Results 1 - 10
of
13
Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework*
"... Abstract — We present the design, implementation, and verification of XMHF – an eXtensible and Modular Hypervisor Framework. XMHF is designed to achieve three goals – modular extensibility, automated verification, and high performance. XMHF includes a core that provides functionality common to many ..."
Abstract
-
Cited by 12 (3 self)
- Add to MetaCart
(Show Context)
Abstract — We present the design, implementation, and verification of XMHF – an eXtensible and Modular Hypervisor Framework. XMHF is designed to achieve three goals – modular extensibility, automated verification, and high performance. XMHF includes a core that provides functionality common to many hypervisor-based security architectures and supports extensions that augment the core with additional security or functional properties while preserving the fundamental hypervisor security property of memory integrity (i.e., ensuring that the hypervisor’s memory is not modified by software running at a lower privilege level). We verify the memory integrity of the XMHF core – 6018 lines of code – using a combination of automated and manual techniques. The model checker CBMC automatically verifies 5208 lines of C code in about 80 seconds using less than 2GB of RAM. We manually audit the remaining 422 lines of C code and388 lines of assembly language code that are stable and unlikely to change as development proceeds. Our experiments indicate that XMHF’s performance is comparable to popular high-performance general-purpose hypervisors for the single guest that it supports.
Taming Hosted Hypervisors with (Mostly) Deprivileged Execution
"... Recent years have witnessed increased adoption of hosted hypervisors in virtualized computer systems. By non-intrusively extending commodity OSs, hosted hypervi-sors can effectively take advantage of a variety of mature and stable features as well as the existing broad user base of commodity OSs. Ho ..."
Abstract
-
Cited by 2 (0 self)
- Add to MetaCart
(Show Context)
Recent years have witnessed increased adoption of hosted hypervisors in virtualized computer systems. By non-intrusively extending commodity OSs, hosted hypervi-sors can effectively take advantage of a variety of mature and stable features as well as the existing broad user base of commodity OSs. However, virtualizing a computer system is still a rather complex task. As a result, existing hosted hypervisors typically have a large code base (e.g., 33.6K SLOC for KVM), which inevitably introduces exploitable software bugs. Unfortunately, any compromised hosted hy-pervisor can immediately jeopardize the host system and subsequently affect all running guests in the same physical machine. In this paper, we present a system that aims to dramati-cally reduce the exposed attack surface of a hosted hypervi-sor by deprivileging its execution to user mode. In essence, by decoupling the hypervisor code from the host OS and deprivileging its execution, our system demotes the hyper-visor mostly as a user-level library, which not only substan-tially reduces the attack surface (with a much smaller TCB), but also brings additional benefits in allowing for better de-velopment and debugging as well as concurrent execution of multiple hypervisors in the same physical machine. To evaluate its effectiveness, we have developed a proof-of-concept prototype that successfully deprivileges ∼ 93.2% of the loadable KVM module code base in user mode while only adding a small TCB (2.3K SLOC) to the host OS ker-nel. Additional evaluation results with a number of bench-mark programs further demonstrate its practicality and ef-ficiency. 1
HyperCheck: A Hardware-Assisted Integrity Monitor
"... Abstract—The advent of cloud computing and inexpensive multi-core desktop architectures has led to the widespread adoption of virtualization technologies. Furthermore, security researchers embraced virtual machine monitors (VMMs) as a new mechanism to guarantee deep isolation of untrusted software c ..."
