Presentation is loading. Please wait.

Presentation is loading. Please wait.

H YPER S AFE : A L IGHTWEIGHT A PPROACH TO P ROVIDE L IFETIME H YPERVISOR C ONTROL -F LOW I NTEGRITY Self Protection for the Hypervisor.

Published byAllen Lynch Modified over 8 years ago

Similar presentations

Presentation on theme: "H YPER S AFE : A L IGHTWEIGHT A PPROACH TO P ROVIDE L IFETIME H YPERVISOR C ONTROL -F LOW I NTEGRITY Self Protection for the Hypervisor."— Presentation transcript:

1 H YPER S AFE : A L IGHTWEIGHT A PPROACH TO P ROVIDE L IFETIME H YPERVISOR C ONTROL -F LOW I NTEGRITY Self Protection for the Hypervisor

2 I NTRODUCTION Paper: HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity Authors: Zhi Wang and Xuxian Jiang Department of Computer Science, North Carolina State University Presented at: 31st IEEE Symposium on Security & Privacy, Oakland, CA USA, May 2010

3 I NTRODUCTION Figures in presentation credited to original paper and presentation Presentation by Jon Rhoades – Digital Forensics Program – UCF Questions during presentation are welcome

4 F OR C ONTEXT W HAT IS IT ? Present HyperSafe A framework capability to protect Virtualization Hypervisors from security threats Primary Two Techniques Non-bypassable memory lockdown Restricted pointer indexing The framework has been used for a prototype system for BitVisor and Xen

5 H YPERVISOR Virtual Machine Manager Controls when and how the Virtual Machines start and stop Access to VM settings Allocates and manages resources for the Virtual Machines Established Running Examples of Hypervisors Xen, VMware ESX

6 W HAT ARE THE T HREATS VMs vulnerable if Hypervisor is hacked Xen 2007-9 26 security vulnerabilities identified* VMware ESX 2007-9 18 security vulnerabilities identified* Code base for Hypervisors growing Xen 230K lines of code Hypervisor runs at lowest level of software stack * Source: National Vulnerability Database

7 W HY P ROTECT T HE H YPERVISOR Rapid growth in adoption of Virtual Machines 16% of server workload in 2010 50% by 2012 (estimated) VM escape attacks Break out of a VM and access HyperVisor Hypervisor based rootkits If you get control of Hypervisor you have control of the VMs Console access Physical access

8 T YPES OF H YPERVISORS Type I –No underlying OS ( VMware ESXi, Citirix XexServer) II – Hypervisor loaded onto an OS ( Microsoft Virtual PC, VMware Server) Type I is also referred to as bare metal or native hypervisor

9 G OALS OF H YPER S AFE Enable self protection of commodity type-I (bare- metal) hypervisors Not require significant changes to the existing hypervisor design and function Efficiently implemented on commodity hardware Assumptions Trustworthy hardware Software bugs in hypervisor

10 H OW DOES H YPER S AFE W ORK ? Protects the memory space the hypervisor runs in Provides structure for calls and returns Two main Techniques Non-bypassable memory lockdown Current hypervisors all page tables are writable Restricted pointer indexing Control what functions can be called and acceptable return addresses

11 N ON - BYPASSABLE M EMORY L OCKDOWN Most significant technique Divides memory (physical and virtual) into page tables Each table has a number of page table entries. (512 in x86_64) Each entry has certain bits to specify protection attributes (writable(r/w), executable, or specify user or supervisor(u/s)) A page can either be executable OR writable Hypervisor code is write protected Sometime it needs to be updated (benign update)

12 B ENIGN U PDATE Sometimes executable memory needs to be updated / written to Supervisor only not User Technique uses the W P bit (Write Protect) in hardware On initial load set page tables read only and W P bit on On benign update clear W P bit, make the change, then set the W P bit on HyperSafe can ensure the action matches a security policy During process disable interrupts then re-enable

13 U PDATES Effectively locks down access to hypervisor code to ensure integrity

14 R ESTRICTED P OINTER I NDEXING Restrict control of functions and return addresses from the user space Establishes tables maintained in protected memory for approved function and ret calls The table contains the pointers to the approved functions and returns

15 R ESTRICTED P OINT I NDEXING

16 P RODUCTION U SE Prototype developed for BitVisor and Xen HyperSafe protection Used attacks mimicking those in the National Vulnerability Database Performed as designed Writing to protected page tables generated error codes Attempts to change control flow were silently defeated

17 P ERFORMANCE O VERHEAD Performance hit of about 5% (3% for –m) HyperSafe-m is HyperSafe with some optimization

18 C ONTRIBUTIONS A framework with two techniques to protect hypervisors Protect the memory space Protect control flow Actually did it vs. just talk about what is possible

19 W EAKNESS Not actionable for IT security groups I can’t get it and use it No commercial or open source plans Not clear to me on how you deploy HyperSafe Assumption is modify the source code of hypervisor software and kernel and recompile it

20 I MPROVEMENT Get it in the field Partner with hypervisor vendors VMware would be a big one

Download ppt "H YPER S AFE : A L IGHTWEIGHT A PPROACH TO P ROVIDE L IFETIME H YPERVISOR C ONTROL -F LOW I NTEGRITY Self Protection for the Hypervisor."

Similar presentations

Virtualization Dr. Michael L. Collard

Virtualization Dr. Michael L. Collard
Virtualisation From the Bottom Up From storage to application.

Virtualisation From the Bottom Up From storage to application.
Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang Department of Computer Science, North Carolina State University Xiaolan Zhang IBM T.J. Watson Research.

Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang Department of Computer Science, North Carolina State University Xiaolan Zhang IBM T.J. Watson Research.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.

Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.
Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.

Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
InkTag: Secure Applications on an Untrusted Operating system

InkTag: Secure Applications on an Untrusted Operating system
Memory Management 2010.

Memory Management 2010.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
Supporting ethtool with Linux Integration Service Open Source Technology Center Microsoft.

Supporting ethtool with Linux Integration Service Open Source Technology Center Microsoft.
Threads CS 416: Operating Systems Design, Spring 2001 Department of Computer Science Rutgers University

Threads CS 416: Operating Systems Design, Spring 2001 Department of Computer Science Rutgers University
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Virtualization 101.

Virtualization 101.
LINUX Virtualization Running other code under LINUX.

LINUX Virtualization Running other code under LINUX.
5205 – IT Service Delivery and Support

5205 – IT Service Delivery and Support
Virtualization 101.

Virtualization 101.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Similar presentations

Ads by Google