Duke Systems. Pocket Hypervisors: Opportunities and Challenges. Peter Chen, University of...

Post on 12-Jan-2016


Duke Systems

Pocket Hypervisors: Opportunities and Challenges

Peter Chen, University of Michigan

Landon Cox, Duke University

Conventional organization

[Diagram labels: Operating System; Process, Process, Process]

Hypervisor organization

[Diagram labels: Hypervisor; Guest OS, Guest OS; Process, Process]

Encapsulation, Mediation, Isolation

Recent interest in hypervisors

Lots of papers/companies the past five years
  Xen, VMware, ReVirt, Potemkin, etc.

On mobile devices? Not so much.
  Some uses of encapsulation (ISR, SoulPad)
  No uses of mediation or isolation

Why? Hypervisors have been considered impractical
  Insufficient hardware support
  Prohibitive performance overhead

Pocket hypervisors are practical and useful.

[Diagram labels: Security; Opportunistic services; Hardware support; Privilege modes; MMU; Moore’s Law]

Securing commodity devices

With PC functions come PC problems
  Mobile malware already exists (Cabir, Skulls)
  Bluetooth exploits (BlueBug, SNARF)

Poses new kinds of threats
  Conversation eavesdropping
  Location privacy compromises
  Gain access to telecom resources

trifinite.org, bluestumbler.org

Simple example attack: Skulls

[Diagram labels: OS; Mobile Anti-virus; Camera; Address book; “Flash player”; Bluetooth services]

On reboot, phone can only make and receive calls.

Partition device functionality

[Diagram labels: Pocket Hypervisor; Core Guest OS; Mobile Anti-virus; 3rd party Guest OS; Bluetooth services; “Flash player”; Bluetooth services; Camera]

Isolate core services from untrusted apps.
Age-old challenge: how to still allow sharing?
Shared file space? Explicit message passing?

Example attack: BlueBug

[Diagram labels: OS; Mobile Anti-virus; Camera; Address book; Bluetooth services]

Remote access to SIM card, can issue AT commands.
(attacker can read contacts, make calls, send SMS)

Security services

[Diagram labels: Pocket Hypervisor; Core Guest OS; Mobile Anti-virus; Camera; 3rd party Guest OS; App; App; Bluetooth services; Security services; Security services]

Difficult to stop this attack (can’t force BT to properly authenticate)
Hypervisor can still provide secure logging, profiling services
Key challenge: how to expose and log guest state efficiently

Pocket hypervisors are practical and useful.

[Diagram labels: Security; Opportunistic services; Hardware support]

Sensor networks

Expose information about environment
  Light, pressure, temperature readings

Expands vantage point of owner
  Hundreds of observation points
  Streamed/aggregated to central location

Mote price-performance ratio
  Cheap nodes allow large deployments (cover large area, overcome failures)
  Powerful nodes allow complex applications

Mobile phones as sensors

Expose information about environment
  Network events, MAC addresses, ESSIDs

Expands vantage point of owner
  Hundreds of observation points
  Streamed/aggregated to central location

Phone price-performance ratio
  Cheap nodes allow large deployments (cover large area, overcome mobility)
  Powerful nodes allow complex applications

Opportunistic services

COPSE (new project at Duke)
  Concurrent opportunistic sensor environment
  “A thicket of small trees cut for economic purposes.”

Allow execution of untrusted service instances
  Enables mobile testbeds, opportunistic sensor nets
  Hypervisor ensures isolation (performance, energy)

Key tension
  Encourage volunteers to participate
  Support useful services

What are the disincentives to participate?

[Diagram label: Internet]

Example disincentive

[Diagram labels: Duke; Franc; Home]

Adversaries shouldn’t be able to upload location trackers.

Location privacy

Could enforce execution regions
  Only execute guests within a physical region
  Requires access to a location service

Could “scrub” MAC addresses
  Hypervisor manages device namespace
  Translate names between VM and network

[Diagram: Node One (N1) and Node Two (N2). Labels in each node: Wireless NIC; Hypervisor; Guest OS, App (twice); VDriver (twice); Machine Driver.
N1 = 00:13:21:B7:94:B9
N2 = 00:30:65:0D:11:61
Addresses shown in the first node block: 00:18:DE:2C:A3:8A; 00:0C:29:4E:F4:1C, 00:30:65:0D:11:61
Addresses shown in the second node block: 00:0C:29:4E:F4:1C; 00:18:DE:2C:A3:8A, 00:13:21:B7:94:B9]
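
The MAC "scrubbing" idea from the Location privacy slide, as an added example (not code from the slides or from the COPSE project): a per-guest translation table in which the hypervisor swaps each real source address for a guest-local alias on receive and maps the alias back on transmit. The struct layouts, function names, alias format and the simplified two-address frame header are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 32

/* One guest's private device namespace: real MAC <-> guest-visible alias. */
typedef struct { uint8_t real[6], alias[6]; } name_pair;
typedef struct { name_pair tab[MAX_NAMES]; int n; uint8_t guest_id; } guest_ns;
/* Simplified frame header (assumption): destination, then source address. */
typedef struct { uint8_t dst[6], src[6]; } frame_hdr;

/* Inbound: swap the real source address for this guest's alias, allocating
 * one on first sight. Returns -1 if the table is full (drop the frame). */
int scrub_inbound(guest_ns *ns, frame_hdr *h) {
    int i;
    for (i = 0; i < ns->n; i++)
        if (memcmp(ns->tab[i].real, h->src, 6) == 0) break;
    if (i == ns->n) {
        if (ns->n == MAX_NAMES) return -1;
        /* First octet 0x02: locally administered, unicast. */
        uint8_t a[6] = {0x02, 0, 0, ns->guest_id, 0, (uint8_t)i};
        memcpy(ns->tab[i].real, h->src, 6);
        memcpy(ns->tab[i].alias, a, 6);
        ns->n++;
    }
    memcpy(h->src, ns->tab[i].alias, 6);
    return 0;
}

/* Outbound: map the alias the guest addressed back to the real device.
 * Returns -1 for any name this guest was never given (real ones included). */
int restore_outbound(const guest_ns *ns, frame_hdr *h) {
    for (int i = 0; i < ns->n; i++)
        if (memcmp(ns->tab[i].alias, h->dst, 6) == 0) {
            memcpy(h->dst, ns->tab[i].real, 6);
            return 0;
        }
    return -1;
}

int main(void) {
    /* Constructed sample: one frame from the N2 address in the diagram. */
    guest_ns ns = { .n = 0, .guest_id = 1 };
    frame_hdr h = { {0}, {0x00, 0x30, 0x65, 0x0D, 0x11, 0x61} };
    scrub_inbound(&ns, &h);
    printf("guest sees %02x:..:%02x:%02x\n", h.src[0], h.src[3], h.src[5]);
    return 0;
}
```

Because each guest has its own table, the same device appears under a different alias in every guest, and no real address crosses into a VM.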

Conclusions

Pocket hypervisors are practical and useful

Practicality
  Commodity device support for virtualization
  Device resources are becoming more plentiful

Usefulness
  Device security
  Opportunistic services