hyper-v security

Hyper-V Security

Hyper-V SecurityHyper-V Security

Brandon BakerSenior Development Lead

Microsoft

Brandon BakerSenior Development Lead

Microsoft

William ArbaughPrincipal ArchitectMicrosoft

William ArbaughPrincipal ArchitectMicrosoft

October 31st, 2008 1ACM CCS / VMSec

Hyper-V Security

AgendaAgenda

• What is Hyper-V?• Why a hypervisor?• Quick Background & Architecture• Security Model• Challenges• Future Directions



Hyper-V Security

What is Hyper-V?What is Hyper-V?

• Full machine virtualization• Component of Windows Server

2008 x64• Beta shipped in box• RTM available through Windows

Update

• Full machine virtualization• Component of Windows Server

2008 x64• Beta shipped in box• RTM available through Windows

Update

ACM CCS / VMSec October 31st, 2008 3

Hyper-V Security

How to install Hyper-VHow to install Hyper-V


Hyper-V Security

What is Hyper-V?What is Hyper-V?

• Has three major components:• Hypervisor• Virtualization Stack• Virtual Devices

• Requires hardware assisted virtualization• AMD AMD-V • Intel VT

• Has three major components:• Hypervisor• Virtualization Stack• Virtual Devices

• Requires hardware assisted virtualization• AMD AMD-V • Intel VT


Hyper-V Security

AgendaAgenda




Hyper-V Security

VMM ArrangementsVMM Arrangements

• Hosted Virtualization• Hosted Virtualization • Hypervisor Virtualization• Hypervisor Virtualization

VMMVMM

ExamplesVMware Workstation KVMVirtual PC & Virtual Server

ExamplesVMware ESXXenHyper-V

Hardware Hardware

Host OS

Guest 1 Guest 2 Guest 1 Guest 2


Hyper-V Security

Monolithic Versus MicrokernelMonolithic Versus Microkernel

• Monolithic hypervisor• Simpler than a modern kernel,

but still complex• Implements driver model

• Monolithic hypervisor• Simpler than a modern kernel,

but still complex• Implements driver model

• Microkernel hypervisor• Simple partitioning functionality• Increase reliability and

minimizes TCB• No third-party code• Drivers run in root guest

• Microkernel hypervisor• Simple partitioning functionality• Increase reliability and

minimizes TCB• No third-party code• Drivers run in root guest

All virtualization systems have a VMM, drivers, virtualization software, and management interfaces.

Hypervisor

VM 1(Admin)

VM 2 VM 3

Hardware Hardware

Hypervisor

VM 2(“Child”)

VM 3(“Child”)


Hyper-V Security

AgendaAgenda




Hyper-V Security

Root

VirtualizationService

Providers(VSPs)

WindowsKernel

Server Core

Virtualization Stack

DeviceDrivers

Windows hypervisor

VM WorkerProcessesVMMS

Service

WMI Provider

Guest Partitions

Ring 0

Ring 3

VirtualizationServiceClients(VSCs)

OSKernel

EnlightenmentsVMBus

Guest Applications

Provided by:Provided by:

WindowsWindows

ISVISV

Hyper-VHyper-V

Hyper-V ArchitecturePartition

VMCS/VMCBAPICMMUCPUStorage NIC

Ring 0

Ring 3

Ring “-1”


Hyper-V Security

HypervisorHypervisor• Partitioning Kernel

• Partition is isolation boundary• Few virtualization functions;

relies on virtualization stack

• Very thin layer of software• Microkernel• Highly reliable

• No device drivers• Two versions, one for Intel

and one for AMD• Drivers run in the root• Leverage the large base of

Windows drivers

• Well-defined interface• Allow others to create

support for their OSes as guests

• Partitioning Kernel• Partition is isolation boundary• Few virtualization functions;

relies on virtualization stack

• Very thin layer of software• Microkernel• Highly reliable

• No device drivers• Two versions, one for Intel

and one for AMD• Drivers run in the root• Leverage the large base of

Windows drivers

• Well-defined interface• Allow others to create

support for their OSes as guests

• Runs within the root partition• Portion of traditional

hypervisor that has been pushed up and out to make a micro-hypervisor

• Manages guest partitions• Handles intercepts• Emulates devices



Hyper-V Security

AgendaAgenda




Hyper-V Security

Root


Providers(VSPs)

