Google rolled out Shielded VMs in beta at its Cloud Next partner conference last month, promising that workloads running on Google Cloud using this technology would not be compromised by firmware rootkits and boot malware. Google made a lot of promises during the conference, and has finally provided some more details behind the technology.
Shielded VMs offer protection against a range of threats that are increasingly common in cloud environments, such as attacks exploiting malicious drivers and guest firmware, and vulnerabilities in the guest VM kernel, Google Cloud’s senior product manager Nelly Porter and technical program manager Sergey Simakov said in a blog post. Other threats include insider attacks and compromises.
"Unfortunately, these threats can stay undetected for a long time, and the infected virtual machine continues to boot in a compromised state even after you’ve installed legitimate software," Porter and Simakov said.
Shielded VMs ensure that when a VM boots up for the first time, it is running code that has not been previously tampered with. They do so by comparing the VM with a cryptographically-protected baseline of the VM’s image. Shielded VMs also prevent a VM from being booted in a different context than it was originally deployed in, making it harder for attackers to steal VMs by creating a snapshot or otherwise duplicating VMs.
Major cloud providers have rolled out a number of defenses for virtual machines and cloud application containers, including hardened operating system images and "confidential computing" models that prevent compromises of the underlying machine's operating system. Google’s Asylo framework runs application containers in "trusted execution environments," or enclaves, that prevent the data within those instances from being read by anything running on the underlying operating system or virtual environment.
Outright remote hacks of VMs on Amazon Web Services, Microsoft Azure, and Google Cloud Platform using operating system exploits remain rare. Most attacks against virtual machine infrastructure typically rely on stealing administrative credentials through spear phishing or finding misconfigured instances. Once they have control, attackers can make a snapshot of the VM and then steal information, or they can manipulate the VM by dropping rootkits and other malware.
“A guest OS can also be dynamically compromised by attacking its kernel components via remote attack, by local code gaining escalation privileges, or by insiders (e.g., your privileged employees),” Google’s engineers wrote.
What Lockdown Looks Like
The security features in Shielded VMs combine trusted firmware based on Unified Extensible Firmware Interface (UEFI) version 2.3.1 and the virtual Trusted Platform Module. The operating system and operating system loader rely on the information contained in UEFI data tables for securely booting up an operating system and running pre-boot applications. The new UEFI-based firmware replaces legacy BIOS subsystems.
A virtual Trusted Platform Module (TPM) validates boot-level and pre-boot-level integrity of guest VMs in a cloud environment. The guest operating system uses vTPM to generate and store sealed encryption keys used for Secure Boot, which ensures that a VM only runs vetted, fully-trusted software, and Measured Boot, which checks against previous baselines of the VM’s configuration to provide greater visibility into the integrity of the boot process. Secure Boot and Measured Boot help defend against rootkits that may execute as the operating system boots up, as well as kernel-level malware.
The custom vTPM being used by Google Cloud is fully compatible with the Trusted Computing Group's industry standard specifications for TPMs. Google software engineer Josh Zimmerman gave more details about vTPM’s security functionalities in a separate post.
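The Measured Boot comparison described above can be sketched as a TPM-style hash chain. This is an added example, not Google's code: the event format, component names, PCR index assignments and sample data are constructed for illustration, and a real verifier would check the replayed values against a signed vTPM quote rather than trusting the event log on its own.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank; every PCR starts as all zero bytes


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def replay(events):
    """Fold (pcr_index, name, component_bytes) events, in boot order, into PCR values."""
    pcrs = {}
    for index, _name, blob in events:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), blob)
    return pcrs


def first_divergence(baseline_events, current_events):
    """Name the first boot component whose measurement differs from the baseline."""
    for base, cur in zip(baseline_events, current_events):
        if base != cur:
            return cur[1]
    if len(baseline_events) != len(current_events):
        return "<event count changed>"
    return None


def check_boot(baseline_events, current_events):
    """Compare the PCRs of the current boot with those of the trusted baseline."""
    baseline, current = replay(baseline_events), replay(current_events)
    changed = sorted(i for i in baseline.keys() | current.keys()
                     if baseline.get(i) != current.get(i))
    return {"ok": not changed, "changed_pcrs": changed,
            "first_divergence": first_divergence(baseline_events, current_events)}


# Constructed sample data: a known-good boot and one with a modified bootloader.
BASELINE = [
    (0, "uefi-firmware", b"firmware build 1"),
    (4, "bootloader", b"shim+grub build 42"),
    (4, "kernel", b"vmlinuz signed build 7"),
    (7, "secure-boot-policy", b"SecureBoot=on;db=vendor-keys"),
]
TAMPERED = [(i, n, b"grub + bootkit" if n == "bootloader" else blob)
            for i, n, blob in BASELINE]

if __name__ == "__main__":
    print(check_boot(BASELINE, BASELINE))
    print(check_boot(BASELINE, TAMPERED))
```

Because each PCR value depends on every earlier measurement in order, a changed bootloader alters the final PCR even though the kernel measured after it is unmodified.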
Putting Pieces Together
Shielded VMs are available to developers for Windows Server 2012 R2, Windows Server 2016, Windows Server version 1709 Datacenter Core, Windows Server version 1803 Datacenter Core, Container-Optimized OS 68+ and Ubuntu 1804 images.
Before a Shielded VM can run, the TPM verifies the production server is using known firmware, and that the server boots up a secure, Google-approved operating system image. TPM also verifies the server has the credentials required to load the host operating system and hypervisor. The UEFI firmware ensures the image is configured properly and loads other software. At this point, a Shielded OS image is loaded into system memory and execution control passes to the guest operating system, Porter and Simakov said. The guest OS loads digitally signed kernel drivers and validates them using the vTPM.
"Once those steps are complete, you have a fully loaded Shielded VM up and running," they wrote.