Hyper-V Security
Hyper-V SecurityHyper-V Security
Brandon BakerSenior Development Lead
Microsoft
Brandon BakerSenior Development Lead
Microsoft
William ArbaughPrincipal ArchitectMicrosoft
William ArbaughPrincipal ArchitectMicrosoft
October 31st, 2008 1ACM CCS / VMSec
Hyper-V Security
AgendaAgenda
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
October 31st, 2008 2ACM CCS / VMSec
Hyper-V Security
What is Hyper-V?What is Hyper-V?
• Full machine virtualization• Component of Windows Server
2008 x64• Beta shipped in box• RTM available through Windows
Update
• Full machine virtualization• Component of Windows Server
2008 x64• Beta shipped in box• RTM available through Windows
Update
ACM CCS / VMSec October 31st, 2008 3
Hyper-V Security
How to install Hyper-VHow to install Hyper-V
October 31st, 2008 4ACM CCS / VMSec
Hyper-V Security
What is Hyper-V?What is Hyper-V?
• Has three major components:• Hypervisor• Virtualization Stack• Virtual Devices
• Requires hardware assisted virtualization• AMD AMD-V • Intel VT
• Has three major components:• Hypervisor• Virtualization Stack• Virtual Devices
• Requires hardware assisted virtualization• AMD AMD-V • Intel VT
October 31st, 2008 5ACM CCS / VMSec
Hyper-V Security
AgendaAgenda
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
October 31st, 2008 6ACM CCS / VMSec
Hyper-V Security
VMM ArrangementsVMM Arrangements
• Hosted Virtualization• Hosted Virtualization • Hypervisor Virtualization• Hypervisor Virtualization
VMMVMM
ExamplesVMware Workstation KVMVirtual PC & Virtual Server
ExamplesVMware ESXXenHyper-V
Hardware Hardware
Host OS
Guest 1 Guest 2 Guest 1 Guest 2
October 31st, 2008 7ACM CCS / VMSec
Hyper-V Security
Monolithic Versus MicrokernelMonolithic Versus Microkernel
• Monolithic hypervisor• Simpler than a modern kernel,
but still complex• Implements driver model
• Monolithic hypervisor• Simpler than a modern kernel,
but still complex• Implements driver model
• Microkernel hypervisor• Simple partitioning functionality• Increase reliability and
minimizes TCB• No third-party code• Drivers run in root guest
• Microkernel hypervisor• Simple partitioning functionality• Increase reliability and
minimizes TCB• No third-party code• Drivers run in root guest
All virtualization systems have a VMM, drivers, virtualization software, and management interfaces.
Hypervisor
VM 1(Admin)
VM 2 VM 3
Hardware Hardware
Hypervisor
VM 2(“Child”)
VM 3(“Child”)
October 31st, 2008 8ACM CCS / VMSec
Hyper-V Security
AgendaAgenda
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
October 31st, 2008 9ACM CCS / VMSec
Hyper-V Security
Root
VirtualizationService
Providers(VSPs)
WindowsKernel
Server Core
Virtualization Stack
DeviceDrivers
Windows hypervisor
VM WorkerProcessesVMMS
Service
WMI Provider
Guest Partitions
Ring 0
Ring 3
VirtualizationServiceClients(VSCs)
OSKernel
EnlightenmentsVMBus
Guest Applications
Provided by:Provided by:
WindowsWindows
ISVISV
Hyper-VHyper-V
Hyper-V ArchitecturePartition
VMCS/VMCBAPICMMUCPUStorage NIC
Ring 0
Ring 3
Ring “-1”
October 31st, 2008 10ACM CCS / VMSec
Hyper-V Security
HypervisorHypervisor• Partitioning Kernel
• Partition is isolation boundary• Few virtualization functions;
relies on virtualization stack
• Very thin layer of software• Microkernel• Highly reliable
• No device drivers• Two versions, one for Intel
and one for AMD• Drivers run in the root• Leverage the large base of
Windows drivers
• Well-defined interface• Allow others to create
support for their OSes as guests
• Partitioning Kernel• Partition is isolation boundary• Few virtualization functions;
relies on virtualization stack
• Very thin layer of software• Microkernel• Highly reliable
• No device drivers• Two versions, one for Intel
and one for AMD• Drivers run in the root• Leverage the large base of
Windows drivers
• Well-defined interface• Allow others to create
support for their OSes as guests
• Runs within the root partition• Portion of traditional
hypervisor that has been pushed up and out to make a micro-hypervisor
• Manages guest partitions• Handles intercepts• Emulates devices
Virtualization Stack
October 31st, 2008 11ACM CCS / VMSec
Hyper-V Security
AgendaAgenda
