15 research outputs found

    When Virtual is Harder than Real: Security Challenges in Virtual Machine-Based Computing Environments

    No full text
    As virtual machines become pervasive users will be able to create, modify and distribute new "machines" with unprecedented ease. This flexibility provides tremendous benefits for users. Unfortunately, it can also undermine many assumptions that today's relatively static security architectures rely on about the number of hosts in a system, their mobility, connectivity, patch cycle, etc. We examine a variety of security problems virtual computing environments give rise to. We then discuss potential directions for changing security architectures to adapt to these demands.

    A Virtual Machine Introspection Based Architecture for Intrusion Detection

    No full text
    Today's architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host's software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host's state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.

    When virtual is harder than real: Security challenges in virtual machine based computing environments

    No full text
    As virtual machines become pervasive users will be able to create, modify and distribute new “machines” with unprecedented ease. This flexibility provides tremendous benefits for users. Unfortunately, it can also undermine many assumptions that today’s relatively static security architectures rely on about the number of hosts in a system, their mobility, connectivity, patch cycle, etc. We examine a variety of security problems virtual computing environments give rise to. We then discuss potential directions for changing security architectures to adapt to these demands.

    Virtualization Aware File Systems: Getting Beyond the Limitations of Virtual Disks

    No full text
    Virtual disks are the main form of storage in today's virtual machine environments. They offer many attractive features, including whole system versioning, isolation, and mobility, that are absent from current file systems. Unfortunately, the low-level interface of virtual disks is very coarse-grained, forcing all-or-nothing whole system rollback, and opaque, offering no practical means of sharing. These problems impose serious limitations on virtual disks' usability, security, and ease of management. To overcome these limitations, we offer Ventana, a virtualization aware file system. Ventana combines the file-based storage and sharing benefits of a conventional distributed file system with the versioning, mobility, and access control features that make virtual disks so compelling.

    1 Introduction

    Virtual disks, the main form of storage in today's virtual machine environments, have many attractive properties, including a simple, powerful model for versioning, rollback, mobility, and isolation. Virtual disks also allow VMs to be created easily and stored economically, freeing users to configure large numbers of VMs. This enables a new usage model in which VMs are specialized for particular tasks. Unfortunately, virtual disks have serious shortcomings. Their low-level isolation prevents shared access to storage, which hinders delegation of VM management, so users must administer their own growing collections of machines. Rollback and versioning takes place at the granularity of a whole virtual disk, which encourages mismanagement and reduces security. Finally, virtual disks' lack of structure obstructs searching or retrieving data in their version histories [34]. Conversely, existing distributed file systems support fine-grained controlled sharing, but not the versioning, isolation, and encapsulation features that make virtual disks so useful. To bridge the gap between these two worlds, we presen

    Flexible OS Support and Applications for Trusted Computing

    No full text
    Trusted computing (e.g. TCPA and Microsoft's Next-Generation Secure Computing Base) has been one of the most talked about and least understood technologies in the computing community over the past year. The capabilities trusted computing provides have the potential to radically improve the security and robustness of distributed systems. Unfortunately, the debate over its application to digital rights management has caused its significant other applications to be largely overlooked. In this paper we present a broader vision for trusted computing. We give an intuitive model for understanding the capabilities and limitations of the mechanisms provided by trusted computing. We describe a flexible OS architecture to support trusted computing. We present a range of practical applications that illustrate how trusted computing can be used to improve security and robustness in distributed systems.

    Virtualization aware file systems: Getting beyond the limitations of virtual disks

    No full text
    Virtual disks are the main form of storage in today’s virtual machine environments. They offer many attractive features, including whole system versioning, isolation, and mobility, that are absent from current file systems. Unfortunately, the low-level interface of virtual disks is very coarse-grained, forcing all-or-nothing whole system rollback, and opaque, offering no practical means of sharing. These problems impose serious limitations on virtual disks’ usability, security, and ease of management. To overcome these limitations, we offer Ventana, a virtualization aware file system. Ventana combines the file-based storage and sharing benefits of a conventional distributed file system with the versioning, mobility, and access control features that make virtual disks so compelling.

    Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation

    No full text
    Today’s operating systems, word processors, web browsers, and other common software take no measures to promptly remove data from memory. Consequently, sensitive data, such as passwords, social security numbers, and confidential documents, often remains in memory indefinitely, significantly increasing the risk of exposure. We present a strategy for reducing the lifetime of data in memory called secure deallocation. With secure deallocation we zero data either at deallocation or within a short, predictable period afterward in general system allocators (e.g. user heap, user stack, kernel heap). This substantially reduces data lifetime with minimal implementation effort, negligible overhead, and without modifying existing applications. We demonstrate that secure deallocation generally clears data immediately after its last use, and that without such measures, data can remain in memory for days or weeks, even persisting across reboots. We further show that secure deallocation promptly eliminates sensitive data in a variety of important real world applications.

    Data Lifetime is a Systems Problem

    No full text
    As sensitive data lifetime (i.e. propagation and duration in memory) increases, so does the risk of exposure. Unfortunately, this issue has been largely overlooked in the design of most of today’s operating systems, libraries, languages, etc. As a result, applications are likely to leave the sensitive data they handle (passwords, financial and military information, etc.) scattered widely over memory, leaked to disk, etc. and left there for an indeterminate period of time. This greatly increases the impact of a system compromise. Dealing with data lifetime issues is currently left to application developers, who largely overlook them. Security-aware developers who attempt to address them (e.g. cryptographic library writers) are stymied by the limitations of the operating systems, languages, etc. they rely on. We argue that data lifetime is a systems issue which must be recognized and addressed at all layers of the software stack.