirements stated above.
XenAccess Monitoring Library (contd.):
XenAccess is implemented in C as a shared library with 1935 source lines of code (SLOC).
The two primary monitoring functionalities in XenAccess are virtual memory introspection and virtual disk monitoring.
XenAccess Monitoring Library (contd.):
XenAccess & Requirements
Property 1 (no superfluous VMM modifications): they chose Xen as the virtualization solution because it is a Type 1 VMM that already provides the infrastructure needed for introspection (Dom0 can map the memory of other domains), so the VMM itself does not have to be changed.
Property 2 (no modifications to the VM or target OS): with the Xen infrastructure they were able to design the monitoring architecture to work without changes to the target OS.
Property 3 (small performance impact): verified by measuring the performance of XenAccess [1].
Property 4 (rapid development of new monitors): provided by XenAccess's API (application programming interface), which hides the low-level details of mapping and translating the target's memory.
Property 5 (ability to monitor any data on the target OS): the architecture is designed so that a monitor can reach any data on the target OS, through memory introspection and disk monitoring.
Property 6 (target OS cannot tamper with monitors): they placed the monitors in a different VM than the target OS. Xen provides sufficient isolation between VMs for this to be a viable solution.
XenAccess Monitoring Functionalities:
Virtual memory introspection
Virtual disk monitoring
Virtual Memory Introspection:
XenAccess memory introspection
Examples include:
an application that monitors for changes in the system call table
an application that monitors the integrity of an installed LKM (Linux kernel module)
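The two monitors listed above, and the semantic-gap problem described under Memory Introspection, come down to the same mechanism: translate a kernel virtual address through the target's own page tables, read the bytes that live there, and compare them with a known-good copy. The following program is an added example written for this page; it is not code from the slides, from [1], or from the XenAccess library. It works on a constructed in-memory image of a 32-bit non-PAE x86 guest (CR3 at 0x1000, a kernel page table at 0x2000, sys_call_table at 0xC0003000, eight handlers at 0xC0005000 and up are all assumed values), so it runs offline; in a real deployment the byte image would be replaced by pages of the target domain mapped into the monitoring VM, for instance with XenAccess from Dom0.

```c
/* Added example (not from the slides or XenAccess): a minimal introspector for a
 * 32-bit non-PAE x86 guest. It bridges the semantic gap for one structure, the
 * system call table: walk the guest's own page tables to map a kernel virtual
 * address to a guest-physical one, read the table through that mapping, and diff
 * it against a known-good baseline. Guest memory is a constructed byte image; a
 * real monitor would read target-domain pages mapped into the monitoring VM
 * (e.g. with XenAccess from Dom0). All addresses below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE        0x1000u
#define GUEST_MEM_SIZE   (16u * PAGE_SIZE)
#define GUEST_CR3        0x1000u      /* physical address of the page directory */
#define KERNEL_PT_PA     0x2000u      /* page table for the 0xC0000000 region */
#define KERNEL_BASE_VA   0xC0000000u  /* kernel VA 0xC0000000 + x maps to PA x */
#define SYSCALL_TABLE_VA 0xC0003000u  /* assumed location of sys_call_table */
#define NR_SYSCALLS      8u
#define PTE_PRESENT      0x01u
#define PTE_KERNEL_RW    0x63u        /* present | rw | accessed | dirty */

/* Known-good handler addresses, e.g. recorded from a clean boot (assumed). */
static const uint32_t kBaselineTable[NR_SYSCALLS] = {
    0xC0005000u, 0xC0005010u, 0xC0005020u, 0xC0005030u,
    0xC0005040u, 0xC0005050u, 0xC0005060u, 0xC0005070u };

static uint32_t le32(const uint8_t *p)
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put_le32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Two-level x86 page walk (CR3 -> PDE -> PTE; 4 KiB pages only, no PSE). */
int va_to_pa(const uint8_t *mem, uint32_t cr3, uint32_t va, uint32_t *pa)
{
    uint32_t pde, pte, pde_pa = (cr3 & 0xFFFFF000u) + (va >> 22) * 4, pte_pa;
    if (pde_pa > GUEST_MEM_SIZE - 4) return 0;          /* directory outside RAM */
    pde = le32(mem + pde_pa);
    if (!(pde & PTE_PRESENT)) return 0;                  /* no page table here */
    pte_pa = (pde & 0xFFFFF000u) + ((va >> 12) & 0x3FFu) * 4;
    if (pte_pa > GUEST_MEM_SIZE - 4) return 0;
    pte = le32(mem + pte_pa);
    if (!(pte & PTE_PRESENT)) return 0;                  /* page not mapped */
    *pa = (pte & 0xFFFFF000u) | (va & 0xFFFu);
    return *pa < GUEST_MEM_SIZE;                         /* frame inside RAM */
}

/* Copy len bytes from guest VA va, translating once per page so a read that
 * crosses a page boundary still lands on the right physical frames. */
int read_virt(const uint8_t *mem, uint32_t cr3, uint32_t va, void *dst, size_t len)
{
    uint8_t *out = dst;
    while (len > 0) {
        uint32_t pa, left = PAGE_SIZE - (va & (PAGE_SIZE - 1));
        size_t chunk = len < left ? len : left;
        if (!va_to_pa(mem, cr3, va, &pa) || chunk > GUEST_MEM_SIZE - pa) return 0;
        memcpy(out, mem + pa, chunk);
        out += chunk; va += (uint32_t)chunk; len -= chunk;
    }
    return 1;
}

/* Diff the live table against the baseline. Returns the number of entries that
 * differ (their indices go to hooked[]), or -1 if the table cannot be read. */
int check_syscall_table(const uint8_t *mem, uint32_t cr3, uint32_t table_va,
                        const uint32_t *baseline, size_t n, size_t *hooked, size_t max_hooked)
{
    size_t i, count = 0;
    for (i = 0; i < n; i++) {
        uint8_t raw[4];
        if (!read_virt(mem, cr3, table_va + (uint32_t)(i * 4), raw, 4)) return -1;
        if (le32(raw) == baseline[i]) continue;
        if (count < max_hooked) hooked[count] = i;
        count++;
    }
    return (int)count;
}

/* Constructed guest image: page directory at CR3, one kernel page table mapping
 * VA 0xC0000000 + x to PA x for all 16 pages, and the baseline table in place. */
uint8_t *build_guest_image(void)
{
    uint32_t i;
    uint8_t *mem = calloc(GUEST_MEM_SIZE, 1);
    if (!mem) return NULL;
    put_le32(mem + GUEST_CR3 + (KERNEL_BASE_VA >> 22) * 4, KERNEL_PT_PA | PTE_KERNEL_RW);
    for (i = 0; i < GUEST_MEM_SIZE / PAGE_SIZE; i++)
        put_le32(mem + KERNEL_PT_PA + i * 4, (i * PAGE_SIZE) | PTE_KERNEL_RW);
    for (i = 0; i < NR_SYSCALLS; i++)
        put_le32(mem + (SYSCALL_TABLE_VA - KERNEL_BASE_VA) + i * 4, kBaselineTable[i]);
    return mem;
}

/* Stand-in for a guest rootkit redirecting one system call: it writes guest
 * physical memory directly, as code running inside the guest kernel would. */
void simulate_hook(uint8_t *mem, size_t idx, uint32_t new_target)
{ put_le32(mem + (SYSCALL_TABLE_VA - KERNEL_BASE_VA) + idx * 4, new_target); }

int main(void)
{
    size_t hooked[NR_SYSCALLS];
    uint8_t *mem = build_guest_image();
    if (!mem) return 1;
    simulate_hook(mem, 2, 0xC0007000u);              /* redirect entry 2 to foreign code */
    int n = check_syscall_table(mem, GUEST_CR3, SYSCALL_TABLE_VA, kBaselineTable,
                                NR_SYSCALLS, hooked, NR_SYSCALLS);
    printf("%d hooked entr%s, first index %zu\n", n, n == 1 ? "y" : "ies",
           n > 0 ? hooked[0] : (size_t)0);
    free(mem);
    return 0;
}
```

The monitor never executes guest code or relies on guest-provided results: it reads the page tables and the table itself from raw memory, which is why a rootkit inside the guest cannot hide the change from it (property 6). The same read_virt() plus baseline comparison is how an LKM integrity monitor would work, with the module's text pages hashed instead of a table of eight pointers compared entry by entry; the remaining difficulty, locating sys_call_table or a module's base address in the first place, is the kernel-symbol lookup that a library such as XenAccess provides on top of this raw access.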
Conclusion:
VMM & Types
Xen Hypervisor
Memory Introspection
XenAccess Monitoring Library
References:
[1] B. D. Payne, M. Carbone, and W. Lee. "Secure and Flexible Monitoring of Virtual Machines". In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007), December 2007.
[2] Xen Introduction. http://wiki.xensource.com/xenwiki/XenIntro, last accessed on 2009/12/22.
[3] Hypervisor. http://en.wikipedia.org/wiki/Hypervisor, last accessed on 2009/12/15.
[4] Xen Dom0. http://wiki.xensource.com/xenwiki/Dom0, last accessed on 2010/01/02.
[5] Xen DomU. http://wiki.xensource.com/xenwiki/DomU, last accessed on 2010/01/02.
[6] Xen Architecture. http://wiki.xensource.com/xenwiki/XenArchitecture, last accessed on 2009/12/15.

Questions?