Feather-weight Virtual Machine
Group Members:
Project Description:
Many fault-tolerant and intrusion-tolerant systems need to test-drive
untrusted programs in a realistic environment without leaving permanent
damage behind. Virtual machine technology is a natural fit for this need.
Because such trial runs are invoked frequently and routinely, entering a
virtual execution environment from the real environment must be extremely
low-overhead. This project develops an OS-level virtualization technique for
Microsoft Windows called Feather-weight Virtual Machine (FVM). In the FVM
architecture, each virtual machine is created by sharing the same state as
the host machine, and is logically isolated through name space
virtualization, resource copy-on-write and IPC confinement. The main
technical difficulty in building FVM on Windows is its complicated name
spaces and communication mechanisms, together with an incompletely documented
system call interface. Experimental results show that FVM requires fewer
system resources and incurs lower startup and run-time overhead, which makes
it a more effective building block for cyber-security applications.
OS-level virtualization:
Virtualization partitions lower-level system resources to present multiple operating environments at a higher level. Virtualization can take place at different levels of abstraction, including the instruction set architecture, the hardware abstraction layer, the system call interface and the library call interface. OS-level virtualization normally means partitioning system resources at the system call interface.

The key idea behind FVM is name space virtualization: the name spaces visible to processes in one virtual machine are disjoint from those visible to processes in another virtual machine. For example, if an application in one virtual machine (vm1) tries to access the file "c:\a\b", FVM redirects the access to "c:\vm1\a\b". To avoid unnecessary duplication of common system resources, FVM adopts a copy-on-write mechanism: an FVM virtual machine shares system resources with the host machine by default, and obtains a local copy of a resource only when it attempts to modify the host copy.

OS-level virtualization is not a new idea. In recent years there have been many projects on the Linux/FreeBSD platform, such as FreeBSD Jail, Linux VServer, Virtuozzo and Alcatraz, but few attempts have been made on the Microsoft Windows platform. The main issues in the FVM design on the Windows platform include the following:
- System service call interception. Unlike the Linux platform, where source code is fully available, Microsoft Windows keeps much of its internals undocumented. The system service calls are not officially and fully documented, especially those that handle windows and messages. Special interception methods are required in order to change a function call's entry point.
- Process grouping. Each FVM virtual machine starts from one root process, whose child and descendant processes inherit the same association with the same virtual machine. When this group of processes makes system calls to access system resources, the FVM layer may redirect the access to the virtual machine's local copy.
- Name space virtualization principle. There are various kinds of name spaces on the Windows platform, such as files, registry keys (configuration), kernel objects, Win32 services (daemon processes) and others. Name space virtualization must identify all of these name spaces and their corresponding system service calls. Basically, most system calls that take a resource name as an input parameter should be intercepted. In addition, resource renaming during virtualization must preserve the consistency of any application logic.
- Copy-on-write. A "write" access to a system resource from a process in a virtual machine results in the resource being duplicated into the virtual machine's local space, if it has not been duplicated before. "Write" access here includes write, delete and rename, as well as read access when sharing is not allowed. FVM's copy-on-write mechanism duplicates a file's content, attributes and full-path directory structure, and a registry key's values and first-level sub-keys.
- IPC confinement. To achieve a proper degree of isolation, inter-process communication (IPC) must be confined so that processes in one virtual machine can communicate only with processes running in the same virtual machine. In addition to standard IPC mechanisms such as synchronization objects, sockets and named pipes, there are quite a few Windows-specific IPC mechanisms such as window messages, DDE, COM and the clipboard. Identifying and confining all of these IPC mechanisms properly remains a challenging task.
- Single instance restriction. Windows was originally designed under the assumption that only one interactive user uses desktop applications at any one time. Therefore, many applications allow only one instance to run at a time. Such restrictions are not suitable for the FVM environment, where multiple instances of an application can run simultaneously in different virtual machines, and must be circumvented by appropriate IPC confinement.
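The name space redirection and copy-on-write rules above, modelled in memory as an added example (this is not FVM's own code, which runs as a Windows system call interception layer). File names, VM identifiers and host contents are constructed sample data; the same policy is applied to registry keys in FVM, so the class is written in terms of generic names.

```python
# Added example, not part of the FVM project: an in-memory model of
# FVM-style name space virtualization with copy-on-write. All names,
# VM ids and host contents below are constructed sample data.

class FvmNamespace:
    """Host view plus per-VM private views of one name space. A VM reads
    through to the shared host copy until it performs a 'write' access
    (write, delete, rename, or a non-shared open), at which point it gets
    its own private copy. The host copy is never modified."""

    def __init__(self, host):
        self.host = dict(host)      # name -> content on the host machine
        self.vms = {}               # vm_id -> {name -> content or None}

    @staticmethod
    def redirect(vm_id, name):
        """'c:\\a\\b' accessed from vm1 becomes 'c:\\vm1\\a\\b'."""
        if ":\\" not in name:
            raise ValueError(f"expected a drive-rooted path: {name!r}")
        drive, rest = name.split(":\\", 1)
        return f"{drive}:\\{vm_id}\\{rest}"

    def _local(self, vm_id):
        return self.vms.setdefault(vm_id, {})

    def read(self, vm_id, name, exclusive=False):
        local = self._local(vm_id)
        if name in local:           # private copy, or tombstone (None)
            if local[name] is None:
                raise FileNotFoundError(name)
            return local[name]
        if name not in self.host:
            raise FileNotFoundError(name)
        content = self.host[name]   # shared read-through to host copy
        if exclusive:               # non-shared open counts as "write"
            local[name] = content   # so copy into the VM's local space now
        return content

    def write(self, vm_id, name, content):
        self._local(vm_id)[name] = content      # host copy stays intact

    def delete(self, vm_id, name):
        self.read(vm_id, name)                  # must be visible to the VM
        self._local(vm_id)[name] = None         # tombstone hides host copy

    def rename(self, vm_id, old, new):
        content = self.read(vm_id, old)         # rename is a "write" access
        self.write(vm_id, new, content)
        self.delete(vm_id, old)
```

Discarding a VM is simply `ns.vms.pop("vm1")`: every private copy and tombstone disappears and the host state is exactly what it was before.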
Applications:
The Feather-weight Virtual Machine technique provides a virtual execution
environment with low overhead and low resource requirements, and is useful in
many applications, including the following:
- Mobile code security. Mobile
code refers to programs that arrive at an end user's computer over the
network and start to execute with or without the user's knowledge or
consent. Malicious mobile code such as viruses, worms and Trojan horses,
usually propagated through email attachments or HTML content, can damage
the end user's computer or the connected network. Recent techniques against
malicious mobile code include behavior blocking and least-privilege execution, but
the problems with these approaches are the difficulty of setting up a
security policy and of running admin-only applications. Running email clients
and Web browsers such as Microsoft Internet Explorer and Outlook inside an FVM virtual machine guarantees that malicious code arriving
through these applications cannot damage the host machine or the connected
network. Newly downloaded files within the virtual machine are automatically
committed to the host machine and marked. Once malicious behavior
is detected in the virtual machine, recovery requires nothing more than
discarding the virtual machine and starting a fresh one.
- Vulnerability assessment. Vulnerability assessment can mitigate security risks
because it proactively identifies a system's or service's potential weaknesses.
However, vulnerability assessment tools are not extensively used in
practice because the scanning process may disrupt the system or service under
scan by crashing machines, corrupting data, or both. To avoid the
side effects of vulnerability assessment in a production environment, a
duplicate copy of the scanned service application is started in an
FVM virtual machine. Vulnerability assessment is performed on
this duplicate copy only, without disrupting the original production-mode
service applications. This assessment procedure has high testing fidelity
because the duplicate copy is identical to the production-mode
applications. Experimental results indicate that the side effects are
completely isolated from the host machine and the performance impact is as
low as 3%.
- Application streaming. Application streaming is a technology that stores and maintains applications on a streaming server. Unlike thin-client computing and virtualized hosted clients, the applications use the computing resources of the end user's computer without being physically installed there. All application binaries, data and configuration are streamed to the end user's computer on demand. Application streaming is not a security solution; it is designed to work with legitimate software and to reduce maintenance and patching cost and software conflicts. The FVM technique can be used to create isolated environments on the end user's computer in which to execute streamed applications on demand. It can also act as the application packager, recording the most significant application resources that are initially streamed to the client.
- LUA (Least-privilege User Account) compatible execution. An application process
normally inherits the security context of the currently logged-on user. When
a user logs onto the system as the administrator, the application process is granted
administrator privilege, which can lead to system
damage when the application is infected with malicious code. If users
log on from a restricted user account with least privilege, the possibility
of system damage due to malicious code execution or human error is greatly reduced.
However, it is said that 70% of software will not run properly unless the
user process has administrator privilege. One of the main reasons for this problem
is that some applications improperly store state information in protected global directories
instead of the user's private profile directory. This design flaw can be
mitigated by running such applications in an FVM virtual machine under a
least-privileged user account, in which the application virtually possesses administrator privilege.
- Multi-level Windows desktops. Protecting sensitive enterprise information from theft
by authorized, motivated insiders is one of the main security
concerns of security practitioners and system administrators. Many
enterprise digital rights management systems address this
problem by combining usage rights with content distribution, and depend on
encryption to stop information theft by untrusted client applications.
A different approach is to return to the old model and transparently
apply thin-client computing in the current PC environment. Based on the FVM technique, users can operate multi-level desktops on the same host
machine. Each desktop is associated with one FVM virtual
machine, and is isolated from other desktops and from the host machine. Under this
architecture, all sensitive information is stored centrally on file
servers, database servers or web servers. Whenever a client application
tries to access sensitive content on any of these servers, the application process is assigned to a high-level desktop, from which no communication to
the outside of the desktop is possible. As a result, the
content rendered on such a desktop is protected from most information theft.
Publications:
- Subhadeep Sinha, "Data Paladin - An Application-Independent Rights Management System", Computer Science Department, SUNY at Stony Brook, NY 11794-4400, December 2008.
- Hariharan Kolam Govindarajan, "Applications and Enhancements of Feather-weight Virtual Machine (FVM)", Computer Science Department, SUNY at Stony Brook, NY 11794-4400, May 2008.
- Yang Yu, Hariharan Kolam Govindarajan, Lap-chung Lam, Tzi-cker Chiueh, "Applications of Feather-Weight Virtual Machine", Proceedings of the 2008 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE08), Seattle WA, March 2008.
- Yang Yu, "OS-level Virtualization and Its Applications", Ph.D. Dissertation, December 2007.
Yang Yu, Lap-chung Lam and Tzi-cker Chiueh, "An Isolation Framework on Windows for Safe Execution of Mobile Code", Technical Report, November 2005.
Related Work:
- Linux-VServer, http://linux-vserver.org
- Virtuozzo - The Complete Server Automation and Virtualization Solution, http://www.sw-soft.com/products/virtuozzo
- FreeBSD Jail, http://docs.freebsd.org/44doc/papers/jail/jail.html
- Z. Liang, V.N. Venkatakrishnan and R. Sekar, "Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs", Annual Computer Security Applications Conference, Las Vegas, December 2003.
- Weiqing Sun, Zhenkai Liang, V.N. Venkatakrishnan, and R. Sekar, "One-way Isolation: An Effective Approach for Realizing Safe Execution Environments", ISOC Network and Distributed Systems Symposium, San Diego, February 2005.
- Wine, an Open Source implementation of the Windows API on top of X and Unix. http://www.winehq.com
- ReactOS Project, a ground-up implementation of a Microsoft Windows® XP compatible operating system, http://www.reactos.org
- GreenBorder, the Desktop DMZ software for Windows, http://www.greenborder.com
- Andy Dornan, Application Streaming: The Virtual Thin Client
- Softricity, Virtual Application Computing, http://www.softricity.com
- AppStream, Application streaming for software distribution and maintenance, http://www.appstream.com
- Thinstall, Create self-contained applications that can be deployed and executed without installation, http://thinstall.com
- Gary Nebbett, "Windows NT/2000 Native API Reference"
- David A. Solomon and Mark E. Russinovich, "Inside Microsoft Windows 2000", Third Edition
- Dirk Balfanz and Daniel R. Simon, "WindowBox: A Simple Security Model for the Connected Desktop", 4th USENIX Windows Systems Symposium.
- Admin-only applications, http://nonadmin.editme.com/KnownProblems
- Keith Brown, Security in Longhorn: Focus on Least Privilege
Last modified: 02/17/09