Abstract
-
Cited by 1 (1 self)
- Add to MetaCart
(Show Context)
Abstract—The advent of cloud computing and inexpensive multi-core desktop architectures has led to the widespread adoption of virtualization technologies. Furthermore, security researchers embraced virtual machine monitors (VMMs) as a new mechanism to guarantee deep isolation of untrusted software components, which, coupled with their popularity, promoted VMMs as a prime target for exploitation. In this paper, we present HyperCheck, a hardware-assisted tampering detection framework designed to protect the integrity of hypervisors and operating systems. Our approach leverages System Management Mode (SMM), a CPU mode in 86 architecture, to transparently and securely acquire and transmit the full state of a protected machine to a remote server. We have implement two prototypes based on our framework design: HyperCheck-I and HyperCheck-II, that vary in their security assumptions and OS code dependence. In our experiments, we are able to identify rootkits that target the integrity of both hypervisors and operating systems. We show that HyperCheck can defend against attacks that attempt to evade our system. In terms of performance, we measured that HyperCheck can communicate the entire static code of Xen hypervisor and CPU register states in less than 90 million CPU cycles, or 90 ms on a 1 GHz CPU. Index Terms—Hypervisor, system management mode, kernel, Coreboot Ç
Auditing Cloud Administrators Using Information Flow Tracking
"... In the last few years, cloud computing has evolved from being a promising business concept to one of the fastest growing segments of the IT industry. However, one im-pediment to widespread adoption by enterprise customers is the threat of attack by a malicious cloud administrator. To address this se ..."
Abstract
-
Cited by 1 (0 self)
- Add to MetaCart
(Show Context)
In the last few years, cloud computing has evolved from being a promising business concept to one of the fastest growing segments of the IT industry. However, one im-pediment to widespread adoption by enterprise customers is the threat of attack by a malicious cloud administrator. To address this security and privacy challenge, we propose H-one, a new auditing mechanism for cloud. H-one uses in-formation flow tracking techniques to implement complete, efficient and privacy-preserving logs that will enable the au-diting of the administrators of the cloud infrastructure, thus increasing the customer’s trust in cloud services.
SecPod: A Framework for Virtualization-based Security Systems
"... abstract The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thu ..."
Abstract
- Add to MetaCart
(Show Context)
abstract The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.
GEEC ∗ All the Way Down
"... How do we formally verify security properties in to-day’s malleable and evolving Commodity System Soft-ware (COSS) ecosystem? Recent advances in applying formal methods to systems software, e.g., IronClad [16] and seL4 [19], promise that this vision is not a fool’s er-rand after all. In this positio ..."
Abstract
- Add to MetaCart
How do we formally verify security properties in to-day’s malleable and evolving Commodity System Soft-ware (COSS) ecosystem? Recent advances in applying formal methods to systems software, e.g., IronClad [16] and seL4 [19], promise that this vision is not a fool’s er-rand after all. In this position paper we explore the chal-lenges involved in this problem, what research questions the state of the art leaves still open, and our proposal for the next step towards realizing this vision. 1 Problem Statement Today’s commodity system software (COSS) stack com-prises chiefly the BIOS, hypervisor (e.g., cloud), and the OS. These components are complex since they deal with low-level hardware features, especially at early stages of initialization. The complexity increases considerably with extensions required to enable additional platform functionality. For example, BIOS extensions such as op-tion ROMs allow device-specific initialization, and EFI BIOS extensions enable filesystem and network access. Similarly, although hypervisors and VMMs started off as monolithic software aimed at managing virtual ma-chines, they evolved to a convenient point of observation and mediation of useful (security) services that are real-
ARMlock: Hardware-based Fault Isolation for ARM
"... ABSTRACT Software fault isolation (SFI) is an effective mechanism to confine untrusted modules inside isolated domains to protect their host applications. Since its debut, researchers have proposed different SFI systems for many purposes such as safe execution of untrusted native browser plugins. H ..."