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
October 31st, 2008 12ACM CCS / VMSec
Hyper-V Security
Root
VirtualizationService
Providers(VSPs)
WindowsKernel
Server Core
Virtualization Stack
DeviceDrivers
Windows hypervisor
VM WorkerProcessesVM
Service
WMI Provider
Guest Partitions
VirtualizationServiceClients(VSCs)
OSKernel
EnlightenmentsVMBus
Guest Applications
Hyper-V TCBPartition
October 31st, 2008 13ACM CCS / VMSec
Hyper-V Security
Security AssumptionsSecurity Assumptions• Guests are untrusted• Root must be trusted by hypervisor; parent must
be trusted by children.• Code will run in all available processor modes,
rings, and segments• Hypercall interface will be well documented and
widely available to attackers.• All hypercalls can be attempted by guests• Can detect you are running on a hypervisor• We’ll even give you the version• The internal design of the hypervisor will be well
understood
• Guests are untrusted• Root must be trusted by hypervisor; parent must
be trusted by children.• Code will run in all available processor modes,
rings, and segments• Hypercall interface will be well documented and
widely available to attackers.• All hypercalls can be attempted by guests• Can detect you are running on a hypervisor• We’ll even give you the version• The internal design of the hypervisor will be well
understood October 31st, 2008 14ACM CCS / VMSec
Hyper-V Security
Security GoalsSecurity Goals• Strong isolation between partitions• Protect confidentiality and integrity of guest data
• Separation• Unique hypervisor resource pools per guest• Separate worker processes per guest• Guest-to-parent communications over unique channels
• Non-interference• Guests cannot affect the contents of other guests, parent, hypervisor• Guest computations protected from other guests• Guest-to-guest communications not allowed through VM interfaces• Memory, registers, and caches scrubbed on VM context switch
• Strong isolation between partitions• Protect confidentiality and integrity of guest data
• Separation• Unique hypervisor resource pools per guest• Separate worker processes per guest• Guest-to-parent communications over unique channels
• Non-interference• Guests cannot affect the contents of other guests, parent, hypervisor• Guest computations protected from other guests• Guest-to-guest communications not allowed through VM interfaces• Memory, registers, and caches scrubbed on VM context switch
October 31st, 2008 15ACM CCS / VMSec
Hyper-V Security
Security Non-GoalsSecurity Non-Goals• Things we don’t do in Hyper-V v1• Mitigate hardware bleed-through
(inference attacks)• Mitigate covert channels• Guarantee availability• Protect guests from the root• Protect the hypervisor from the root• Utilize trusted hardware• TPM, Device Assignment, DMA protection,
Secure Launch
• Things we don’t do in Hyper-V v1• Mitigate hardware bleed-through
(inference attacks)• Mitigate covert channels• Guarantee availability• Protect guests from the root• Protect the hypervisor from the root• Utilize trusted hardware• TPM, Device Assignment, DMA protection,
Secure Launch October 31st, 2008 16ACM CCS / VMSec
Hyper-V Security
Root Partition
Server Core
Virtualization Stack
Windows hypervisor
Guest Partitions
Guest OSKernel
Guest Applications
Hyper-V Security Model
VMBus
AzMan
Hypercall
Part ID 1
Hypercall
Part ID 2…n
Partition Privileges
VM Config
Win
do
ws
Au
thN
Part ID to VM Config
VMCSMemory Map
October 31st, 2008 17ACM CCS / VMSec
Hyper-V Security
Hypervisor Security Model
Hypervisor Security Model
• Memory• Physical Address to Partition map
maintained by Hv• Parent/Child ownership model on
memory• Can supersede access rights in guest
page tables (R, W, X)
• CPU• Hardware guarantees cache & register
isolation, TLB flushing, instruction interception
• I/O• Hypervisor enforces Parent policy for all
guest access to I/O ports• Hyper-V v1 policy is guests have no
access to real hardware
• Hypervisor Interface• Partition privilege model• Guests access to hypercalls,
instructions, MSRs with security impact enforced based on Parent policy
• Hyper-V v1 policy is guests have no access to privileged instructions
• Memory• Physical Address to Partition map
maintained by Hv• Parent/Child ownership model on
