IPSJ SIG Technical Report IaaS VM 1 1 1, 2 IaaS VM VM VM VM VM VM IaaS VM VM VM FBCrypt-V FBCrypt-V VM VMM FBCrypt-V Xen TightVNC VM Preventing Inform

IaaS VM 1 1 1, 2 IaaS VM VM VM VM VM VM IaaS VM VM VM FBCrypt-V FBCrypt-V VM VMM FBCrypt-V Xen TightVNC VM Preventing Information Leakage from Screens via Management VMs in IaaS Naoki Nishimura, 1 Tomohisa Egawa 1 and Kenichi Kourai 1, 2 In IaaS clouds, the users manage their virtual machines (user VMs) remotely. Even at failures on user VMs, they can perform remote management if they access their VMs via privileged VMs called management VMs. However, since management VMs are not always trustworthy in IaaS, screen information of user VMs may leak. To solve this problem, this paper proposes FBCrypt-V, which prevents information leakage from screens of the user VMs via the management VMs. FBCrypt-V replicates and encrypts the virtual frame buffers of the user VMs in the VMM and decrypts them in the client sides. We have implemented FBCrypt-V in Xen and TightVNC and confirmed that screen information does not leak. 1 2 CREST 1. Infrastructure as a Service IaaS VM VM VNC SSH VM VM Desktop as a Service DaaS VM OS VM VM VM VM VM VM VM IaaS VM VM VM VM VM VM FBCrypt-V FBCrypt-V VM VFB VMM VM VFB 2 VFB VMM VFB VM FBCrypt-V VMM Linux FBCrypt-V Xen 4.1.1 1) TightVNC Java Viewer 2.0.95 2) VMM VM VM VFB VM VFB VM VNC 2 VFB VFB RC5 3) FBCrypt-V VM VNC VM 1 c 2012 Information Processing Society of Japan

2 IaaS 3 FBCrypt-V 4 5 FBCrypt-V 6 7 2. VM IaaS VNC VM VNC VM VM VNC VM VM VNC VM OS OS VNC VM 1 VM VNC VM VM VM VM VM VM VM VM VM OS IaaS Xen VMware ESX VM VM VM VM VM IaaS VM VM VM VM VM VM VM VM VM 1 VM VNC 1 VNC VNC VPN SSH VM VM VNC VM VNC VM VM VM DaaS 3. FBCrypt-V VM VM FBCrypt-V 3.1 FBCrypt-V VM VM VM VM 2 c 2012 Information Processing Society of Japan

3 2 FBCrypt-V VM VM PC VNC 3.2 FBCrypt-V FBCrypt-V 2 VMM VM VFB VFB VM VFB VM VFB VMM VM VFB 2 VFB VM VNC VFB VNC VNC VM FBCrypt-V VM VM VM VM VFB VFB VMM VFB VM VNC VNC VM VFB FBCrypt-V VMM VMM TPM VMM VNC VMM 3 VM VMM VMM IaaS VMM VNC VMM VM VM VMM VMM VNC VMM VNC VMM TPM VMM 3 c 2012 Information Processing Society of Japan

VM VMM 4. FBCrypt-V Xen 4.1.1 1) TightVNC Java Viewer 2.0.95 2) Xen VM 0 VM U VM QEMU VNC VM OS Linux 2.6.39.3 4.1 FBCrypt-V U VFB Linux U VFB 0 U Linux fbfront VFB U VFB 0 VFB 0 FBCrypt-V VMM U VFB VMM U VFB 0 0 U VFB FBCrypt-V 0 VFB 2 VFB U VFB 0 VMM VFB 0 VFB 0 VNC VFB VNC VNC U VFB VNC 4.2 VFB FBCrypt VMM VFB VMM VFB VFB U 0 U VFB 0 VFB U 0 XenStore 4 U VFB VMM U XenStore VFB 0 VFB VFB VMM U OS U XenStore VMM U 0 XenBus XenBus XenStore XenStore 2 U XenStore 16 XenStore XenStore VFB device/vfb/0/page-ref VFB XenBus 0 VMM XenStore VMM XenStore 1 VFB VFB VMM U 0 U XenStore XenStore 0 U VMM VMM U 4 c 2012 Information Processing Society of Japan