Abstract
- Add to MetaCart
(Show Context)
ABSTRACT Software fault isolation (SFI) is an effective mechanism to confine untrusted modules inside isolated domains to protect their host applications. Since its debut, researchers have proposed different SFI systems for many purposes such as safe execution of untrusted native browser plugins. However, most of these systems focus on the x86 architecture. In recent years, ARM has become the dominant architecture for mobile devices and gains in popularity in data centers. Hence there is a compelling need for an efficient SFI system for the ARM architecture. Unfortunately, existing systems either have prohibitively high performance overhead or place various limitations on the memory layout and instructions of untrusted modules. In this paper, we propose ARMlock, a hardware-based fault isolation for ARM. It uniquely leverages the memory domain support in ARM processors to create multiple sandboxes. Memory accesses by the untrusted module (including read, write, and execution) are strictly confined by the hardware, and instructions running inside the sandbox execute at the same speed as those outside it. ARMlock imposes virtually no structural constraints on untrusted modules. For example, they can use self-modifying code, receive exceptions, and make system calls. Moreover, system calls can be interposed by ARMlock to enforce the policies set by the host. We have implemented a prototype of ARMlock for Linux that supports the popular ARMv6 and ARMv7 sub-architecture. Our security assessment and performance measurement show that ARMlock is practical, effective, and efficient.
Design and Implementation of an eXtensible and Modular Hypervisor Framework*
, 2012
"... This paper presents our efforts in developing XMHF, an eXtensible and Modular Hypervisor Framework. XMHF takes adeveloper-centric approachtohypervisordesignandimplementation, and strives to be a comprehensible and flexible platform for performing hypervisor research and development. XMHF encapsulate ..."
Abstract
- Add to MetaCart
(Show Context)
This paper presents our efforts in developing XMHF, an eXtensible and Modular Hypervisor Framework. XMHF takes adeveloper-centric approachtohypervisordesignandimplementation, and strives to be a comprehensible and flexible platform for performing hypervisor research and development. XMHF encapsulates common hypervisor core functionality in a framework that allows others to build custom hypervisor-based solutions (called “hypapps”) while freeing them from a considerable amount of wheel-reinventing that is often associated with such efforts. We are encouraged by the end result – a clean, barebones hypervisor framework with desirable performance characteristics and an architecture amenable to formal analysis. Keywords eXtensibleModularHypervisorFramework,hypervisor-based applications, hypapps, dynamic root of trust, nested (2dimensional) paging
Keywords:
, 2015
"... upsurges the capabilities of the hardware resources by optimal and shared utilization. ud provid tion [78]. omers to p extraordinary expertise pertaining to the cloud specific technologies [5]. The management of the technology and s has moved from user to the service provider’s end [5]. ..."
Abstract
- Add to MetaCart
(Show Context)
upsurges the capabilities of the hardware resources by optimal and shared utilization. ud provid tion [78]. omers to p extraordinary expertise pertaining to the cloud specific technologies [5]. The management of the technology and s has moved from user to the service provider’s end [5].
Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework*
"... Abstract — We present the design, implementation, and verification of XMHF – an eXtensible and Modular Hypervisor Framework. XMHF is designed to achieve three goals – modu-lar extensibility, automated verification, and high performance. XMHF includes a core that provides functionality common to many ..."
Abstract
- Add to MetaCart
(Show Context)
Abstract — We present the design, implementation, and verification of XMHF – an eXtensible and Modular Hypervisor Framework. XMHF is designed to achieve three goals – modu-lar extensibility, automated verification, and high performance. XMHF includes a core that provides functionality common to many hypervisor-based security architectures and supports extensions that augment the core with additional security or functional properties while preserving the fundamental hyper-visor security property of memory integrity (i.e., ensuring that the hypervisor’s memory is not modified by software running at a lower privilege level). We verify the memory integrity of the XMHF core – 6018 lines of code – using a combination of automated and manual techniques. The model checker CBMC automatically verifies 5208 lines of C code in about 80 seconds using less than 2GB of RAM. We manually audit the remaining 422 lines of C code and 388 lines of assembly language code that are stable and unlikely to change as development proceeds. Our experiments indicate that XMHF’s performance is comparable to popular high-performance general-purpose hypervisors for the single guest that it supports.