memory• Can supersede access rights in guest
page tables (R, W, X)
• CPU• Hardware guarantees cache & register
isolation, TLB flushing, instruction interception
• I/O• Hypervisor enforces Parent policy for all
guest access to I/O ports• Hyper-V v1 policy is guests have no
access to real hardware
• Hypervisor Interface• Partition privilege model• Guests access to hypercalls,
instructions, MSRs with security impact enforced based on Parent policy
• Hyper-V v1 policy is guests have no access to privileged instructions
• Uses Authorization Manager (AzMan)• Fine grained authorization and
access control• Department and role based• Segregate who can manage groups
of VMs
• Define specific functions for individuals or roles• Start, stop, create, add hardware,
change drive image
• VM administrators don’t have to be Server 2008 administrators
• Guest resources are controlled by per VM configuration files
• Shared resources are protected• Read-only (CD ISO file)• Copy on write (differencing disks)
• Uses Authorization Manager (AzMan)• Fine grained authorization and
access control• Department and role based• Segregate who can manage groups
of VMs
• Define specific functions for individuals or roles• Start, stop, create, add hardware,
change drive image
• VM administrators don’t have to be Server 2008 administrators
• Guest resources are controlled by per VM configuration files
• Shared resources are protected• Read-only (CD ISO file)• Copy on write (differencing disks)
Hyper-V Security ModelHyper-V Security Model
October 31st, 2008 18ACM CCS / VMSec
Hyper-V Security
Virtualization AttacksVirtualization AttacksRoot Partition
VirtualizationService
Providers(VSPs)
WindowsKernel
Server Core
DeviceDrivers
Virtualization Stack
VM WorkerProcessesVM
Service
WMI Provider
Guest Partitions
VirtualizationServiceClients(VSCs)
EnlightenmentsVMBus
Server Hardware
Guest Applications
HackersHackers
OSKernel
Windows hypervisor
VMBus
Provided by:Provided by:
WindowsWindows
ISVISV
Hyper-VHyper-V
October 31st, 2008 19ACM CCS / VMSec
Hyper-V Security
Hyper-V Security Hardening (1/2)
Hyper-V Security Hardening (1/2)
• Hypervisor has separate address space• Guest addresses != Hypervisor addresses
• No 3rd party code in the Hypervisor• Limited number of channels from guests to
hypervisor• No “IOCTL”-like things
• Guest to guest communication through hypervisor is prohibited
• No shared memory mapped between guests• Guests never touch real hardware i/o
• Hypervisor has separate address space• Guest addresses != Hypervisor addresses
• No 3rd party code in the Hypervisor• Limited number of channels from guests to
hypervisor• No “IOCTL”-like things
• Guest to guest communication through hypervisor is prohibited
• No shared memory mapped between guests• Guests never touch real hardware i/o
October 31st, 2008 20ACM CCS / VMSec
Hyper-V Security
Hyper-V Security Hardening (2/2)
Hyper-V Security Hardening (2/2)
• Hypervisor built with • ASLR• Stack guard cookies (/GS)• Hardware No eXecute (NX)• Code pages marked read only• Memory guard pages• Limited exception handling• Hypervisor binary is signed
• Hypervisor and Root components completed SDL• Threat modeling• Static Analysis• Fuzz testing• Penetration testing
• Hypervisor built with • ASLR• Stack guard cookies (/GS)• Hardware No eXecute (NX)• Code pages marked read only• Memory guard pages• Limited exception handling• Hypervisor binary is signed
• Hypervisor and Root components completed SDL• Threat modeling• Static Analysis• Fuzz testing• Penetration testing
October 31st, 2008 21ACM CCS / VMSec
Hyper-V Security
AgendaAgenda
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
October 31st, 2008 22ACM CCS / VMSec
Hyper-V Security
Maslow’s Hierarchy of Virtualization Security
Maslow’s Hierarchy of Virtualization Security
October 31st, 2008 23ACM CCS / VMSec
Hyper-V Security
Challenges – ImplementationChallenges – Implementation
• Security of the platform• SDL• Simplify• Separate• Push complexity out and
up
• Hypervisor correctness“Is this hypervisor safe?”
• Security of the platform• SDL• Simplify• Separate• Push complexity out and
up
• Hypervisor correctness“Is this hypervisor safe?”
