TechReady7 Breakout Chalktalk Template
3/14/2009
Kai Axford, CISSP, MCSE
Senior Security Strategist
Microsoft Corporation
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be
interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
1
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Security will ultimately enable virtualization
Myth: Red Pill and Blue Pill programs make virtualization insecure
Reality: Security is the primary driver for desktop virtualization
Reality: Security will drive more secure server environments
Entire contents © 2008 Forrester Research, Inc. All rights reserved.
Desktop virtualization, server virtualization: all require the same tools as before . . .
• Virtual machines think they are real – you must treat them as such
  » Patch management
  » Configuration management
  » Antivirus security updates
  » Access control
• Each tool will keep machines up-to-date with the latest security updates and secure configurations
. . . However, there are a few additional processes you must add
• Offline VMs bring new challenges to the environment
  » Supplement agent-based tools with tools that can update an offline machine
  » Or, make sure to scan VMs so old vulnerabilities don't make their way into a production environment
• Firewall-enable each VM – you can't guarantee a physical appliance is inspecting traffic
Recommendations
Shift your mindset
> Security is an enabler
> Data centralization
> Better endpoint security
> Standardization of server environment
Cross train VM management
> Virtualization can strain organizational silos
> Train desktop, server, network, and storage admins on VM management
Use standard templates
> Create 'Gold' images for rapid VM deployment
> Eliminates error associated with configuring systems for hardware variants
Look for virtualization-aware tools
> Offline patching and preflight checks for production VMs
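The two Forrester slides above ask for two things that ordinary agent-based tooling does not give you: a way to inspect VMs that are powered off, and a preflight gate that compares a VM against the 'Gold' template before it reaches production. The following is an added example, not code from the slides or from any Microsoft or Forrester tool; it models such a preflight check over constructed inventory records. The record fields, the baseline values, the template identifiers and the VM names are all assumptions made for illustration.

```python
"""Preflight check for VMs before they are promoted to production.

Added example; it is not code from the slides or from any Microsoft tool.
It models the "scan offline VMs" and "gold image / preflight check"
recommendations over constructed inventory records. The record fields,
the baseline values and the VM names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Constructed baseline describing the current 'Gold' template (values assumed).
GOLD_BASELINE = {
    "template": "gold-ws2008-v3",          # template id a production VM must be built from
    "min_patch_level": date(2008, 9, 9),   # newest patch baseline date
    "max_av_signature_age_days": 7,
    "firewall_required": True,
}


@dataclass
class VMRecord:
    """Inventory record for one VM as read by an offline image scanner (constructed)."""
    name: str
    template: str
    last_patched: date
    av_signature_date: date
    firewall_enabled: bool
    powered_on: bool


def preflight(vm: VMRecord, baseline=GOLD_BASELINE, today=date(2008, 10, 1)) -> List[str]:
    """Return the findings that block promotion; an empty list means the VM passes.

    Offline VMs (powered_on=False) get exactly the same checks as running ones:
    the slide's point is that agent-based tools never see them, so this check
    uses only data an offline scanner can read from the image and its metadata.
    """
    findings = []
    if vm.template != baseline["template"]:
        findings.append("built from an outdated template")
    if vm.last_patched < baseline["min_patch_level"]:
        findings.append("patch level older than baseline")
    if (today - vm.av_signature_date).days > baseline["max_av_signature_age_days"]:
        findings.append("antivirus signatures stale")
    if baseline["firewall_required"] and not vm.firewall_enabled:
        findings.append("guest firewall disabled")
    return findings


def promotable(vms: List[VMRecord], **kw) -> Tuple[list, list]:
    """Split an inventory into (ready, blocked) lists of (name, findings)."""
    ready, blocked = [], []
    for vm in vms:
        findings = preflight(vm, **kw)
        (blocked if findings else ready).append((vm.name, findings))
    return ready, blocked


# Constructed sample inventory: one freshly built VM and one VM that sat offline
# for months and was never touched by the agent-based tools.
SAMPLE_VMS = [
    VMRecord("web01", "gold-ws2008-v3", date(2008, 9, 9), date(2008, 9, 30), True, True),
    VMRecord("web02-offline", "gold-ws2008-v2", date(2008, 3, 11), date(2008, 3, 12), False, False),
]

if __name__ == "__main__":
    ready, blocked = promotable(SAMPLE_VMS)
    for name, findings in blocked:
        print(f"BLOCK {name}: {', '.join(findings)}")
    for name, _ in ready:
        print(f"OK    {name}")
```

The offline VM is blocked on four counts, which is the case the slide warns about: nothing on the VM itself changed while it was powered off, but the baseline moved on around it. The check deliberately reads only image metadata, so it can run against a VHD that is not booted.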
Microsoft Confidential – Provided under NDA
[Figure: the traditional, non-virtualized stack – applications running on an operating system, which runs directly on hardware.]
[Figure: Virtual Server (hosted) architecture. Host: Windows Server 2003 or Windows XP. Ring 3 (User Mode): Virtual Server service, Virtual Server WebApp (IIS), guest applications. Ring 1 (Guest Kernel Mode): guest Windows (NT4, 2000, 2003) with VM Additions. Ring 0 (Kernel Mode): the Windows kernel, device drivers and the VMM kernel all run at the same privilege level; the VMM kernel provides resources to the guests. Server Hardware beneath. Legend "Provided by": Windows, Virtual Server, ISV.]
[Figure: the hypervisor-based stack – applications on operating systems, on a hypervisor, on hardware.]
[Figure: Monolithic vs. microkernelized hypervisor.
• Monolithic: VM 1 (Admin), VM 2 and VM 3 run on a hypervisor that contains its own system kernel, system services and device drivers, on hardware.
• Microkernelized: VM 1 ("Parent") holds the virtualization stack and the drivers; VM 2 and VM 3 ("Child") each run their own operating system and drivers; a thin hypervisor sits beneath them on hardware.
Trade-offs noted on the slide:
– Simpler
– Cheaper
– Use existing drivers]
[Figure: Windows Hypervisor running directly on Server Hardware.]
• Stack canaries (/GS)
• NoExecute (NX)
• Code pages marked read-only
• Limited exception handling
• Digitally signed
• Security Development Lifecycle
  – Threat modeling
  – Static analysis
  – Fuzz testing
  – Penetration testing
• Memory protection
  – Mapping of physical memory to partition memory
  – Can supersede R/W/X guest page table access rights
• I/O protection
  – HV enforces parent policy for guest access to I/O
    • v.1: guests have no access
• HV interface
  – Parent sets policy for guest access to hypercalls, instructions
    • v.1: guests have no access to privileged instructions
• Integrates with AzMan
  – Department- and role-based administration
  – Segregate who can manage groups of VMs
• Definable functions:
  – Start, stop, create, add hardware, change image
  – None require server or domain admin
• Shared resources are protected
  – ISO disk images always read-only
  – Write functions invoke copy (differencing disks)
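The AzMan bullets above describe a three-level model: operations (start, stop, create, add hardware, change image) are grouped into tasks, tasks into roles, and a role assignment is scoped to a department's group of VMs, so a VM operator in one department cannot touch another department's machines and none of the operations require server or domain admin. The following is an added example that models that scoping logic; it is not AzMan's API and not Hyper-V code, and the role, task, user and VM names are constructed.

```python
"""Role-based VM management authorization, modelled on the AzMan description.

Added example, not AzMan's API and not Hyper-V code: operations are grouped
into tasks, tasks into roles, and role assignments are scoped to a group of
VMs (a department). Role, task, user and VM names are constructed.
"""
from collections import defaultdict

# Operations the slide lists as definable; none of them needs server/domain admin.
OPERATIONS = {"start", "stop", "create", "add_hardware", "change_image"}

# Tasks bundle operations; roles bundle tasks (the three-level AzMan model).
TASKS = {
    "operate_vm": {"start", "stop"},
    "build_vm": {"create", "add_hardware", "change_image"},
}
ROLES = {
    "VM Operator": {"operate_vm"},
    "VM Builder": {"operate_vm", "build_vm"},
}


class VMAuthorizationStore:
    """Scoped role assignments: (scope, role) -> set of users."""

    def __init__(self):
        self.vm_scope = {}                   # VM name -> scope (department group)
        self.assignments = defaultdict(set)  # (scope, role) -> users holding it

    def register_vm(self, vm, scope):
        self.vm_scope[vm] = scope

    def assign(self, user, role, scope):
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        self.assignments[(scope, role)].add(user)

    def permitted_operations(self, user, vm):
        """Union of operations the user holds through roles in the VM's own scope."""
        scope = self.vm_scope.get(vm)
        if scope is None:
            return set()  # unregistered VM: deny by default
        ops = set()
        for (s, role), users in self.assignments.items():
            if s == scope and user in users:
                for task in ROLES[role]:
                    ops |= TASKS[task]
        return ops

    def check(self, user, operation, vm):
        """True if the user may perform the operation on this VM."""
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation}")
        return operation in self.permitted_operations(user, vm)


def build_sample_store():
    """Constructed sample: two departments, each with its own VMs and admins."""
    store = VMAuthorizationStore()
    for vm in ("fin-web01", "fin-db01"):
        store.register_vm(vm, "Finance")
    store.register_vm("hr-app01", "HR")
    store.assign("alice", "VM Operator", "Finance")  # may start/stop Finance VMs only
    store.assign("bob", "VM Builder", "HR")          # full lifecycle, HR VMs only
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for user, op, vm in (("alice", "start", "fin-web01"), ("alice", "create", "fin-web01"),
                         ("alice", "start", "hr-app01"), ("bob", "change_image", "hr-app01")):
        print(f"{user:6} {op:13} {vm:10} -> {'allow' if store.check(user, op, vm) else 'deny'}")
```

The scope lookup is the part worth copying: the decision is made against the scope the VM belongs to, never against a global role, which is what lets you segregate who can manage which groups of VMs without handing anyone server or domain admin.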
[Figure: Hyper-V architecture – the Windows hypervisor at "Ring -1" on Server Hardware. Root partition: Ring 3 (User Mode) holds the Virtualization Stack (WMI Provider, VM Worker Processes, VM Service); Ring 0 (Kernel Mode) holds Server Core with the Windows kernel, device drivers, Virtualization Service Providers (VSPs) and VMBus. The root partition manages guest partitions, handles intercepts and emulates devices (most traditional hypervisor functions); most virtualization functions are moved out of the hypervisor. Child partitions: Ring 3 holds guest applications; Ring 0 holds the guest OS kernel with Virtualization Service Clients (VSCs), enlightenments and VMBus, and no device drivers. The hypervisor enforces the partition isolation boundary and exposes a well-defined interface for creating guest OSes. Legend "Provided by": Windows, Virtualization, ISV.]
[Figure: the same Hyper-V architecture diagram (root partition with Virtualization Stack, VSPs, kernel, device drivers and VMBus; guest partitions with guest applications, VSCs, enlightenments and VMBus; Windows hypervisor on Server Hardware), now with "Attackers" placed among the guest applications in the guest partitions.]
[Figure: the same Hyper-V architecture diagram, annotated with trust relationships. Root partition: trusted by guests, trusted by the hypervisor. Guest partitions: don't trust each other, trust the root. Hypervisor: trusts the root (marked with a "?"). Annotations on the guest side: all modes, all rings, all segments; hypercalls – documented (v1.04), available, attempted.]
Patching the hypervisor
• Windows Update
Managing lots of virtual machines
• System Center – Virtual Machine Manager
Minimize risk to the Root Partition
• Utilize Server Core
• Don't run arbitrary apps, no web surfing
• Run your apps and services in guests
• Use AzMan to reduce admin privilege
• Connect to back-end management network
• Only expose guests to internet traffic
• Enable NX and Virtualization in BIOS
Networking
• Virtual Switches
• VLANs
• Dedicated NIC for root partition
Storage
• BitLocker
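Three of the recommendations above are about where the root partition sits on the network: it gets a dedicated NIC, guests are kept on their own VLANs, and only guests are exposed to internet traffic. The following is an added example, not code from the slides and not the Hyper-V or WMI object model; it audits a constructed description of a host's network layout against those three rules and shows a weak layout beside a corrected one. NIC, switch, VLAN and VM names are assumptions.

```python
"""Check a Hyper-V host's network layout against the slide's recommendations:
a dedicated NIC for the root partition, VLAN separation, and only guests
exposed to internet traffic.

Added example; the dataclass inventory below is a constructed model, not the
Hyper-V or WMI object model, and NIC, switch and VM names are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class VirtualSwitch:
    name: str
    physical_nic: str        # physical NIC the external virtual switch is bound to


@dataclass
class Adapter:
    owner: str               # VM name, or "root" for the root partition
    switch: str
    vlan_id: int
    internet_facing: bool = False


@dataclass
class HostLayout:
    management_nic: str      # physical NIC the root partition uses for management traffic
    management_vlan: int
    switches: Dict[str, VirtualSwitch]
    root_adapters: List[Adapter]
    guest_adapters: List[Adapter]


def audit_layout(layout: HostLayout) -> List[str]:
    """Return one finding per violated recommendation; empty means the layout passes."""
    findings = []
    # Dedicated NIC: no virtual switch may be bound to the management NIC.
    for sw in layout.switches.values():
        if sw.physical_nic == layout.management_nic:
            findings.append(f"switch {sw.name} is bound to the root management NIC {layout.management_nic}")
    # VLAN separation: guest adapters must stay off the management VLAN.
    for ad in layout.guest_adapters:
        if ad.vlan_id == layout.management_vlan:
            findings.append(f"guest {ad.owner} sits on management VLAN {layout.management_vlan}")
    # Only guests face the internet: the root partition must not share a segment with them.
    exposed = {(ad.switch, ad.vlan_id) for ad in layout.guest_adapters if ad.internet_facing}
    for ad in layout.root_adapters:
        if (ad.switch, ad.vlan_id) in exposed:
            findings.append(f"root partition adapter on internet-facing segment {ad.switch}/VLAN {ad.vlan_id}")
    return findings


def weak_layout() -> HostLayout:
    """Constructed layout that breaks all three recommendations."""
    return HostLayout(
        management_nic="NIC1", management_vlan=10,
        switches={"ExtSwitch": VirtualSwitch("ExtSwitch", "NIC1")},
        root_adapters=[Adapter("root", "ExtSwitch", 20)],
        guest_adapters=[Adapter("web01", "ExtSwitch", 20, internet_facing=True),
                        Adapter("db01", "ExtSwitch", 10)],
    )


def hardened_layout() -> HostLayout:
    """Constructed layout: management NIC has no virtual switch; guests on their own VLANs."""
    return HostLayout(
        management_nic="NIC1", management_vlan=10,
        switches={"GuestSwitch": VirtualSwitch("GuestSwitch", "NIC2")},
        root_adapters=[],
        guest_adapters=[Adapter("web01", "GuestSwitch", 20, internet_facing=True),
                        Adapter("db01", "GuestSwitch", 30)],
    )


if __name__ == "__main__":
    for label, layout in (("weak", weak_layout()), ("hardened", hardened_layout())):
        print(f"{label}: {audit_layout(layout) or ['no findings']}")
```

In the hardened layout the root partition has no adapter on any virtual switch at all; its management traffic leaves through a physical NIC that no switch is bound to, which is the simplest way to satisfy both the dedicated-NIC rule and the "only guests face the internet" rule at once.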
[Figure: Microsoft Identity Lifecycle Manager spanning the virtual environment (WS08 and Hyper-V) and the physical environment, with Authorization Manager (AzMan) for Role-Based Access Control.]
Microsoft Identity Lifecycle Manager
• Provides a single view of a user's identity and its privileges across the heterogeneous enterprise
• Enables end users to request access to physical and virtual assets through a defined workflow
Server Core
• Small subset of the executable files and DLLs installed
• No GUI interface, no .NET, no PowerShell
• Nine available Server Roles
• Managed with remote tools
1. Designed for virtual machines running on Windows Server 2008 and Microsoft Hyper-V Server
2. Support for Microsoft Virtual Server and VMware ESX
3. Performance and Resource Optimization (PRO)
4. Maximize datacenter resources through consolidation
5. Machine conversions are a snap!
6. Quick provisioning of new machines
7. Intelligent Placement minimizes virtual machine guesswork in deployment
8. Delegated virtual machine management for Development and Test
9. The library helps keep virtual machine components organized
10. Windows PowerShell™ provides a rich management and scripting environment
• SubVirt (Samuel T. King, Peter M. Chen: Michigan U)
  – Kernel-based rootkit based on a commercial VMM, which creates and emulates virtual hardware.
• BluePill (AMD SVM) – Joanna Rutkowska
  – Moves the host OS to a virtual machine at the hardware layer (PoC on AMD, theory on Intel)
• Vitriol (Intel VT-x Mac OSX) – Dino Dai Zovi
  – VM rootkit similar to BluePill, but this time targeting Mac OSX
• Is this one of the next big attack vectors on the horizon?
• The VM industry is focused on securing the VMs from attack. Very little thought is given to VMs being used as the attacker.
• Law enforcement agencies are now seeing cases where people use VMs to attack, then shut down the VM to remove any trace of evidence.
• Does it work?
• We do write all events to the SysLog
• Things that go into drive slack are recoverable using
forensics tools.
• We still have network traces…
• …and audit logs
• …and firewall and router logs
• …not to mention video cameras in the server room.
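The answer the slide gives to "does it work?" is that deleting a VM removes the guest, not the host-side record of it: the host's event log still shows when the VM was started, what address it leased and who shut it down, and the firewall still holds the flows from that address. The following is an added example, not from the slides, of stitching those two sources back together into a timeline for a VM that no longer exists. The log lines and their formats are constructed for the example; a real deployment would substitute its own parsers for the host event log and firewall export.

```python
"""Reconstructing a deleted VM's activity from host-side evidence.

Added example (not from the slides): the host event log records VM lifecycle
events and DHCP leases, the firewall records flows, so deleting the VM does
not erase the trail. All log lines below are constructed, in assumed formats.
"""
import re
from datetime import datetime

# Constructed host event log (assumed syslog-like format), one event per line.
HOST_EVENTS = """\
2009-03-14T02:10:05 hv01 vmms: VM 'scratch-07' started by HOSTDOMAIN\\jdoe
2009-03-14T02:10:09 hv01 dhcp: lease 10.0.5.77 assigned to scratch-07
2009-03-14T02:41:52 hv01 vmms: VM 'scratch-07' stopped by HOSTDOMAIN\\jdoe
2009-03-14T02:42:10 hv01 vmms: VM 'scratch-07' deleted by HOSTDOMAIN\\jdoe
"""

# Constructed firewall log (assumed format): time src dst dport action
FIREWALL = """\
2009-03-14T02:12:30 10.0.5.77 192.0.2.10 445 DENY
2009-03-14T02:13:01 10.0.5.77 192.0.2.10 3389 ALLOW
2009-03-14T03:05:00 10.0.5.80 192.0.2.10 443 ALLOW
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
VM_EVENT_RE = re.compile(r"VM '([^']+)' (started|stopped|deleted) by (\S+)")
LEASE_RE = re.compile(r"lease (\d+\.\d+\.\d+\.\d+) assigned to (\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def vm_timeline(events_text, vm_name):
    """Lifecycle events (time, action, actor) for vm_name plus the IP it leased."""
    lifecycle, ip = [], None
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, _host, _source, msg = m.groups()
        ve = VM_EVENT_RE.search(msg)
        if ve and ve.group(1) == vm_name:
            lifecycle.append((parse_ts(ts), ve.group(2), ve.group(3)))
        le = LEASE_RE.search(msg)
        if le and le.group(2) == vm_name:
            ip = le.group(1)
    return lifecycle, ip


def flows_for(firewall_text, ip, start, end):
    """Firewall records whose source is ip, within the VM's running window."""
    out = []
    for line in firewall_text.splitlines():
        ts, src, dst, port, action = line.split()
        t = parse_ts(ts)
        if src == ip and start <= t <= end:
            out.append((t, dst, int(port), action))
    return out


def reconstruct(vm_name, events_text=HOST_EVENTS, firewall_text=FIREWALL):
    """Join the VM's lifecycle with the flows its leased address produced while it ran."""
    lifecycle, ip = vm_timeline(events_text, vm_name)
    starts = [t for t, what, _ in lifecycle if what == "started"]
    stops = [t for t, what, _ in lifecycle if what in ("stopped", "deleted")]
    if not starts or ip is None:
        return {"lifecycle": lifecycle, "ip": ip, "flows": []}
    window_end = min(stops) if stops else datetime.max
    return {"lifecycle": lifecycle, "ip": ip,
            "flows": flows_for(firewall_text, ip, min(starts), window_end)}


if __name__ == "__main__":
    r = reconstruct("scratch-07")
    for t, what, who in r["lifecycle"]:
        print(f"{t}  {what:8} by {who}")
    for t, dst, port, action in r["flows"]:
        print(f"{t}  {r['ip']} -> {dst}:{port} {action}")
```

The join key is the DHCP lease, not the VM name: the firewall never knew the VM existed, only its address, so the host log is what ties the flows back to a named machine and to the account that started it. Bounding the flow search to the start/stop window keeps later traffic from a re-used address out of the reconstruction.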
Kai Axford, CISSP, MCSE
Sr. Security Strategist, Trustworthy Computing
Microsoft Corporation
http://blogs.technet.com/kaiaxford