Achieving Secure Out-of-Band Remote Management in Virtualized Systems


Explore how to achieve secure out-of-band remote management in virtualized systems through VM migration, nested virtualization, and shadow devices. Learn about the challenges and solutions to prevent information leakage and unauthorized access, enhancing system security and management.

  • Virtualization
  • Remote Management
  • Security
  • VM Migration
  • Nested Virtualization


Presentation Transcript


  1. VM Migration for Secure Out-of-band Remote Management with Nested Virtualization
     Tomoya Unoki and Kenichi Kourai, Kyushu Institute of Technology, Japan

  2. Remote Management in Clouds
     • IaaS clouds provide virtual machines (VMs)
     • Run the virtualized system at each host
     • Users can use VMs to construct their systems as needed
     • Users access the systems in VMs from remote hosts
     • Run remote management servers in VMs
       • E.g., SSH and VNC
     [Figure labels: user, cloud, virtualized system, VM, sshd]

  3. Out-of-band Remote Management
     • IaaS clouds provide out-of-band remote management
     • Users access virtual devices to manage the systems in VMs
       • E.g., virtual serial console via virtual serial devices
       • E.g., out-of-band VNC via virtual keyboards, mice, and video cards
     • Can continue the system management in case of emergency
       • E.g., failures of virtual networks and remote management servers
     [Figure labels: user, cloud, virtualized system, VM, virtual devices, I/O]

  4. Information Leakage
     • Virtual devices are not sufficiently protected
     • Accessible to all the cloud operators
     • Sensitive information can be obtained from their inputs and outputs
     • Not all the cloud operators are always trusted
     • 35% of system admins have accessed sensitive information without authorization [CyberArk'09]
     [Figure labels: user, password, VM, virtual devices, virtualized system, operators]

  5. VSBypass [Futagami+, ACSAC'18]
     • Achieve secure out-of-band remote management
     • Move virtual devices outside the virtualized system
     • Called shadow devices
     • Run the virtualized system in a VM using nested virtualization
     • Confine cloud operators in the virtualized system
     • Prevent them from accessing shadow devices
     [Figure labels: remote host, I/O, shadow devices, virtualized system in a VM, virtual devices, VM]

  6. Migration Issues
     • VM migration disables the secure remote management
     • The migration manager inside the virtualized system cannot transfer the states of shadow devices outside it
     • The states are lost at the destination host
     • Users cannot access shadow devices correctly
     [Figure labels: source host, destination host, virtualized system (VM), migration manager, VM, shadow devices, state transfer]

  7. Our Approach: USShadow
     • Enable secure remote management after VM migration
     • The migration manager can handle the states of shadow devices
     • Transparently and securely
     • No modifications to the migration manager
     • No information leakage from the states
     [Figure labels: source host, destination host, virtualized system (VM), migration manager, VM, shadow devices, state, save, state transfer, restore]

  8. Threat Model
     • Use the same threat model as VSBypass
     • Some of the cloud operators may be untrusted
     • Assume full control over the virtualized system
     • Cloud providers are trusted
     • Maintain hardware, the cloud hypervisor, and shadow devices
     [Figure labels: VM running the virtualized system, migration manager, VM, shadow devices, cloud hypervisor]

  9. Interface to Shadow Devices
     • A naive design is to provide a new interface
     • The migration manager directly saves and restores the states of shadow devices
     • Require modifications to the migration manager
     • The migration manager strongly depends on the virtualized system
     • Need to extend the migration protocol
     [Figure labels: virtualized system (VM), migration manager, shadow devices, transfer]

  10. Save/restore via Pseudo Devices
     • Provide pseudo devices inside the virtualized system
     • Transparently access the states of shadow devices as those of pseudo devices
     • The migration manager saves/restores the states of pseudo devices
     • Pseudo devices communicate with shadow devices
     [Figure labels: source host, destination host, virtualized system (VM), migration manager, pseudo devices, shadow devices, state, save, state transfer, restore]

  11. Communication with Shadow Devices
     • Not easy to securely and efficiently communicate between pseudo and shadow devices
     • Inter-process communication cannot be used
     • Virtual network affects security and performance
     • Use more secure and fast shared memory
     • How to establish it without involving the virtualized system?
     [Figure labels: virtualized system (VM), pseudo devices, shared memory, shadow devices]

  12. Shared Memory with Ultracall
     • A pseudo device directly invokes the cloud hypervisor
     • Using the ultracall mechanism [Futagami+, ACSAC'18]
     • Completely bypass the virtualized system
     • No modification, no performance degradation
     • A shadow device shares the memory of the pseudo device
     [Figure labels: virtualized system (VM), pseudo devices, memory, shadow devices, ultracall, cloud hypervisor]

  13. State Encryption
     • Shadow devices encrypt/decrypt their own states on save/restore
     • Prevent information leakage from the states to cloud operators
     • Upon save: Obtain and encrypt register values and internal states
     • Upon restore: Decrypt states and overwrite registers and internal states
     [Figure labels: virtualized system (VM), migration manager, pseudo devices, memory, shadow devices, encrypt, decrypt]

  14. Experiments
     • We have implemented USShadow in Xen 4.8
     • Support virtual serial console and out-of-band VNC
     • Support Xen and KVM as a virtualized system in a VM
     • We conducted several experiments using USShadow
     • Compared with VSBypass (no migration support)
     [Figure labels: VM running the virtualized system, target VM, Gigabit Ethernet; vCPU: 2, Memory: 3 GB; vCPU: 2, Memory: 1 GB; CPU: Xeon E3-1226 v3, Memory: 8 GB; remote host, source host, destination host]

  15. Secure Remote Management after Migration
     • We re-connected the VM using virtual serial console via SSH after VM migration
     • We logged in to the VM before migration
     • The login session was preserved after migration in USShadow
     • We could not continue the access in VSBypass
     [Figure labels: before migration, after migration]

  16. Save/Restore Time
     • The total state size of four shadow devices was 2 KB
     • Does not depend on the virtualized system
     • The total save/restore time was 2.7 ms
     • Each save/restore time was not proportional to the state size
     • Restore was faster than save

     device type     size (byte)
     serial device   16
     keyboard        288
     mouse           304
     video card      1408

     [Figure: KVM; save and restore time (ms) for serial, keyboard, mouse, video]

  17. Migration Performance
     • The migration time slightly increased
     • 24 ms (KVM) and 743 ms (Xen) on average
     • The downtime slightly increased or decreased
     • +6 ms (KVM) and -46 ms (Xen) on average
     [Figure: KVM; panels: migration time, downtime; axes: time (sec), time (ms); memory sizes 256 MB, 512 MB, 1 GB, 2 GB; VSBypass vs. USShadow]

  18. Related Work
     • CompSC [Pan+, VEE'12]
       • Restore the states of passthrough NICs after VM migration
       • Easier to restore the states of shadow devices
     • D-MORE [Kawahara+, UCC'14]
       • Achieve migration-transparent out-of-band remote management
       • Need to migrate a VM outside the virtualized system together
     • Xen-Blanket [Williams+, EuroSys'12]
       • Achieve fast communication by modifying the virtualized system
       • The design policy of USShadow is not to modify it

  19. Conclusion
     • USShadow continues secure out-of-band remote management after VM migration
     • Transparently and securely save/restore the states of shadow devices
     • Via pseudo devices in the virtualized system
     • Efficiently communicate between pseudo and shadow devices
     • The overhead of state save/restore was small
     • Future work
       • Support other remote management tools
       • Support other virtualized systems
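
The save/restore path from the "Save/restore via Pseudo Devices" and "State Encryption" slides, modelled as an added Python example (not code from the presentation or from USShadow): the migration manager only ever copies an opaque blob, and the shadow device outside the virtualized system does the encryption. Assumptions: all class and function names are hypothetical, the key is already shared between the trusted cloud hypervisors on both hosts, HMAC-SHA256 in counter mode stands in for a real AEAD cipher, and a direct object reference stands in for the ultracall and shared memory. The authentication tag and the binding to the device name go beyond the slides, which state only encryption.

```python
import hashlib, hmac, os
# Added example; names are hypothetical. Assumption: the trusted cloud hypervisors on
# both hosts already share `key`; the slides do not describe key handling or the cipher.
def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: standard-library stand-in for a real AEAD cipher.
    blocks = (prf(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ShadowDevice:
    """Outside the virtualized system: holds the plaintext state and the key."""
    def __init__(self, name: str, key: bytes, state: bytes = b""):
        self.name, self.state = name.encode(), state
        self.enc_key, self.mac_key = prf(key, b"enc"), prf(key, b"mac")
    def save(self) -> bytes:
        nonce = os.urandom(16)
        ct = xor(self.state, keystream(self.enc_key, nonce, len(self.state)))
        # The tag covers the device name, so a blob is rejected by any other device.
        return nonce + ct + prf(self.mac_key, self.name + nonce + ct)
    def restore(self, blob: bytes) -> None:
        if len(blob) < 48:
            raise ValueError("state blob too short")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, prf(self.mac_key, self.name + nonce + ct)):
            raise ValueError("state blob failed authentication")
        self.state = xor(ct, keystream(self.enc_key, nonce, len(ct)))

class PseudoDevice:
    """Inside the virtualized system: the only view the migration manager gets."""
    def __init__(self, shadow: ShadowDevice):
        self.shadow = shadow  # direct reference stands in for ultracall + shared memory
    def get_state(self) -> bytes:
        return self.shadow.save()
    def set_state(self, blob: bytes) -> None:
        self.shadow.restore(blob)

def migrate(src: PseudoDevice, dst: PseudoDevice, tamper: bool = False) -> bytes:
    """Unmodified migration manager: copies an opaque blob between hosts."""
    blob = bytearray(src.get_state())  # everything an untrusted operator can see
    if tamper:
        blob[20] ^= 0x01  # models one ciphertext bit altered inside the virtualized system
    dst.set_state(bytes(blob))
    return bytes(blob)
```

The destination shadow device leaves its registers untouched when the blob fails authentication, so a modified or mismatched state is rejected instead of being restored.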
