nested virtual machines and proxies

Upload: kuniyasu-suzaki

Post on 31-May-2015

DESCRIPTION

USENIX OSDI 2012 Poster "Nested Virtual Machines and Proxies for Easily Implementable Rollback of Secure Communication" by Kuniyasu Suzaki, Kengo Iijima, Akira Tanaka, and Yutaka Oiwa, AIST: National Institute of Advanced Industrial Science and Technology; Etsuya Shibayama, The University of Tokyo

TRANSCRIPT


Nested Virtual Machines and Proxies for Easily Implementable Rollback of Secure Communication

Problem: Implementations of secure communication have vulnerabilities. (The current target is Transport Layer Security and Secure Sockets Layer: TLS/SSL.)

Approach: Verify the implementation by fuzz testing. This requires checking many states of the protocol. The states are verified repeatedly by using rollback.

Challenge:

• Fine-grained (packet-level) control of snapshot & rollback to check the states of the protocol
• Re-connect the secure communication when resuming, because rollback cuts the connection
• Rollback must include the packets on the network and the computing environment (random numbers, etc.)

A straightforward solution requires heavy customization of an existing rollback implementation, because existing rollback does not handle the status of packets on the network or of the network connection. We propose:

• a new protocol which encapsulates TLS/SSL packets and controls the VM's snapshot / rollback
• a rollback technique which integrates nested VMs and proxies

Merits:

• Easy implementation which utilizes the existing nested VM's snapshot/rollback
• Only the internal and external proxies have to be developed
• This technique is applied to another nested VM implementation
• Snapshots are transferred to other real machines and resumed for parallel testing

・ This technique is used for TLS/SSL fuzzing (Fig. 2).
・ The client part will be replaced with a protocol fuzzing generator, which is under development now.
・ Snapshot images are transferred to other machines and restarted there. This makes parallel testing possible.

[Figure 2 diagram. Labels, in the order they appear: Client Hello; Server Hello; Server Certificate; Server Hello Done; Take Snapshot; [fuzz] Client Key Exchange; Resume; [fuzz] Client Key Exchange; Snapshot; Rollback. Machines: Client1, Server2, VM-C1, VM-S2 (Fuzz Generator); Client2, Server2, VM-C2, VM-S2 (Load VM, [fuzz] Client Key Exchange). Annotation: Send snapshot images to try fuzzing test on other machines.]

・ The new protocol encapsulates TLS/SSL packets and manages their status on the network.
・ The external VM's snapshot keeps the connection between the internal VM and the internal proxy.
・ When rolling back, the connection is re-established between the external & internal proxies using the new protocol.
・ The VM includes the whole computing environment, which makes it possible to check code that depends on the environment (e.g., the random number generator).
・ The rollback technique is implemented with KVM and QEMU. The proxies use Perl.

| Proposed Protocol | Action |
|---|---|
| Capsule | Sending: internal proxy encapsulates the TLS/SSL packet. Receiving: internal proxy decapsulates the control packet. |
| Take Snapshot | Take a VM snapshot image. Packets between internal proxies are purged. Return the snapshot ID. |
| Rollback (with ID) | Roll back to the snapshot image. The connection between internal proxies is dis- and re-connected when rolling back. |

Figure 1. Overview of rollback with nested VM and proxies

Figure 2. Image of fuzzing test

Table 1. Protocol which encapsulates the existing protocol and controls the VM
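A minimal model of the three Table 1 actions, added here as an example; it is not the authors' Perl proxy code. The frame layout, the names `encode`, `decode`, `ServerSide` and `fuzz_from_snapshot`, and the reading of "purged" as draining pending packets before the image is saved are assumptions, and the fuzz cases passed in are constructed placeholder bytes.

```python
import struct
# Hypothetical frame (the poster defines none): type(1) | snapshot ID(4) | length(2) | payload
CAPSULE, TAKE_SNAPSHOT, ROLLBACK = 1, 2, 3
HEADER = struct.Struct("!BIH")

def encode(ftype, payload=b"", snap_id=0):
    return HEADER.pack(ftype, snap_id, len(payload)) + payload

def decode(frame):
    """Parse one frame into (type, snap_id, payload); reject malformed input."""
    if len(frame) < HEADER.size:
        raise ValueError("truncated header")
    ftype, snap_id, length = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    if ftype not in (CAPSULE, TAKE_SNAPSHOT, ROLLBACK) or len(payload) != length:
        raise ValueError("unknown type or length mismatch")
    return ftype, snap_id, payload

class ServerSide:  # stand-in for the server's internal proxy and the VM behind it
    def __init__(self):
        self.delivered, self.in_flight = [], []  # in VM state / still between proxies
        self.snapshots, self.reconnects = [], 0  # list index = snapshot ID

    def receive(self, frame):
        """Apply one frame; return the new snapshot ID for TAKE_SNAPSHOT, else None."""
        ftype, snap_id, payload = decode(frame)
        if ftype == CAPSULE:
            self.in_flight.append(payload)
        elif ftype == TAKE_SNAPSHOT:  # assumed reading of "purged": drain, then save
            self.delivered, self.in_flight = self.delivered + self.in_flight, []
            self.snapshots.append(list(self.delivered))
            return len(self.snapshots) - 1
        elif snap_id >= len(self.snapshots):
            raise ValueError("unknown snapshot ID")
        else:  # ROLLBACK: restore the image, then reconnect the proxies
            self.delivered, self.in_flight = list(self.snapshots[snap_id]), []
            self.reconnects += 1
        return None

def fuzz_from_snapshot(cases):
    """Run each constructed fuzz case from the same post-ClientHello snapshot."""
    srv, seen = ServerSide(), []
    srv.receive(encode(CAPSULE, b"ClientHello"))
    snap = srv.receive(encode(TAKE_SNAPSHOT))
    for case in cases:
        srv.receive(encode(CAPSULE, case))
        seen.append(srv.delivered + srv.in_flight)
        srv.receive(encode(ROLLBACK, snap_id=snap))
    return seen, srv.reconnects
```

Every case sees only the snapshot state plus its own message, which is the property that lets a fuzzer revisit one protocol state repeatedly.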

[Figure 1 diagram. Server (Real Machine): External VM, Internal VM, Internal Proxy, TLS server. Client (Real Machine): External VM, Internal VM, External Proxy, Internal Proxy, TLS client (fuzzing). Link labels: Port forward; SSH (keep connection); TLS client / TLS server (keep connection); Snapshots.]

Annotations in Figure 1:

• The connection is cut when the external VM takes a snapshot. All packets are flushed before the snapshot using a control packet.
• Add VM control packet (Snapshot, Rollback).
• Encapsulate the TLS/SSL packet with a control packet.
• Decapsulate the control packet.
• The External Proxy controls two external VMs for snapshot & rollback.
• The External Proxy manages re-connection with the internal proxies when rolling back.

Kuniyasu Suzaki*, Kengo Iijima*, Akira Tanaka*, Yutaka Oiwa*, Etsuya Shibayama*,‡ * National Institute of Advanced Industrial Science and Technology (AIST), ‡ The University of Tokyo