WindowsKernel

Server Core


DeviceDrivers

Windows hypervisor

VM WorkerProcessesVM

Service

WMI Provider

Guest Partitions


OSKernel

EnlightenmentsVMBus

Guest Applications

Hyper-V TCBPartition


Hyper-V Security

Security AssumptionsSecurity Assumptions• Guests are untrusted• Root must be trusted by hypervisor; parent must

be trusted by children.• Code will run in all available processor modes,

rings, and segments• Hypercall interface will be well documented and

widely available to attackers.• All hypercalls can be attempted by guests• Can detect you are running on a hypervisor• We’ll even give you the version• The internal design of the hypervisor will be well

understood

• Guests are untrusted• Root must be trusted by hypervisor; parent must

be trusted by children.• Code will run in all available processor modes,

rings, and segments• Hypercall interface will be well documented and

widely available to attackers.• All hypercalls can be attempted by guests• Can detect you are running on a hypervisor• We’ll even give you the version• The internal design of the hypervisor will be well

understood October 31st, 2008 14ACM CCS / VMSec

Hyper-V Security

Security GoalsSecurity Goals• Strong isolation between partitions• Protect confidentiality and integrity of guest data

• Separation• Unique hypervisor resource pools per guest• Separate worker processes per guest• Guest-to-parent communications over unique channels

• Non-interference• Guests cannot affect the contents of other guests, parent, hypervisor• Guest computations protected from other guests• Guest-to-guest communications not allowed through VM interfaces• Memory, registers, and caches scrubbed on VM context switch

• Strong isolation between partitions• Protect confidentiality and integrity of guest data

• Separation• Unique hypervisor resource pools per guest• Separate worker processes per guest• Guest-to-parent communications over unique channels

• Non-interference• Guests cannot affect the contents of other guests, parent, hypervisor• Guest computations protected from other guests• Guest-to-guest communications not allowed through VM interfaces• Memory, registers, and caches scrubbed on VM context switch


Hyper-V Security

Security Non-GoalsSecurity Non-Goals• Things we don’t do in Hyper-V v1• Mitigate hardware bleed-through

(inference attacks)• Mitigate covert channels• Guarantee availability• Protect guests from the root• Protect the hypervisor from the root• Utilize trusted hardware• TPM, Device Assignment, DMA protection,

Secure Launch

• Things we don’t do in Hyper-V v1• Mitigate hardware bleed-through

(inference attacks)• Mitigate covert channels• Guarantee availability• Protect guests from the root• Protect the hypervisor from the root• Utilize trusted hardware• TPM, Device Assignment, DMA protection,

Secure Launch October 31st, 2008 16ACM CCS / VMSec

Hyper-V Security

Root Partition

Server Core


Windows hypervisor

Guest Partitions

Guest OSKernel

Guest Applications

Hyper-V Security Model

VMBus

AzMan

Hypercall

Part ID 1

Hypercall

Part ID 2…n

Partition Privileges

VM Config

Win

do

ws

Au

thN

Part ID to VM Config

VMCSMemory Map


Hyper-V Security

Hypervisor Security Model

Hypervisor Security Model

• Memory• Physical Address to Partition map

maintained by Hv• Parent/Child ownership model on

memory• Can supersede access rights in guest

page tables (R, W, X)

