Security Challenges on the Clone, Snapshot, Migration and Rollback of Xen Based Computing Environments

Lei Yu, Chuliang Weng, Minglu Li, Yuan Luo
Department of Computer Science and Engineering, Shanghai Jiaotong University, Shanghai, China
[email protected]

The Fifth Annual ChinaGrid Conference. 978-0-7695-4106-8/10 $26.00 © 2010 IEEE. DOI 10.1109/ChinaGrid.2010.47

Abstract—While virtual machines give users and administrators significant flexibility to clone, snapshot, migrate and roll back with unprecedented ease, that flexibility also brings new problems and negative effects for the security of computing environments. Applications and operating systems are forced to run in a dynamic and unregulated computing environment, which differs so radically from a physical one that the administrator finds it difficult to maintain the security of the environment. This paper summarizes and presents several types of security challenges based on existing viewpoints, then analyses the corresponding challenges in Xen and discusses potential directions and implementations for modifying Xen to adapt to them.

Keywords-Virtualization; Security; Version management

I. INTRODUCTION

Virtualization dramatically improves the efficiency and availability of computing resources in current organizations. Because users are able to clone, snapshot, migrate and roll back with unprecedented ease, virtual computing environments let us respond to market dynamics faster and more efficiently than ever before. A virtual machine is essentially a software container that bundles a set of virtual hardware resources, an operating system and all its applications into one or more files. This encapsulation makes virtual machines extremely portable and easy to manage: we can clone, snapshot, modify, migrate and roll back virtual machines just like any other software files.

However, this flexibility also gives rise to new problems and negative effects for the security of computing environments, because it forces applications to work in a dynamically changing and unregulated computing environment in which administrators can hardly manage the security of the VMs. The security architecture of the computing environment must therefore be modified. To address these demands, we discuss the existing problems in Xen and potential implementations in Section 4.

II. ISSUE SCENARIO

To clarify the details of the paper, we first present a scenario for Xen-based virtual environments and introduce the roles involved. The scenario is only an example that facilitates the discussion that follows.

A. Scenario

We set our scene at AdventureSpeed, a manufacturer and distributor of automobiles. The automotive industry is typically one of the most complex manufacturing industries. Like real auto manufacturers, the employees in the various departments of AdventureSpeed work on computers and collaborate through the network. Moreover, the software used in the firm has diverse requirements: product designers design new cars on Mac OS X, the data center maintains the SAP database on Solaris 10, marketing staff analyse the market and sell cars on Vista, and so on. The only difference is that this company's employees face a virtual computer rather than a physical machine.

B. The Administrator Role

Alice is AdventureSpeed's system administrator and is in charge of the computing environment. As a role, Alice is usually a department or a team rather than an individual. In traditional industries, Alice has powerful privileges to decide which operating systems and applications the employees and departments use, and which should be forbidden.

Even in a relatively free enterprise, Alice still plays an important role in the computing environment. For the security of the computing environment, she monitors each virtual machine and directly consoles the physical machines in the virtual computing environment. Once some malicious behavior is found, Alice must find out which virtual machine and which physical machine is the source, and what the potential targets are. The sources must then be isolated and recovered, and the vulnerability must be patched or the configuration changed.

III. SECURITY PROBLEMS IN VIRTUAL ENVIRONMENTS

A virtual machine is essentially a software container that bundles a set of virtual hardware resources, an operating system, all its applications and even their states into one or more files. This encapsulation makes virtual machines extremely portable and easy to manage. Virtual machines allow users to clone a virtual machine's file systems and configuration files, which are then used to create new virtual machines on other physical machines. In particular, the virtual machine monitor (VMM) can entirely encapsulate the state of the guest OS running on it; this is called a snapshot. The state can be saved and copied as files, transferred over Ethernet and the Internet, and restored at a later time on a different physical machine. Depending on whether the difference is one of time or of location, the restore operation is called rollback or migration. These VM functions, clone, snapshot, rollback and migration, bring new problems and negative effects for the security of computing environments. It should be noted that this paper focuses only on the novel security problems caused by clone, snapshot, rollback and migration in virtual computing environments, rather than on those of general systems.

A. Invalid Randomness

Randomness and random generators play fundamental roles in cryptography in general, and in private-key cryptography in particular.

Computers are predictable devices. Without special devices, a physical computer can hardly generate true random information; it usually generates pseudorandom information. Pseudorandom information is usually generated by a function in software, which is a deterministic function. Although the function may generate a sequence of numbers that exhibit some properties of true random numbers, they are only statistically random. Fortunately, some operating systems (e.g. Linux) can generate information that is closer to truly random. These random seeds usually originate from device drivers; for example, the keyboard driver collects the timing between two key presses and feeds it into the environmental-noise random number generator. Random seeds are stored in the entropy pool, which is "mixed" whenever new data enters. Unfortunately, in a virtual machine the devices are virtual devices, which are essentially software, so these data may easily be simulated or forged from outside the virtual machine.

Even if we ignore the difference between pseudorandom and true random, a virtual machine's snapshot and rollback functions will still weaken the randomness. A workflow in an application program or service generates random information and builds some security modules on top of it, which may be used to communicate with the outside. There is an interval between the generation of the random information and its last use, which may be a few milliseconds, a few seconds, a few minutes or even hours. During that interval the random information is kept in memory, so it is saved in any snapshot, which is taken at the granularity of the whole VM memory.

For a long time, randomness has been the firm foundation of many security protocols and encryption algorithms, such as key generators, MACs and stream ciphers. Even if the random information is saved outside the virtual machine, it must be transferred back and exist in the VM's memory to be used; because the interval still exists, this approach is also invalid. The sensitive random information should be cleaned before the snapshot of the VM is taken.

B. Invalid One-time Password and Aging Password

The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources or modules [1], such as a computer account. Traditional static passwords can be obtained more easily by an unauthorized intruder given enough attempts and time, and may also be eavesdropped and reused by the intruder. By constantly changing the password, as is done with a one-time password or an aging password, this risk can be greatly reduced.

There are three typical types of one-time password: the mathematical-algorithm type, the time-synchronized type, and the type that uses a portable electronic device (e.g. a mobile phone) as an out-of-band channel for transmitting one-time passwords. All three types are invalidated by the virtual machine's snapshot and rollback.

S/KEY is a well-known one-time password system of the first type [2]. There are two sides to the operation of the S/KEY system. On the client side, the user's real password is combined in an offline device (e.g. a list of passwords printed on paper) with a short set of characters and a decrementing counter to form a single-use password. Because each password is used only once, the passwords are useless to password sniffers. On the host side, the server must verify the one-time password and permit secure changing of the user's secret passphrase.

The first step begins with a secret key w. This secret can either be provided by the user or generated by a computer. A secure hash function H is applied n times to w, thereby producing a hash chain of n one-time passwords (the passwords are the results of the cryptographic hash H). Then the initial secret w is discarded. The n passwords are provided to the user, printed out in reverse order. The last n-1 passwords are discarded from the server; only the first password Kh, at the top of the user's list, is stored on the host side. When the client presents a password Kc to obtain authorization from the host, the host checks that H(Kc) = Kh. If this equation holds, the password used by the client is valid, and the host replaces the value of Kh with Kc. The old Kc is also discarded on the client. The old Kc or Kh has no value to an intruder who eavesdrops on the network or other channels.

When the virtual machine is rolled back, the old Kh is restored together with the whole virtual memory and virtual disk, so the one-time password is invalidated. The other two types and aging passwords are invalidated in the same way.

C. Low Manageability

In our virtual scenario, Alice is in charge of the security and stability of AdventureSpeed's computing environment. As in a traditional environment, Alice has to respond actively to every virus, worm, hacker and other malicious behavior. When a novel malicious act, which usually exploits a newly discovered vulnerability, is found in the computing environment, Alice must patch the VM's operating system and application programs. If the malicious behavior is produced by a Trojan horse or virus, Alice must take corresponding measures to scan each machine's file system and clean the malicious code.

But Alice faces two challenges in the virtual computing environment. Firstly, there are many VMs in various states, including "power-on", "power-off", "paused" and snapshots of historical states; the last three are latent, dormant VM states, and Alice will have difficulty managing them. Secondly, after a newly discovered vulnerability has been patched and a new type of virus has been identified and removed, an old-version snapshot of the VM may be rolled back at an unpredictable time. It is therefore hard for Alice to manage all the VMs' states.

IV. THE SOLUTIONS IN XEN

When we try to solve these problems in Xen or other existing virtual machine monitors (VMMs), a number of obstacles must be overcome.

A. Offline File System Management

As mentioned above, the states of guest domains in Xen also include "power-on", "power-off", "paused" and snapshots of historical states. The last three are offline VM states. To improve manageability, Alice must be able to access and maintain the VM's file system in the offline state.

In Xen, a virtual file system can be made available to virtual machines in a number of different ways [3]. The most typical method is to export a filesystem image as a file-backed virtual block device (VBD); the most straightforward method is to export a physical block device (a hard drive or partition) from dom0 directly to the guest domain as a VBD. Moreover, standard network storage protocols such as NBD, iSCSI and NFS can be used to provide storage to virtual machines.

In the first method, the filesystem image simulates a block device that has a number of partitions inside the image file. Whether the VM is powered on or not, domain0 can access and maintain the file system in the image. We can use the losetup command to associate a new loop device with the image file, then use kpartx to set up device mappings for the partitions of the loop device. Finally, we can mount the mapped partitions for use. If some partitions are stored as logical volumes, the logical volumes must first be activated with the lvchange command.

Without starting the VM, Alice can directly scan those file systems for viruses and Trojan horses and then clean them. Alice can also identify the version of a powered-off guest OS, or change its security settings.

B. Snapshot & Rollback

Snapshot and rollback are great features of a virtual computing environment and provide significant value for users and administrators. Unfortunately, open-source Xen does not offer support for snapshots. In Xen we can use the "xm save" command to save the current state of the virtual machine and write it to a disk file, but we cannot snapshot the virtual file system. The administrator of a Xen system can only suspend a virtual machine's current state into a disk file in domain 0, allowing it to be resumed at a later time. In other words, open-source Xen's semi-snapshot can only capture the state of the CPU and memory, not the state of the file system.

However, we can use other auxiliary methods to create snapshots of the file system. Literature [3] puts forward a snapshot function for Xen based on logical volumes; literature [4] presents a snapshot function for VMware based on NFS. In Linux, the Logical Volume Manager (LVM) can also be used to create a snapshot, which takes significantly less time than copying the file system directly. Nevertheless, this method requires that the virtual machine uses an LVM logical volume as its storage back-end rather than a virtual disk file.

Recently, we presented a novel virtual disk snapshot mechanism, Mensa, which can take snapshots and roll back inside Xen without an extra snapshot environment outside Xen. While Xen itself achieves performance by modifying the guest and host OS, we want the software to impose no additional restrictions, such as LVM in domain0 or NFS in domainU.

The Mensa prototype is also block-level snapshot software: a copy-on-write (CoW) snapshot virtual block device. The front-end of Xen was changed to transport requests from the domain's file system directly, without optimization. The back-end driver is split into three modules, the back-end receiver, the snapshot mapping module and the physical driver, as shown in Figure 1. Details can be found in our full paper.

[Figure 1. The structure of Mensa: a paravirtual domainU with a modified blkfront; domain0 with the back-end receiver, the Mensa mapping mechanism (sparse trees) and the physical driver; beneath them the VMM, the original disk and the snapshot (snp) files.]

C. VM Identity

In virtual computing environments, users are able to create, modify, clone, roll back and migrate "machines" with unprecedented ease. It is therefore difficult to distinguish the relationships between VMs.

In traditional computing environments there is a series of methods for identifying machines: a list of MAC addresses, the CPU serial number (SN), hard disk SN, motherboard SN and BIOS SN. Without such mechanisms it can be extremely difficult to establish who is responsible for a machine [5]. In Xen, however, this information is dynamically assigned when a domainU is created or cloned, which makes it unusable for identification. There are also some simple methods for traditional physical machines, such as a computer ID, but they are likewise unusable because of domainU clone and migration.

To identify domainUs, we need to build a single database for the computing environment. Each relevant behavior of a domainU, such as creation, clone and migration, should be recorded in the database. During those operations the virtual MAC address, CPU SN, hard disk SN, motherboard SN, BIOS SN and so on should also be assigned by the database.

D. Forced Administration

For particular reasons, Alice may not have the superuser password of some computers. Without the password, it is hard for Alice to block malicious code in the domainU's memory directly. She should have the ability to force the domainU's owner to scan memory and solve the security problem.

The most straightforward method is to forbid the domainU from starting, but then the owner cannot solve the problem on the powered-off VM. The conventional method is to restrict the domainU's network access so that it can reach only a few websites that help the owner solve the problem and download patches.

As mentioned above, users are able to clone, modify, roll back and migrate "machines" with unprecedented ease. In a virtual computing environment, Alice must forbid illegal clone and migration. Many traditional approaches provide similar functions in different areas: full disk encryption (FDE) provides an efficient mechanism for full-VM encryption and decryption, and trusted platform module (TPM) techniques allow a VM to be "pinned" to a particular physical machine.

E. Sensitive Data Clean

As mentioned above, a virtual machine's snapshot and rollback functions weaken randomness and invalidate OTPs and aging passwords. In Xen, such sensitive data should be cleaned before the snapshot of the domainU is taken (see Figure 2). We can transmit data between domain0 and domainU through xenstore and xenbus. Setting up an event channel between them simulates a virtual interrupt request (VIRQ) in the domainU. We can then build a device driver in each domain that informs the applications to clean their sensitive data.

[Figure 2. In Xen, sensitive data should be cleaned before the snapshot of the domainU.]

V. CONCLUSIONS

When we construct a virtual computing environment with Xen, some essential security problems should be solved beforehand. Simply migrating operating systems and applications from physical machines to virtual machines is not enough; the new environment may be exposed to many new potential threats. We should further improve Xen's security and develop a series of tools to improve the security of virtual computing environments. We believe that Xen and the other virtual platforms will have an important role to play in the evolution of large-scale computing environments, and that the next generation of products will solve these problems.

ACKNOWLEDGMENT

This research is sponsored in part by the Key Project of Chinese National Programs for Fundamental Research and Development (973 program) under grant 2007CB310900.

REFERENCES

[1] N. Haller, C. Metz: A One-Time Password System. IETF RFC 2289, February 1998.
[2] N. Haller: The S/KEY one-time password system. Symposium on Network and Distributed System Security (1994), 151-157.
[3] Dutch T. M., Gitika A., Brendan C., Geoffrey L.: Parallax: Virtual Disks for Virtual Machines. Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems, Glasgow, Scotland, UK (2008), 41-54.
[4] Ben P., Tal G., Mendel R.: Virtualization Aware File Systems: Getting Beyond the Limitations of Virtual Disks. 3rd Symposium on Networked Systems Design and Implementation (NSDI), May 2006.
[5] Tal G., Mendel R.: When virtual is harder than real: Security challenges in virtual machine based computing environments. 10th Workshop on Hot Topics in Operating Systems, May 2005.
[6] C. Herley, D. Florencio: How to Login from an Internet Café without Worrying about Keyloggers. Proceedings of the Symposium on Usable Privacy and Security (SOUPS) 2006.
[7] S. Frølund, A. Merchant, Y. Saito, S. Spence, A. C. Veitch: FAB: Enterprise storage systems on a shoestring. Proceedings of HotOS'03: 9th Workshop on Hot Topics in Operating Systems, Lihue (Kauai), Hawaii, USA, May 2003, 169-174.
[8] T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, D. Boneh: Terra: A virtual machine-based platform for trusted computing. Proceedings of the 19th Symposium on Operating Systems Principles (SOSP 2003), October 2003.
[9] C. Frost, M. Mammarella, E. Kohler, A. de los Reyes, S. Hovsepian, A. Matsuoka, L. Zhang: Generalized file system dependencies. Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP'07), October 2007, 307-320.
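Added example for Sections III.A, III.B and IV.E (not the paper's code). It models a guest VM as a dictionary whose memory holds the S/KEY host state (Kh) and a cached random nonce; snapshot and rollback are deep copies of that dictionary, which mirrors the paper's point that a snapshot captures all of memory. The script shows the password Kc being accepted a second time after a rollback and the same nonce reappearing, then two mitigations: the Section IV.E "clean before snapshot" hook for the nonce, and, as an assumption of this example rather than something the paper proposes, a record of consumed passwords kept outside the VM state. SHA-256 stands in for the hash H; the key w and chain length are constructed values.

```python
import copy
import hashlib
import secrets


def _h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def skey_chain(w: bytes, n: int) -> list:
    """H^1(w), H^2(w), ..., H^n(w), the hash chain of Section III.B."""
    chain, cur = [], w
    for _ in range(n):
        cur = _h(cur)
        chain.append(cur)
    return chain


def make_vm(w: bytes = b"constructed-secret-w", n: int = 5) -> dict:
    """A toy VM: host-side Kh and a cached nonce live in 'memory'."""
    chain = skey_chain(w, n)
    return {
        "memory": {
            "kh": chain[-1],                      # host keeps only H^n(w)
            "nonce": secrets.token_bytes(16),     # cached random value (III.A)
        },
        "client_list": list(reversed(chain[:-1])),  # printed list, H^{n-1} first
    }


def host_verify(vm: dict, kc: bytes, external_used=None) -> bool:
    """S/KEY check: accept kc iff H(kc) == Kh, then replace Kh by kc.
    external_used (assumed, not from the paper) is a set kept outside the VM."""
    if external_used is not None and kc in external_used:
        return False
    if _h(kc) != vm["memory"]["kh"]:
        return False
    vm["memory"]["kh"] = kc
    if external_used is not None:
        external_used.add(kc)
    return True


def snapshot(vm: dict) -> dict:
    return copy.deepcopy(vm)          # whole-memory snapshot, nonce included


def rollback(snap: dict) -> dict:
    return copy.deepcopy(snap)        # old Kh and old nonce come back


def clean_sensitive(vm: dict) -> None:
    """Section IV.E: wipe cached random material before the snapshot is taken."""
    vm["memory"]["nonce"] = None


def demo() -> dict:
    # Problem: snapshot taken, password consumed, rollback, password replays.
    vm = make_vm()
    kc = vm["client_list"][0]
    snap = snapshot(vm)
    first = host_verify(vm, kc)             # normal login succeeds
    repeat = host_verify(vm, kc)            # immediate reuse is rejected
    vm = rollback(snap)
    after_rollback = host_verify(vm, kc)    # accepted again after rollback
    nonce_reused = vm["memory"]["nonce"] == snap["memory"]["nonce"]

    # Mitigation: clean before snapshot, keep the consumed list outside the VM.
    vm2 = make_vm()
    used = set()
    clean_sensitive(vm2)
    snap2 = snapshot(vm2)
    kc2 = vm2["client_list"][0]
    mitigated_first = host_verify(vm2, kc2, used)
    vm2 = rollback(snap2)
    replay_blocked = not host_verify(vm2, kc2, used)
    nonce_cleared = vm2["memory"]["nonce"] is None
    return {"first": first, "repeat": repeat, "after_rollback": after_rollback,
            "nonce_reused": nonce_reused, "mitigated_first": mitigated_first,
            "replay_blocked": replay_blocked, "nonce_cleared": nonce_cleared}


if __name__ == "__main__":
    print(demo())
```

The cleaning hook only helps for data that can be regenerated after restore, such as the nonce; the host-side Kh must survive the snapshot, which is why the replay defence here records consumed passwords outside the rolled-back state.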
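Added example for Section IV.A (not the paper's code). It wraps the offline maintenance sequence the paper describes, losetup, kpartx, optional lvchange, mount, scan, and then tears the mappings down in reverse order even if the scan fails. The command names are the standard Linux tools the paper mentions; the read-only mount options, the clamscan scanner and the placeholder loop device name used in dry-run mode are this example's own choices. With dry_run=True nothing is executed and the planned command list is returned.

```python
import subprocess
from typing import List, Optional


class OfflineImage:
    """Context manager: attach a VM disk image in domain0 read-only, mount it,
    and always detach it again. Requires root when dry_run is False."""

    def __init__(self, image: str, mountpoint: str,
                 lv: Optional[str] = None, dry_run: bool = False):
        self.image, self.mountpoint, self.lv = image, mountpoint, lv
        self.dry_run = dry_run
        self.loop = None
        self.plan: List[List[str]] = []       # every command, in order

    def _run(self, cmd: List[str], capture: bool = False) -> str:
        self.plan.append(list(cmd))
        if self.dry_run:
            return "/dev/loop7" if capture else ""   # placeholder device name
        r = subprocess.run(cmd, check=True, capture_output=capture, text=True)
        return r.stdout.strip() if capture else ""

    def __enter__(self):
        # losetup -r: the image is attached read-only so maintenance cannot be
        # turned into a write path by a hostile image.
        self.loop = self._run(["losetup", "-f", "--show", "-r", self.image],
                              capture=True)
        self._run(["kpartx", "-a", "-v", self.loop])      # map partitions
        if self.lv:
            self._run(["lvchange", "-a", "y", self.lv])   # activate vg/lv
            dev = f"/dev/{self.lv}"
        else:
            dev = f"/dev/mapper/{self.loop.split('/')[-1]}p1"  # first partition
        # nodev/nosuid/noexec: nothing inside an untrusted image gets privilege
        self._run(["mount", "-o", "ro,nodev,nosuid,noexec", dev, self.mountpoint])
        return self

    def __exit__(self, *exc):
        self._run(["umount", self.mountpoint])
        if self.lv:
            self._run(["lvchange", "-a", "n", self.lv])
        self._run(["kpartx", "-d", self.loop])
        self._run(["losetup", "-d", self.loop])
        return False                      # do not swallow a failed scan

    def scan(self, scanner=("clamscan", "-r", "--infected")) -> str:
        """Scan the mounted tree; clamscan is an assumed, replaceable tool."""
        return self._run([*scanner, self.mountpoint])


def offline_scan_plan(image: str, mountpoint: str,
                      lv: Optional[str] = None) -> List[List[str]]:
    """Return the full command sequence without executing anything."""
    img = OfflineImage(image, mountpoint, lv, dry_run=True)
    with img:
        img.scan()
    return img.plan


if __name__ == "__main__":
    for cmd in offline_scan_plan("/var/lib/xen/images/guest.img", "/mnt/offline"):
        print(" ".join(cmd))
```

If the image carries LVM volumes that domain0 has not yet seen, a vgscan before lvchange may be needed; that step is not part of the paper's description.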
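Added example for Section IV.C (not the paper's code). It is a minimal form of the single identity database the paper proposes: creation and clone are recorded and receive their virtual MAC address and serial numbers from the database, migration keeps the identity and only changes the host, and a lookup by MAC answers "which VM, on which host, cloned from what". The schema, the locally administered MAC prefix and the serial-number format are this example's assumptions; SQLite is used in memory so it runs stand-alone.

```python
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE vm (
    vm_id     TEXT PRIMARY KEY,
    parent_id TEXT,                 -- NULL for a freshly created domainU
    host      TEXT NOT NULL,        -- physical machine currently running it
    mac       TEXT UNIQUE NOT NULL,
    cpu_sn    TEXT UNIQUE NOT NULL,
    disk_sn   TEXT UNIQUE NOT NULL,
    board_sn  TEXT UNIQUE NOT NULL,
    bios_sn   TEXT UNIQUE NOT NULL
);
CREATE TABLE event (
    seq    INTEGER PRIMARY KEY AUTOINCREMENT,
    vm_id  TEXT NOT NULL,
    kind   TEXT NOT NULL,           -- create | clone | migrate
    detail TEXT
);
"""


class VmRegistry:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self._counter = 0             # one source for every assigned identifier

    def _next(self) -> int:
        self._counter += 1
        return self._counter

    def _mac(self) -> str:
        n = self._next()              # 02:... is a locally administered MAC
        return "02:00:00:%02x:%02x:%02x" % ((n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff)

    def _insert(self, host: str, parent: str) -> str:
        vm_id = str(uuid.uuid4())
        self.db.execute(
            "INSERT INTO vm VALUES (?,?,?,?,?,?,?,?)",
            (vm_id, parent, host, self._mac(),
             f"CPU-{self._next():06d}", f"DISK-{self._next():06d}",
             f"BOARD-{self._next():06d}", f"BIOS-{self._next():06d}"))
        return vm_id

    def _log(self, vm_id: str, kind: str, detail: str) -> None:
        self.db.execute("INSERT INTO event (vm_id, kind, detail) VALUES (?,?,?)",
                        (vm_id, kind, detail))

    def create(self, host: str) -> str:
        vm_id = self._insert(host, None)
        self._log(vm_id, "create", host)
        return vm_id

    def clone(self, src_id: str, host: str) -> str:
        """A clone is a new identity with a recorded parent, never a copy of one."""
        if self.db.execute("SELECT 1 FROM vm WHERE vm_id=?", (src_id,)).fetchone() is None:
            raise KeyError(src_id)
        vm_id = self._insert(host, src_id)
        self._log(vm_id, "clone", f"from {src_id} onto {host}")
        return vm_id

    def migrate(self, vm_id: str, new_host: str) -> None:
        cur = self.db.execute("UPDATE vm SET host=? WHERE vm_id=?", (new_host, vm_id))
        if cur.rowcount != 1:
            raise KeyError(vm_id)
        self._log(vm_id, "migrate", new_host)

    def mac_of(self, vm_id: str) -> str:
        return self.db.execute("SELECT mac FROM vm WHERE vm_id=?", (vm_id,)).fetchone()[0]

    def identify(self, mac: str):
        """Who is responsible for traffic from this MAC: VM, host, clone lineage."""
        row = self.db.execute("SELECT vm_id, host, parent_id FROM vm WHERE mac=?",
                              (mac,)).fetchone()
        if row is None:
            return None
        vm_id, host, parent = row
        lineage = [vm_id]
        while parent:
            lineage.append(parent)
            parent = self.db.execute("SELECT parent_id FROM vm WHERE vm_id=?",
                                     (parent,)).fetchone()[0]
        return {"vm_id": vm_id, "host": host, "lineage": lineage}

    def history(self, vm_id: str) -> list:
        return self.db.execute("SELECT kind, detail FROM event WHERE vm_id=? ORDER BY seq",
                               (vm_id,)).fetchall()
```

The UNIQUE constraints are the point: because the database, not the domainU configuration, hands out the MAC and serial numbers, a cloned image cannot silently carry its parent's identity onto another host.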
