Network Enhancements on BitVisor
2024/03/29 @ BitVisor Summit 12
Chen Chuang Jung
Agenda
- Mbed-TLS LTS support
- Brief intro Mbed-TLS
- Advantages for BitVisor
- Changes to adopt Mbed-TLS on BitVisor
- WireGuard support
- Brief intro WireGuard
- Advantages for BitVisor
- Changes to adopt WireGuard on BitVisor
- WireGuard for Guest OS
- Brief intro WireGuard for GuestOS
- Advantages for BitVisor
- Code change
- DEMO
1
Copyright© 2024 IGEL Co., Ltd. All Rights Reserved.
Mbed-TLS LTS support
- Brief intro Mbed-TLS
- Open-source and Lightweight
- Enables easy and low-impact integration.
- Designed for Embedded Systems
- Ideal for low-resource settings, less demanding than typical SSL/TLS.
- User-friendly API
- Easily adds security to apps, no deep crypto knowledge needed.
- Support for Latest Crypto Standards
- Keeps data safe, private, and verified during communication.
- Long Term Support (LTS) Version 2.28
Mbed-TLS LTS support
- Advantages for BitVisor
- Able to pick the libraries to compile
- LWIP stack compatible
- Customized items in the header file for the platform to select:
- HAVE_TIME, HAVE_TIME_DATE, MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_C, MBEDTLS_ENTROPY_HARDWARE_ALT, ...
- Support for TLS extensions:
- MBEDTLS_SSL_MAX_FRAGMENT_LENGTH, MBEDTLS_SSL_SESSION_TICKETS, MBEDTLS_SSL_SERVER_NAME_INDICATION, MBEDTLS_SSL_RENEGOTIATION, ...
Mbed-TLS LTS support
- Changes to adopt Mbed-TLS on BitVisor
- New defconfig items:
- CA_Certification
- Server_Certification
- Server_key
/* defconfig fragment: PEM strings for the CA certificate, the server
   certificate and the server private key (certificate bodies elided) */
.tls = {
    .ca_cert =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIDQjCCAiqgAwIBAgIUbdMMHizhHnz+psFMmF6Vs4h7wdMwDQYJKoZIhvcNAQEL\n"
        ...
        "IngZtsfFXq+U8z6sMxaOSJg2/XEHvA==\n"
        "-----END CERTIFICATE-----\n",
    .srv_cert =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIC6TCCAdECFDiiW/aGv3Nm+qFpVKxyECyQeH/OMA0GCSqGSIb3DQEBCwUAMBEx\n"
        ...
        "F7HKk0oI0ZjNOOUjPgWnqgwyYVDP2WyCr5g2cMs=\n"
        "-----END CERTIFICATE-----\n",
    .srv_key =
        "-----BEGIN PRIVATE KEY-----\n"
        "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBA\n"
        ...
        "6JN9j0Vy/3SCNjleJ3rkVBQ+SmNNi8iyTjl94d+51elwsosY0lMouDJixUN3yvzs\n"
        "1PABsGsU4X//Us+1DL7/0J4=\n"
        "-----END PRIVATE KEY-----\n",
},
Mbed-TLS LTS support
- Changes to adopt Mbed-TLS on BitVisor
- Add two versions of the random number generator:
- random_num_hw and random_num_sw implement the rand() function. random_num_hw uses the rdrand instruction.
- Used to generate the nonce for the handshake.
- Epoch time
- During boot, the time is retrieved once from UEFI and stored in a static variable. Afterwards, each request for the time is calculated from that static variable using the CPU time/ACPI.
- Used to evaluate the certificate's validity period.
- Echoctl
- Separate out the common features of Echoctl to allow future expansion to different protocols.
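As an added illustration of the two platform hooks on this slide (not BitVisor's random_num_hw or its time code), here is an Mbed TLS 2.28-style hardware entropy callback built on rdrand with fail-closed handling, plus a boot-snapshot time function of the kind the slide describes. The bv_ names are hypothetical; only mbedtls_hardware_poll and MBEDTLS_ERR_ENTROPY_SOURCE_FAILED are real Mbed TLS identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

/* Mbed TLS error code an entropy source returns when it cannot deliver. */
#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED (-0x003C)

/* CPUID leaf 1, ECX bit 30 advertises RDRAND. Hypothetical helper name. */
int bv_have_rdrand(void)
{
#if defined(__x86_64__)
    unsigned int a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d))
        return (int)((c >> 30) & 1u);
#endif
    return 0;
}

/* One 64-bit RDRAND. The instruction may report "no data" (CF = 0); the register
 * is then undefined and must not be used, so retry a bounded number of times. */
static int bv_rdrand64(uint64_t *out)
{
    (void)out;
#if defined(__x86_64__)
    for (int tries = 0; tries < 10; tries++) {
        unsigned char ok;
        __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=qm"(ok) : : "cc");
        if (ok)
            return 1;
    }
#endif
    return 0;
}

/* Entropy hook selected by MBEDTLS_ENTROPY_HARDWARE_ALT (real Mbed TLS
 * signature). Fills the buffer from RDRAND or fails closed: a missing or
 * failing RNG aborts the handshake rather than yielding a weak nonce. */
int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen)
{
    (void)data;
    *olen = 0;
    if (!bv_have_rdrand())
        return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
    while (*olen < len) {
        uint64_t r;
        size_t n = len - *olen < sizeof r ? len - *olen : sizeof r;
        if (!bv_rdrand64(&r)) {
            *olen = 0;
            return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
        }
        memcpy(output + *olen, &r, n);
        *olen += n;
    }
    return 0;
}

/* Platform time for MBEDTLS_PLATFORM_TIME_MACRO: the wall clock is read once from
 * UEFI at boot and afterwards advanced from a monotonic tick counter, so validity
 * checks never re-enter firmware. Tick value is a parameter so this runs anywhere. */
static uint64_t bv_boot_epoch, bv_boot_ticks, bv_tick_hz = 1;
void bv_time_init(uint64_t uefi_epoch_sec, uint64_t ticks_now, uint64_t hz)
{ bv_boot_epoch = uefi_epoch_sec; bv_boot_ticks = ticks_now; bv_tick_hz = hz ? hz : 1; }
int64_t bv_time_now(uint64_t ticks_now)
{ return (int64_t)(bv_boot_epoch + (ticks_now - bv_boot_ticks) / bv_tick_hz); }
```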
Mbed-TLS LTS support
- Changes to adopt Mbed-TLS on BitVisor
- Introduce TLS versions of the echoctl applications
- TLS-ECHO-CLIENT
- TLS-ECHO-SERVER
- Documentation is ready
- Available at /docs/Mbed-TLS.md
- Create the needed keys and certificates
- Generate root Certificate Authority certificates
- Generate server certificates
- BitVisor as the server
- BitVisor as the client
[Diagram (slide 7): Mbed-TLS call flow across the BitVisor Network, LWIP and BitVisor Application layers]
- Receive path: nicfunc->net_recv_callback -> netif->input -> ethernet_input -> ip_input -> altcp_mbedtls_lower_recv -> mbedtls_ssl_read -> altcp_mbedtls_pass_rx_data -> tls_echo_recv
- Send path: tls_echo_send -> altcp_mbedtls_write -> mbedtls_ssl_write -> altcp_output -> etharp_output -> ethernet_output -> netif->linkoutput -> nicfunc->send
- ARP: an incoming ARP packet goes ethernet_input -> etharp_input -> etharp_update_arp_entry; on output, an ETH+IP packet whose destination is found in the ARP table is sent directly, otherwise etharp_query -> etharp_request sends an ARP request and the ARP response fills the table.
Mbed-TLS LTS support
- Demo
[Diagram (slide 8): two hosts (Host A, Host B). One is a Linux system (eth0: 10.16.165.1) running a TCP/IP OpenSSL client; the other is BitVisor (vm0: 10.16.2.15) with Network Driver, LWIP, Mbed-TLS stack and net_main running TLS-ECHO-SERVER. Traffic is plain text inside each host and TLS-encrypted on the wire between them.]
WireGuard support
- Brief intro WireGuard
- A modern VPN protocol: simple and secure.
- Efficient Performance: Beats traditional VPNs with less overhead.
- State-of-the-Art Security: Uses the latest cryptographic techniques for enhanced privacy.
- Ease of Use: Simple to set up and manage. There are existing websites that help generate a key pair.
- Cross-Platform: Works seamlessly across various devices and operating systems.
WireGuard support
- Advantages for BitVisor
- There is a ready-to-use lwIP-compatible package available on GitHub.
- The total size of the source code files is only 270 KB.
- Low latency and lightweight
- Consumes minimal system resources.
- Once BitVisor is up, WireGuard starts working immediately.
- A tunnel between BitVisor and the WireGuard server
- Allows selective routing of packets through or around this tunnel as needed.
WireGuard support
- Changes to adopt WireGuard on BitVisor
- LWIP-compatible package wireguard-lwip
- Epoch time
- To prevent replay attacks during the initial handshake, a TAI64N timestamp is included in the first message.
- New defconfig items:
- WG network parameters
- IP address, netmask, gateway
- allowed IP/netmask
- listening port
- Private key
- WireGuard peer parameters
- IP address (external)
- Public key
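An added example (not wireguard-lwip or BitVisor code) of the TAI64N timestamp mentioned above and of the responder-side check that turns it into a replay defence: the 12-byte field is big-endian, so a byte comparison against the last accepted timestamp for that peer is a correct numeric comparison. The bv_ names and struct are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define TAI64N_LEN 12
/* TAI64 labels seconds as 2^62 + seconds since 1970 TAI; WireGuard
 * implementations add the 10-second TAI-UTC offset of the Unix epoch. */
#define TAI64N_BASE 0x400000000000000aULL

static void put_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

static void put_be32(uint8_t *p, uint32_t v)
{
    for (int i = 3; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Encode the 12-byte TAI64N field carried in a handshake initiation:
 * 8 bytes big-endian seconds followed by 4 bytes big-endian nanoseconds. */
void tai64n_encode(uint8_t out[TAI64N_LEN], uint64_t unix_sec, uint32_t nsec)
{
    put_be64(out, TAI64N_BASE + unix_sec);
    put_be32(out + 8, nsec);
}

/* Per-peer state the responder keeps: the newest timestamp it has accepted.
 * Zero-initialised means "nothing accepted yet". Hypothetical struct. */
struct bv_peer {
    uint8_t last_tai64n[TAI64N_LEN];
};

/* Replay defence: an initiation from a known peer is accepted only if its
 * timestamp is strictly greater than the last one accepted from that peer,
 * so a captured first message cannot be replayed to force a new session.
 * Returns 1 when accepted (and records the timestamp), 0 when dropped. */
int bv_accept_initiation(struct bv_peer *peer, const uint8_t ts[TAI64N_LEN])
{
    if (memcmp(ts, peer->last_tai64n, TAI64N_LEN) <= 0)
        return 0;
    memcpy(peer->last_tai64n, ts, TAI64N_LEN);
    return 1;
}
```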
WireGuard support
- Changes to adopt WireGuard on BitVisor
- Use cases for BitVisor
- ECHO-CLIENT
- ECHO-SERVER
- Documentation is ready
- Available at /docs/wireguard.md
- Set up WireGuard on the Linux server
- Set up WireGuard on BitVisor
- Start the handshake
- Send messages with the telnet application
[Diagram (slide 13): WireGuard call flow across the BitVisor Network, LWIP and BitVisor Application layers]
- Receive path: nicfunc->net_recv_callback -> netif->input -> ethernet_input -> ip_input -> udp_input -> wireguardif_network_rx -> wireguard_decrypt_packet (encrypted packet in, decrypted packet out; find the netif) -> ip_input -> tcp_input -> echo_client_recv
- Send path: echo_client_send -> tcp_output -> ip_output -> wireguardif_peer_output -> wireguard_encrypt_packet -> udp_sendto (encrypted packet) -> ethernet_output -> netif->linkoutput -> nicfunc->send
- ARP: an incoming ARP packet goes ethernet_input -> etharp_input -> etharp_update_arp_entry; on output, an ETH+IP packet whose destination is found in the ARP table is sent directly, otherwise etharp_query -> etharp_request sends an ARP request and the ARP response fills the table.
WireGuard support
- Demo
[Diagram (slide 14): two hosts (Host A, Host B). One is a WireGuard-supported OS (eth0: 10.16.165.1, wg0: 192.168.3.1) running a TCP/IP server; the other is BitVisor (vm0: 10.16.2.15, wg1: 192.168.3.2) with Network Driver, WireGuard stack, LWIP and net_main running the TCP/IP client. A WireGuard tunnel carries the encrypted packets between the hosts; traffic is plain text inside each host.]
WireGuard for GuestOS
- Brief intro WireGuard for GuestOS
- Unlike the previous network setting where 'ip=pass', we now route all inbound/outbound IP packets of the Guest OS through the WireGuard tunnel.
- BitVisor replies with customized ARP and DHCP packets to the Guest OS, so that the remote WireGuard server is treated as the gateway.
- No configuration effort is needed on the Guest OS; in other words, a basic OS installation is sufficient.
WireGuard for GuestOS
- Brief intro WireGuard for GuestOS
[Diagram (slide 16): two hosts (Host A, Host B). One is a WireGuard-supported OS (eth0: 10.16.165.1, wg0: 192.168.3.1); the other is BitVisor (vm0: 10.16.2.15, wg1: 192.168.3.2) with Network Driver, WireGuard stack, net_main, and net_main_wg + LWIP acting as the DHCP & ARP agent for the Guest OS (eth0: 192.168.3.3). Plain text between the Guest OS and BitVisor; encrypted packets through the WireGuard tunnel.]
DHCP & ARP agent:
- Replies to the ARP request for the gateway.
- Replies to the DHCP request, making the Guest OS believe that Host B is the default gateway.
WireGuard for GuestOS
- Advantages for BitVisor
- Security
- Any data sent out by the Guest OS is encrypted, which helps protect against snooping. This setup also blocks VPN setting changes without the right permission.
- Isolation
- The Guest OS receives a private IP, which keeps it separate from other networks.
- Ease of management:
- It is easier to handle and monitor network traffic at the VMM level and to enforce security rules.
WireGuard for GuestOS
- Code change:
- Input/Output:
- Leverage the existing LWIP hook function.
- Inject packets into the WireGuard lwIP netif instance.
- DHCP/ARP agent in wg_net_main.c
- New defconfig items:
- WG network parameters
- Guest OS ip address, dns, mac_gateway
- Documentation is ready:
- Available at /docs/wireguard_guest_os.md
- Set up WireGuard on the Linux server
- Set up WireGuard on BitVisor
- Observe the handshake in the log
- Observe the network traffic of the guest OS
WireGuard for GuestOS
[Diagram (slide 19): WireGuard for GuestOS call flow across the BitVisor Network, LWIP, net_main_wg and BitVisor Network layers]
- Receive path (physical NIC to Guest OS): nicfunc->net_recv_callback -> netif->input -> ethernet_input -> ip_input -> udp_input -> wireguardif_network_rx -> wireguard_decrypt_packet (encrypted packet in, decrypted packet out) -> ip_input -> wg_ip4_input_hook -> net_main_send_virt
- Send path (Guest OS to tunnel): net_ip_virt_recv -> wg_gos_routing -> send_to_wg (inject to the wg netif) -> wireguardif_peer_output -> wireguard_encrypt_packet -> udp_sendto (encrypted packet) -> ethernet_output -> netif->linkoutput -> nicfunc->send. Guest ARP and DHCP requests are answered locally by reply_arp and reply_dhcp instead of entering the tunnel.
- ARP on the physical link: etharp_input -> etharp_update_arp_entry on input; when an output destination is not found in the ARP table, etharp_query -> etharp_request sends an ARP request and the ARP response fills the table.
DEMO
- Mbed-TLS
- BitVisor as an echo server interacting with OpenSSL
- WireGuard
- BitVisor as an echo client
- WireGuard Guest OS
- All input/output packets go through the tunnel