• CPU• Hardware guarantees cache & register

isolation, TLB flushing, instruction interception

• I/O• Hypervisor enforces Parent policy for all

guest access to I/O ports• Hyper-V v1 policy is guests have no

access to real hardware

• Hypervisor Interface• Partition privilege model• Guests access to hypercalls,

instructions, MSRs with security impact enforced based on Parent policy

• Hyper-V v1 policy is guests have no access to privileged instructions

• Memory• Physical Address to Partition map

maintained by Hv• Parent/Child ownership model on

memory• Can supersede access rights in guest

page tables (R, W, X)

• CPU• Hardware guarantees cache & register

isolation, TLB flushing, instruction interception

• I/O• Hypervisor enforces Parent policy for all

guest access to I/O ports• Hyper-V v1 policy is guests have no

access to real hardware

• Hypervisor Interface• Partition privilege model• Guests access to hypercalls,

instructions, MSRs with security impact enforced based on Parent policy

• Hyper-V v1 policy is guests have no access to privileged instructions

• Uses Authorization Manager (AzMan)• Fine grained authorization and

access control• Department and role based• Segregate who can manage groups

of VMs

• Define specific functions for individuals or roles• Start, stop, create, add hardware,

change drive image

• VM administrators don’t have to be Server 2008 administrators

• Guest resources are controlled by per VM configuration files

• Shared resources are protected• Read-only (CD ISO file)• Copy on write (differencing disks)

• Uses Authorization Manager (AzMan)• Fine grained authorization and

access control• Department and role based• Segregate who can manage groups

of VMs

• Define specific functions for individuals or roles• Start, stop, create, add hardware,

change drive image

• VM administrators don’t have to be Server 2008 administrators

• Guest resources are controlled by per VM configuration files

• Shared resources are protected• Read-only (CD ISO file)• Copy on write (differencing disks)

Hyper-V Security ModelHyper-V Security Model


Hyper-V Security

Virtualization AttacksVirtualization AttacksRoot Partition


Providers(VSPs)

WindowsKernel

Server Core

DeviceDrivers


VM WorkerProcessesVM

Service

WMI Provider

Guest Partitions


EnlightenmentsVMBus

Server Hardware

Guest Applications

HackersHackers

OSKernel

Windows hypervisor

VMBus

Provided by:Provided by:

WindowsWindows

ISVISV

Hyper-VHyper-V


Hyper-V Security

Hyper-V Security Hardening (1/2)


• Hypervisor has separate address space• Guest addresses != Hypervisor addresses

• No 3rd party code in the Hypervisor• Limited number of channels from guests to

hypervisor• No “IOCTL”-like things

• Guest to guest communication through hypervisor is prohibited

• No shared memory mapped between guests• Guests never touch real hardware i/o

• Hypervisor has separate address space• Guest addresses != Hypervisor addresses

• No 3rd party code in the Hypervisor• Limited number of channels from guests to

hypervisor• No “IOCTL”-like things

• Guest to guest communication through hypervisor is prohibited

• No shared memory mapped between guests• Guests never touch real hardware i/o


Hyper-V Security



• Hypervisor built with • ASLR• Stack guard cookies (/GS)• Hardware No eXecute (NX)• Code pages marked read only• Memory guard pages• Limited exception handling• Hypervisor binary is signed

• Hypervisor and Root components completed SDL• Threat modeling• Static Analysis• Fuzz testing• Penetration testing

• Hypervisor built with • ASLR• Stack guard cookies (/GS)• Hardware No eXecute (NX)• Code pages marked read only• Memory guard pages• Limited exception handling• Hypervisor binary is signed

• Hypervisor and Root components completed SDL• Threat modeling• Static Analysis• Fuzz testing• Penetration testing


Hyper-V Security

AgendaAgenda




Hyper-V Security

Maslow’s Hierarchy of Virtualization Security

Maslow’s Hierarchy of Virtualization Security


Hyper-V Security

Challenges – ImplementationChallenges – Implementation

• Security of the platform• SDL• Simplify• Separate• Push complexity out and

up

• Hypervisor correctness“Is this hypervisor safe?”

• Security of the platform• SDL• Simplify• Separate• Push complexity out and

up

• Hypervisor correctness“Is this hypervisor safe?”


