May 19, 2015
Background• Work on Xen dom0 disaggregation goes back 10 years
– Fault-tolerance, Performance & Scalability– Security and scalability– Relevant papers collected @ http://openxt.org/references.html
• Talks about Xen and Disaggregation / Security @ XenSummit– Client Virtualization Framework, Ze'ev Maor @ Neocleus, 2009– Disaggregated Xen, Patrick Colp @ University of British Columbia, 2011– XenClient XT, Gianluca Guida @ Citrix, 2012– Windsor / XCP disaggregation, James Bulpin @ Citrix, 2012– Secure Server Project, Jason Sonnek @ Adventium, 2013– XenClient XT, Phililp Tricca (me) @ Citrix, 2013
• LinuxCon– Securing your Xen-Based Cloud, George Dunlap @ Citrix, 2013– Security in the Cloud: Containers, KVM, and Xen, George Dunlap @
Citrix, 2014
Terminology
• Guest VM: user facing VM (windows / linux)• Service VM
– as defined in Xoar paper– Virtual machine providing ‘services’ to guests– Can provide duplication for scalability– Can perform security sensitive function for isolation
• APIs– Well defined interfaces between components– Xen front/back device model (block, network)– Platform API like input / ouput plugin architecture– DBus over Inter-VM communication API– Application level discovery, proxies, interposition / layer 7 etc
Disaggregation: Scalability / Security
bump-in-
the-wire
Guest
VM 1
Device Isolation VM
bump-in-
the-wire
Guest
VM 2
• Model described in the earlier literature
• Implemented in Qubes, OpenXT, XCP
• Scalability / security by removing dom0 from I/O path
• Value-add @ bump-in-the-wire (encryption, introspection)
F
B
F
B
F
B
F
B
Disaggregation: Management
• Model described in Xoar and XenClient XT XenSummit talk
• Cursory implementation in OpenXT
• Separates sphere of influence of mgmt. domain
• Can provide compatibility for multiple toolstacks
• API between mgmt. and outside world & domain builder
• Think libvirt and xapi mgmt. on one system
Guest
VM 1
Mgmt
Service VM 1
Guest
VM 2
Guest
VM 3
Mgmt
Service VM 2
Guest
VM 4
Domain Builder
NDVM
Disaggregation: Future
• Disaggregation at application level– Graphics composition– Peer-to-Peer storage / transfer– Mesh networking– “Layer 7” protocol / data interposition
• Proxies of all colors• In-line rewriting / injection: javascript etc
• Unikernels / Pioneering OS research– Service VM as a unit of experimentation & innovation– Minimal driver work (PV)
• Purpose-built appliances– Mesh networking– Anonymity proxies– ClickOS
Where We Are
• “the Snowden effect”
• Increase use of privacy preserving tech
– Tor
– Startpage / Ixquick
– SSL protected traffic increased from 1% to 3%
Where We Are• (U) I hunt sys admins
– Targeted attacks on high-value targets
– Targeting the tech community
• Response– BlackPhone– Protonet (huge crowd-
funding campaign)– Whisper Systems:
RedPhone / TextSecure / Flock
– TrueCrypt audit– Tor PORTAL– cryptech.is
• Produces results or rhetoric?– BlackPhone Hacked in 5
minutes @ DEFCON– Protonet “NSA-Proof” /
“Data Sovereignty”
• XenClient XT 3.0 released 2012• Subsequent maintenance releases
• OpenXT 0.01 released June 2014– https://github.com/OpenXT (59 repos)
• Focus remains– Platform disaggregation & integrity: benefits for
security and scalability– Mainstream client devices
• Room for growth– Additional device profiles– Platform research & value-add
Who / What is OpenXT
What We Have
• Platform is infrastructure– Others have built bridges
– We’ve built another one
• Economic value– transporting “stuffs”
from one side to the other
– How many “stuffs” (quantity \ variety)
– Implies extension
– How safe are the “stuffs” in transit
• So Many Xen Platforms– Client Virtualization
Framework (CVF)– XenClient Initiative (XCI)– Xen Cloud Platform (XCP)– OpenXCI– Qubes– OpenXT
What We Want• Have
– Platform, means for extension and working examples– Full build environment
• Want– Curators: maintainers for core platform components– API hackers: Inter-domain communication (IDC)– Service VM developers– Accelerated Graphics
• Paul Durrant: Multiple Device Emulators for HVM Guests
– AMD DRTM / SKINIT & security co-processor– Composable storage layer with integrity measurement
• Collaboration with other OSS projects– Service VM compatibility (XCP / OpenXCI / Qubes / Alpine Xen)– New Service VMs (HalVM / Mirage / ClickOS / CoreOS)– New hardware targets
• “Headless” mode for server• ARM compatibility
Service VM SDK
• Virtual Appliance – initial prototype OVF• Rootfs template (immutable)• Configuration (immutable)• Configuration (user / administrator writeable)• Data (writeable)• Map concepts from current “containerization”
projects to strong isolation in Service VM– Migration tool– VtoV migration
• Better tools and documentation
Why this “virtual platform”?
• Buildable from source by anyone who reads docs– Embedded-style build using OpenEmbedded (OE) / Yocto– OE layer / distro mechanisms support flexible build time config– Small change in workflow brings larger benefits
• Configurable disaggregation granularity at build-time– Respect hardware constraints– Embedded / Client / Server / Cloud– (Everything is embedded, you just don’t know it yet)
• With specific security properties– Minimize added threat to guest beyond bare metal– Improve security properties where possible– Integrity measurements rooted in hardware
• Have Intel via tboot, want AMD SKINIT
– Mandatory access control
“Upstreaming”
• OpenXT has a lot of code that forks “upstream” currently– Not sustainable
• OpenXT will aim to treat everything as an upstream except– Unique build metadata– Configuration– Platform mgmt.
• Contributions to upstream OE– Xen recipe in meta-virtualization (thanks Chris!)– meta-selinux (lots already)– meta-measured (TPM / TXT / measurement architecture)
UpstreamDevelopment
UpstreamPlatform
OpenXT
OSS Distro
UpstreamBuild Metadata
Bitbake / OE / Yocto
Metadata
RPM Metadata
DPKG Metadata
UpstreamBuild System
DownstreamConsumer
OE / YoctoImage
Recipes
Scripts + apt
Spins / Pungi
ServiceVMProvider
CloudIaaS / PaaS /
SaaS
Hardware OEM
OSV Distro / Embedded
Xen
toolstacks
Qemu
GNU
.
.
.
Linux
Ecosystem
OpenXT
• Project page
– http://openxt.org
• Project repos hosted on Github
– https://github.com/OpenXT
• OpenXT documentation / build instructions
– https://github.com/OpenXT/openxt/wiki/
• Google Group
– https://groups.google.com/forum/#!forum/openxt