5 VFB CPU RSI VMM VFB VFB VFB VFB VFB VFB VFB U VFB VMM VFB VFB VMM VFB VFB VFB FBCrypt-V 0 U VFB 0 U VMM 0 VFB VMM VFB 4.3 VFB FBCrypt-V U VFB VMM VFB U fbfront XenBus 0 VNC XenBus U 0 VMM VFB VFB I/O I/O 0 VMM 2 VFB VFB U X x 0 VFB VFB VMM RC5 3) RC5 Xen VFB 32 FBCrypt-V RC5 x y FBCrypt-V 2 Xen VNC 32 8 32 VNC 24 2 48 I/O x VNC VNC Xen 2 5 c 2012 Information Processing Society of Japan

6 7 5. VM Intel Core i7 870 CPU 4GB VNC Intel Xeon W3550 CPU 6GB VMM FBCrypt-V Xen 4.1.1 0 U OS Linux 2.6.39.3 0 2GB U 1GB VNC FBCrypt-V TightVNC Java Viewer 2.0.95 Windows 7 Java 1.6.0 24 5.1 0 U VNC VFB VFB U FBCrypt-V VNC 6 FBCrypt-V VMM VFB VM VM 6 FBCrypt-V VM VM 5.2 FBCrypt-V 800 600 U 1.4MB RC5 16 192 7 13ms VMM C TighetVNC Java 5.3 FBCrypt-V VNC U VNC VNC 6 c 2012 Information Processing Society of Japan

8 9 VNC U 8 FBCrypt-V 48ms VNC FBCrypt-V VMM FBCrypt-V 1 3 9 VNC VM 1 6. FBCrypt 4) VM VM VNC VMM VM VM VMCrypt 5) VM VM VM VM VMM VM VM VM VFB FBCrypt-V VFB VMCrypt VFB VMware vsphere Hypervisor (ESXi) 6) VMM VNC VMM VM VM VM VNC FBCrypt-V VNC VMM VMM 7 c 2012 Information Processing Society of Japan

Xoar 7) VNC QEMU QemuVM VM Xen QEMU VM VM OS mini-os VM VNC BitVisor 8) OS VMM OS I/O VMM USB PC BitVisor VM VMM VMM CloudVisor 9) VMM VM CloudVisor VM VMM VM VM VMM Xen VNC Proxy xvp 10) VM VM xvp VM VM VM xvp VNC 7. VM VM FBCrypt-V FBCrypt-V VM VFB VMM VNC VM FBCrypt-V Xen TightVNC VM AES AES 128 16 VNC FBCrypt VM Windows OS 1) P.Barham, B.Dragovic, K.Fraser, S.Hand, T.Harris, A.Ho, R.Neugebauer, I.Pratt, and A.Warfield. Xen and the Art of Virtualization. In Proc. of the 19th Symposium on Operating Systems Principles, pp. 164 177, 2003. 2) TightVNC Group. TightVNC. http://www.tightvnc.com/. 3) RonaldL. Rivest. The RC5 Encryption Algorithm. 2001. 4),. VM. 118 OS, 2011. 5),,. IaaS VM. 117 OS, 2011. 6) VMware Inc. VMware vsphere Hypervisor. http://www.vmware.com/. 7) Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker, Tim Deegan, Pete Loscocco, and Andrew Warfield. Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor. 23rd ACM Symposium on Operating Systems Principles (SOSP), 2011. 8) Takahiro Shinagawa, Hideki Eiraku, Kouichi Tanimoto, Kazumasa Omote, Shoichi Hasegawa, Takashi Horie, Manabu Hirano, Kenichi Kourai, Yoshihiro Oyama, Eiji Kawai, Kenji Kono, Shigeru Chiba, Yasushi Shinjo, and Kazuhiko Kato. BitVisor. Proc. Intl. Conf. Virtual Execution Environments and VEE 09, pp. 121 130, 2009. 9) Fengzhe Zhang, Jin Chen, Haibo Chen, and Binyu Zang. CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization. 2011. 10) xvp Project. Xen VNC Proxy Cross-platform VNC-based and Web-based Management for Citrix XenServer and Xen Cloud Platform. http://www.xvpsource.org/. 8 c 2012 Information Processing Society of Japan