October 31st, 2008 24ACM CCS / VMSec
Hyper-V Security
Challenges – ManagementChallenges – Management
• VM security level• Host suitability
• Identity• Administration• Patching• Software Inventory• Compliance• Antivirus• Network vs. virtual network security
“Are my policies safe?”
• VM security level• Host suitability
• Identity• Administration• Patching• Software Inventory• Compliance• Antivirus• Network vs. virtual network security
“Are my policies safe?”
October 31st, 2008 25ACM CCS / VMSec
Hyper-V Security
Challenges – RealizationChallenges – Realization
• Projecting security invariants into VMs
• Monitoring VM behavior• Behavior modification• Intercepting VM data flows
“Can I make my OS safer by being a VM?”
• Projecting security invariants into VMs
• Monitoring VM behavior• Behavior modification• Intercepting VM data flows
“Can I make my OS safer by being a VM?”
October 31st, 2008 26ACM CCS / VMSec
Hyper-V Security
AgendaAgenda
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions
October 31st, 2008 27ACM CCS / VMSec
Hyper-V Security
What are we exploring?What are we exploring?• Measured launch• IOMMU support• TPM virtualization
• Measured launch• IOMMU support• TPM virtualization
October 31st, 2008 28ACM CCS / VMSec
Hyper-V Security
Measured LaunchMeasured Launch
• Start with Dynamic Root of Trust Measurement (DRTM)• AMD SKINIT • Intel SENTER
• DRTM resets processor to clean stateand executes secure loader• Loader starts a measurement chain
• Allows for measurement and policy enforcement on hypervisor
• Start with Dynamic Root of Trust Measurement (DRTM)• AMD SKINIT • Intel SENTER
• DRTM resets processor to clean stateand executes secure loader• Loader starts a measurement chain
• Allows for measurement and policy enforcement on hypervisor
October 31st, 2008 29ACM CCS / VMSec
Hyper-V Security
I/O Memory Management Unit (IOMMU)
I/O Memory Management Unit (IOMMU)
• Used for containing and directingdevice traffic• Access to memory• Interrupts
• Under development and goes by lotsof names• IOMMU (long-standing use in industry, AMD)• DMA Remapping (Intel/Microsoft)• VT-d, VT-d2 (Intel)
• Used for containing and directingdevice traffic• Access to memory• Interrupts
• Under development and goes by lotsof names• IOMMU (long-standing use in industry, AMD)• DMA Remapping (Intel/Microsoft)• VT-d, VT-d2 (Intel)
October 31st, 2008 30ACM CCS / VMSec
Hyper-V Security
TPM VirtualizationTPM Virtualization• Open questions:• What is the right way to expose TPM
functionality to VMs?• Low level hardware interface vs. hypercall• TPM wasn’t designed to be virtualized
• How should you handle measurements across VM migrations?• If a VM is sealed to a platform, it can’t be migrated.• If a VM isn’t sealed to a platform, how much trust do
you have?
• Open questions:• What is the right way to expose TPM
functionality to VMs?• Low level hardware interface vs. hypercall• TPM wasn’t designed to be virtualized
• How should you handle measurements across VM migrations?• If a VM is sealed to a platform, it can’t be migrated.• If a VM isn’t sealed to a platform, how much trust do
you have?
October 31st, 2008 31ACM CCS / VMSec
Hyper-V Security
For More InformationFor More Information• Email me thoughts, ideas, questions
• [email protected]• [email protected]
• Hypervisor Interface Specification• http://msdn.microsoft.com/en-us/library/bb969686.aspx
• Black Hat presentations• http://www.blackhat.com/html/bh-media-archives/bh-
archives-2007.html
• RSA Virtualization Blog• http://blogs.msdn.com/rsa2008/archive/2008/04/07/
isolation-of-virtual-machines.aspx
• Email me thoughts, ideas, questions• [email protected]• [email protected]
• Hypervisor Interface Specification• http://msdn.microsoft.com/en-us/library/bb969686.aspx
• Black Hat presentations• http://www.blackhat.com/html/bh-media-archives/bh-
archives-2007.html
• RSA Virtualization Blog• http://blogs.msdn.com/rsa2008/archive/2008/04/07/
isolation-of-virtual-machines.aspx October 31st, 2008 32ACM CCS / VMSec
Top Related