Hyper-V Security

Challenges – ManagementChallenges – Management

• VM security level• Host suitability

• Identity• Administration• Patching• Software Inventory• Compliance• Antivirus• Network vs. virtual network security

“Are my policies safe?”

• VM security level• Host suitability

• Identity• Administration• Patching• Software Inventory• Compliance• Antivirus• Network vs. virtual network security

“Are my policies safe?”


Hyper-V Security

Challenges – RealizationChallenges – Realization

• Projecting security invariants into VMs

• Monitoring VM behavior• Behavior modification• Intercepting VM data flows

“Can I make my OS safer by being a VM?”

• Projecting security invariants into VMs

• Monitoring VM behavior• Behavior modification• Intercepting VM data flows

“Can I make my OS safer by being a VM?”


Hyper-V Security

AgendaAgenda




Hyper-V Security

What are we exploring?What are we exploring?• Measured launch• IOMMU support• TPM virtualization

• Measured launch• IOMMU support• TPM virtualization


Hyper-V Security

Measured LaunchMeasured Launch

• Start with Dynamic Root of Trust Measurement (DRTM)• AMD SKINIT • Intel SENTER

• DRTM resets processor to clean stateand executes secure loader• Loader starts a measurement chain

• Allows for measurement and policy enforcement on hypervisor

• Start with Dynamic Root of Trust Measurement (DRTM)• AMD SKINIT • Intel SENTER

• DRTM resets processor to clean stateand executes secure loader• Loader starts a measurement chain

• Allows for measurement and policy enforcement on hypervisor


Hyper-V Security

I/O Memory Management Unit (IOMMU)

I/O Memory Management Unit (IOMMU)

• Used for containing and directingdevice traffic• Access to memory• Interrupts

• Under development and goes by lotsof names• IOMMU (long-standing use in industry, AMD)• DMA Remapping (Intel/Microsoft)• VT-d, VT-d2 (Intel)

• Used for containing and directingdevice traffic• Access to memory• Interrupts

• Under development and goes by lotsof names• IOMMU (long-standing use in industry, AMD)• DMA Remapping (Intel/Microsoft)• VT-d, VT-d2 (Intel)


Hyper-V Security

TPM VirtualizationTPM Virtualization• Open questions:• What is the right way to expose TPM

functionality to VMs?• Low level hardware interface vs. hypercall• TPM wasn’t designed to be virtualized

• How should you handle measurements across VM migrations?• If a VM is sealed to a platform, it can’t be migrated.• If a VM isn’t sealed to a platform, how much trust do

you have?

• Open questions:• What is the right way to expose TPM

functionality to VMs?• Low level hardware interface vs. hypercall• TPM wasn’t designed to be virtualized

• How should you handle measurements across VM migrations?• If a VM is sealed to a platform, it can’t be migrated.• If a VM isn’t sealed to a platform, how much trust do

you have?


Hyper-V Security

For More InformationFor More Information• Email me thoughts, ideas, questions

• [email protected]• [email protected]

• Hypervisor Interface Specification• http://msdn.microsoft.com/en-us/library/bb969686.aspx

• Black Hat presentations• http://www.blackhat.com/html/bh-media-archives/bh-

archives-2007.html

• RSA Virtualization Blog• http://blogs.msdn.com/rsa2008/archive/2008/04/07/

isolation-of-virtual-machines.aspx

• Email me thoughts, ideas, questions• [email protected]• [email protected]

• Hypervisor Interface Specification• http://msdn.microsoft.com/en-us/library/bb969686.aspx

• Black Hat presentations• http://www.blackhat.com/html/bh-media-archives/bh-

archives-2007.html

• RSA Virtualization Blog• http://blogs.msdn.com/rsa2008/archive/2008/04/07/

isolation-of-virtual-machines.aspx October 31st, 2008 32ACM CCS / VMSec

hyper-v security

Technology