Duke Systems - University of Michigan

Duke Systems
Pocket Hypervisors: Opportunities and Challenges
Landon Cox, Duke University
Peter Chen, University of Michigan

Conventional organization
[Figure: three processes running directly on the operating system]

Hypervisor organization
[Figure: two guest OSes, each running a process, on top of a hypervisor that provides encapsulation, mediation and isolation]

Recent interest in hypervisors
- Lots of papers/companies the past five years
  - Xen, VMware, ReVirt, Potemkin, etc.
- On mobile devices? Not so much.
  - Some uses of encapsulation (ISR, SoulPad)
  - No uses of mediation or isolation
- Why? Hypervisors have been considered impractical
  - Insufficient hardware support
  - Prohibitive performance overhead

Pocket hypervisors are practical and useful.
- Hardware support
  - Privilege modes
  - MMU
  - Moore's Law
- Security
- Opportunistic services

Securing commodity devices
- With PC functions come PC problems
  - Mobile malware already exists (Cabir, Skulls)
  - Bluetooth exploits (BlueBug, SNARF)
- Poses new kinds of threats
  - Conversation eavesdropping
  - Location privacy compromises
  - Gain access to telecom resources
- trifinite.org, bluestumbler.org

Simple example attack: Skulls
[Figure: the malicious "Flash player" runs alongside the address book, camera, mobile antivirus and Bluetooth services on a single OS]
On reboot, phone can only make and receive calls.

Partition device functionality
[Figure: the "Flash player" and Bluetooth services run in a 3rd-party guest OS; the camera, mobile antivirus and Bluetooth services run in the core guest OS; both guests run on the pocket hypervisor]
Isolate core services from untrusted apps.
Age-old challenge: how to still allow sharing?
Shared file space? Explicit message passing?

Example attack: BlueBug
[Figure: address book, mobile antivirus, camera and Bluetooth services on a single OS]
Remote access to SIM card, can issue AT commands.
(attacker can read contacts, make calls, send SMS)

Security services
[Figure: two apps in a 3rd-party guest OS; camera, mobile antivirus and Bluetooth services in the core guest OS; both guests run on the pocket hypervisor, which also hosts security services]
Difficult to stop this attack (can't force BT to properly authenticate)
Hypervisor can still provide secure logging, profiling services
Key challenge: how to expose and log guest state efficiently
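The slide says the hypervisor can still provide secure logging even when the Bluetooth attack itself cannot be stopped. The following Python example is added here and is not code from the talk or from any project it describes; it takes "secure" to mean tamper-evident: the hypervisor keeps the guest's event log outside the guest's memory and hash-chains the entries, so a guest that is later compromised cannot silently rewrite what it did earlier. The HypervisorLog class, the event fields and the sample events are all constructed for this illustration.

```python
"""Tamper-evident guest event log kept by the hypervisor.
Added illustration, not code from the talk; class and field names are invented."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass
class LogEntry:
    seq: int          # position in the log
    guest: str        # which guest produced the event
    event: dict       # the exposed guest state (hypothetical fields)
    prev_hash: str    # hash of the preceding entry (the chain link)
    entry_hash: str   # hash over all of the fields above


class HypervisorLog:
    """Append-only log that lives in the hypervisor, outside any guest's memory.
    A guest can append through the hypervisor interface but never edit or delete."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self) -> None:
        self.entries: list[LogEntry] = []

    @staticmethod
    def _digest(seq: int, guest: str, event: dict, prev_hash: str) -> str:
        # Canonical JSON so the same record always hashes identically
        payload = json.dumps([seq, guest, event, prev_hash], sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def append(self, guest: str, event: dict) -> LogEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = LogEntry(seq, guest, dict(event), prev, self._digest(seq, guest, event, prev))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; shipping it off-device lets a remote party
        later check that nothing before it was altered or dropped."""
        return self.entries[-1].entry_hash if self.entries else self.GENESIS

    def verify(self) -> tuple[bool, int]:
        """Recompute the chain. Returns (ok, index of first bad entry); index is -1 when ok."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or e.entry_hash != self._digest(e.seq, e.guest, e.event, e.prev_hash):
                return False, i
            prev = e.entry_hash
        return True, -1


def demo() -> tuple[bool, bool, int]:
    """Constructed scenario: the core guest logs Bluetooth activity, then a
    compromised guest tries to disguise the outgoing call it placed."""
    log = HypervisorLog()
    log.append("core", {"type": "bt_connect", "peer": "peer-placeholder"})
    log.append("core", {"type": "outgoing_call", "to": "+15555550100"})
    log.append("core", {"type": "sms_send", "to": "+15555550123"})
    ok_before, _ = log.verify()
    # A real hypervisor would give the guest no write access to this memory; the
    # direct mutation below only shows that the chain detects any such change.
    log.entries[1].event["type"] = "idle"
    ok_after, bad = log.verify()
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The log answers the slide's "expose and log guest state" point only for integrity, not efficiency; a real implementation would batch entries and hash per batch rather than per event, and would periodically export head() so that deleting the whole log is also detectable.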

Pocket hypervisors are practical and useful.
- Hardware support
- Security
- Opportunistic services

Sensor networks
- Expose information about environment
  - Light, pressure, temperature readings
- Expands vantage point of owner
  - Hundreds of observation points
  - Streamed/aggregated to central location
- Mote price-performance ratio
  - Cheap nodes allow large deployments (cover large area, overcome failures)
  - Powerful nodes allow complex applications

Mobile phones as sensors
- Expose information about environment
  - Network events, MAC addresses, ESSIDs
- Expands vantage point of owner
  - Hundreds of observation points
  - Streamed/aggregated to central location
- Phone price-performance ratio
  - Cheap nodes allow large deployments (cover large area, overcome mobility)
  - Powerful nodes allow complex applications

Opportunistic services
- COPSE (new project at Duke)
  - Concurrent opportunistic sensor environment
  - "A thicket of small trees cut for economic purposes."
- Allow execution of untrusted service instances
  - Enables mobile testbeds, opportunistic sensor nets
  - Hypervisor ensures isolation (performance, energy)
- Key tension
  - Encourage volunteers to participate
  - Support useful services

[Figure: network diagram labelled "Internet"]
What are the disincentives to participate?

Example disincentive
[Figure: map with locations labelled Duke, Franc and Home]
Adversaries shouldn't be able to upload location trackers.

Location privacy
- Could enforce execution regions
  - Only execute guests within a physical region
  - Requires access to a location service
- Could "scrub" MAC addresses
  - Hypervisor manages device namespace
  - Translate names between VM and network

[Figure: two nodes, Node One (N1) and Node Two (N2), each running guest OSes and apps over a hypervisor through a VDriver. The guests see only virtual names, N1 = 00:13:21:B7:94:B9 and N2 = 00:30:65:0D:11:61; each hypervisor's machine driver translates these to the wireless NICs' real addresses, 00:18:DE:2C:A3:8A for N1 and 00:0C:29:4E:F4:1C for N2.]
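The MAC scrubbing in the figure above, as an added Python example that is not part of the talk: a hypervisor-side translator keeps a real-to-virtual address map, rewrites Ethernet headers in both directions, and refuses outbound frames whose source address the guest does not own (the mediation role from the earlier slide). It also carries the execution-region idea from the Location privacy slide as a plain bounding-box check against a location fix. The MacScrubber and ExecutionRegion classes, the frame handling, the region coordinates and the sample frame are assumptions constructed for this example; the four MAC addresses are the ones shown in the figure.

```python
"""Hypervisor-side MAC name translation plus an execution-region check.
Added illustration, not code from the talk; all names and the region are invented."""
from __future__ import annotations

import struct

ETH_HDR = struct.Struct("!6s6sH")  # Ethernet II header: dst, src, ethertype
BROADCAST = b"\xff" * 6


def parse_mac(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


class MacScrubber:
    """The hypervisor owns the device namespace: guests only ever see virtual
    addresses, the air interface only ever sees real ones."""

    def __init__(self) -> None:
        self._real_to_virt: dict[bytes, bytes] = {}
        self._virt_to_real: dict[bytes, bytes] = {}

    def bind(self, real_mac: str, virt_mac: str) -> None:
        real, virt = parse_mac(real_mac), parse_mac(virt_mac)
        if real in self._real_to_virt or virt in self._virt_to_real:
            raise ValueError("address already bound")  # one name per NIC, no aliasing
        self._real_to_virt[real] = virt
        self._virt_to_real[virt] = real

    def to_wire(self, frame: bytes) -> bytes:
        """Guest -> network. The source must be a name this guest was given."""
        dst, src, etype = ETH_HDR.unpack_from(frame)
        if src not in self._virt_to_real:
            raise ValueError("guest used an address it does not own")  # drop, not forward
        real_src = self._virt_to_real[src]
        real_dst = self._virt_to_real.get(dst, dst)  # broadcast / unknown left unchanged
        return ETH_HDR.pack(real_dst, real_src, etype) + frame[ETH_HDR.size:]

    def to_guest(self, frame: bytes) -> bytes:
        """Network -> guest. Bound addresses are mapped back to their virtual names;
        unbound ones pass through (scrubbing protects this device's namespace only)."""
        dst, src, etype = ETH_HDR.unpack_from(frame)
        virt_dst = self._real_to_virt.get(dst, dst)
        virt_src = self._real_to_virt.get(src, src)
        return ETH_HDR.pack(virt_dst, virt_src, etype) + frame[ETH_HDR.size:]


class ExecutionRegion:
    """Axis-aligned lat/lon box inside which a guest may be scheduled."""

    def __init__(self, name: str, south: float, north: float, west: float, east: float) -> None:
        self.name, self.south, self.north, self.west, self.east = name, south, north, west, east

    def contains(self, lat: float, lon: float) -> bool:
        return self.south <= lat <= self.north and self.west <= lon <= self.east


def may_run(region: ExecutionRegion, fix: tuple[float, float] | None) -> bool:
    """fix is (lat, lon) from a hypothetical location service; no fix means deny."""
    return fix is not None and region.contains(*fix)


def demo() -> tuple[str, str, bool, bool, bool, bool]:
    hv = MacScrubber()
    hv.bind("00:18:DE:2C:A3:8A", "00:13:21:B7:94:B9")  # N1: real NIC -> virtual name
    hv.bind("00:0C:29:4E:F4:1C", "00:30:65:0D:11:61")  # N2: real NIC -> virtual name
    # Constructed frame: a guest on N1 sends an IPv4 frame (ethertype 0x0800) to N2
    guest_frame = ETH_HDR.pack(parse_mac("00:30:65:0D:11:61"),
                               parse_mac("00:13:21:B7:94:B9"), 0x0800) + b"payload"
    wire = hv.to_wire(guest_frame)       # carries real addresses only
    back = hv.to_guest(wire)             # peer's hypervisor restores the virtual names
    duke = ExecutionRegion("Duke campus (constructed box)", 35.99, 36.01, -78.95, -78.92)
    return (fmt_mac(wire[0:6]), fmt_mac(wire[6:12]), back == guest_frame,
            may_run(duke, (36.00, -78.94)), may_run(duke, (37.78, -122.42)), may_run(duke, None))


if __name__ == "__main__":
    print(demo())
```

The translator only hides the device's hardware address from the guest and from the far end; it does nothing for higher-layer identifiers (IP addresses, ESSIDs the guest probes for), so a fuller design would apply the same namespace idea at each layer the guest can observe.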

Conclusions
- Pocket hypervisors are practical and useful
  - Practicality
    - Commodity devices support virtualization
    - Device resources are becoming more plentiful
  - Usefulness
    - Device security
    - Opportunistic services