Securing virtualization: techniques and applications

Virtualization is being widely adopted in today’s computing systems. Its unique advantages in isolating and introspecting commodity OSes as virtual machines have enabled a wide spectrum of applications. However, a common, fundamental assumption of all these virtualization-based systems is the presence of a trustworthy hypervisor. Unfortunately, recent successful attacks against hypervisors, in addition to the bloated trusted computing base and highly complex internal logic of commodity (type-I and type-II) hypervisors, seriously question the validity of this assumption. In this dissertation, we first present two systems to mitigate the threats posed by vulnerable type-I and type-II hypervisors, respectively: HyperSafe is a lightweight approach that enables control flow integrity of type-I hypervisors for their self-protection. It has two key techniques: non-bypassable memory lockdown reliably protects the hypervisor’s code integrity even in the presence of exploitable memory corruption bugs, and restricted pointer indexing enforces control flow integrity by converting control data into restricted pointer indexes; HyperLock is a systematic approach to strictly isolate vulnerable type-II hypervisors from compromising the host OSes. It also has two key techniques: hypervisor isolation runtime securely isolates a hypervisor in its own dedicated address space and restricts its instruction set for safe execution, and hypervisor shadowing efficiently creates an individual shadow hypervisor for each guest so that a compromised hypervisor can affect only the paired guest, not others. We have built a prototype for both systems based respectively on two open-source type-I hypervisors (i.e., BitVisor and Xen) and one type-II hypervisor (i.e., KVM). The security experiments and performance measurements of these prototypes demonstrated the practicality and effectiveness of our approaches. The above two systems lay a solid foundation for secure virtualization-based systems. A wide range of virtualization-based security mechanisms can benefit from them. HookSafe, the third system presented in this dissertation, is one such system designed to mitigate serious threats from kernel rootkits. Specifically, many kernel rootkits hide their presence and activities by subverting kernel hooks (function pointers). A critical step toward eliminating kernel rootkits is to protect such hooks from being hijacked. This remains as a challenge due to the so-called protection granularity gap: kernel hook protection requires byte-level granularity but commodity hardware only provides page-level protection. HookSafe leverages the virtualization technology to address this problem. A key observation behind our approach is that a kernel hook, once initialized, may be frequently read but rarely changed. As such, HookSafe relocates those kernel hooks to dedicated memory pages and regulates accesses to them efficiently with hardware-based page-level protection. Our experiments with a prototype of HookSafe demonstrate that HookSafe can enable large-scale hook protection with a small overhead.

[1]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[2]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[3]  Pradeep K. Khosla,et al.  SWATT: softWare-based attestation for embedded devices , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[4]  Zhi Wang,et al.  Defeating return-oriented rootkits with "Return-Less" kernels , 2010, EuroSys '10.

[5]  Zhi Wang,et al.  HyperSentry: enabling stealthy in-context measurement of hypervisor integrity , 2010, CCS '10.

[6]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[7]  Christopher Krügel,et al.  Exploring Multiple Execution Paths for Malware Analysis , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[8]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[9]  Somesh Jha,et al.  The design and implementation of microdrivers , 2008, ASPLOS.

[10]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[11]  Xi Wang,et al.  Software fault isolation with API integrity and multi-principal modules , 2011, SOSP.

[12]  Abhinav Srivastava,et al.  Efficient Monitoring of Untrusted Kernel-Mode Execution , 2011, NDSS.

[13]  A. Kivity,et al.  kvm : the Linux Virtual Machine Monitor , 2007 .

[14]  Robert N. M. Watson,et al.  Capsicum: Practical Capabilities for UNIX , 2010, USENIX Security Symposium.

[15]  Jennifer Rexford,et al.  Eliminating the hypervisor attack surface for a more secure cloud , 2011, CCS '11.

[16]  Brian N. Bershad,et al.  Improving the reliability of commodity operating systems , 2005, TOCS.

[17]  RICHARD J. FEIERTAG,et al.  The foundations of a provably secure operating system (PSOS) , 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[18]  Yi-Min Wang,et al.  Detecting stealth software with Strider GhostBuster , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[19]  Xuxian Jiang,et al.  Mapping kernel objects to enable systematic integrity checking , 2009, CCS.

[20]  Zhenkai Liang,et al.  HookFinder: Identifying and Understanding Malware Hooking Behaviors , 2008, NDSS.

[21]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[22]  Shigeru Chiba,et al.  BitVisor: a thin hypervisor for enforcing i/o device security , 2009, VEE '09.

[23]  Xuxian Jiang,et al.  Countering kernel rootkits with lightweight hook protection , 2009, CCS.

[24]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[25]  William A. Arbaugh,et al.  Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor , 2004, USENIX Security Symposium.

[26]  David Lie,et al.  Hypervisor Support for Identifying Covertly Executing Binaries , 2008, USENIX Security Symposium.

[27]  Helen J. Wang,et al.  SubVirt: implementing malware with virtual machines , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[28]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[29]  Tal Garfinkel,et al.  VMwareDecoupling Dynamic Program Analysis from Execution in Virtual Environments , 2008, USENIX Annual Technical Conference.

[30]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[31]  Alexander Aiken,et al.  A theory of type qualifiers , 1999, PLDI '99.

[32]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[33]  Rusty Russell,et al.  virtio: towards a de-facto standard for virtual I/O devices , 2008, OPSR.

[34]  Tal Garfinkel,et al.  Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools , 2003, NDSS.

[35]  Stephen McCamant,et al.  Evaluating SFI for a CISC Architecture , 2006, USENIX Security Symposium.

[36]  Bryan Ford,et al.  Vx32: Lightweight User-level Sandboxing on the x86 , 2008, USENIX Annual Technical Conference.

[37]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[38]  Lars Ole Andersen,et al.  Program Analysis and Specialization for the C Programming Language , 2005 .

[39]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[40]  Scott A. Rotondo Trusted Computing Group , 2011, Encyclopedia of Cryptography and Security.

[41]  Wenke Lee,et al.  Lares: An Architecture for Secure Active Monitoring Using Virtualization , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[42]  Felix C. Freiling,et al.  Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms , 2009, USENIX Security Symposium.

[43]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[44]  Michael W. Hicks,et al.  Automated detection of persistent kernel control-flow attacks , 2007, CCS '07.

[45]  Andrew Warfield,et al.  Xen and the art of virtualization , 2003, SOSP '03.

[46]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[47]  Zhi Wang,et al.  Countering Persistent Kernel Rootkits through Systematic Hook Discovery , 2008, RAID.

[48]  Ben Hardekopf,et al.  Semi-sparse flow-sensitive pointer analysis , 2009, POPL '09.

[49]  Jiang Wang,et al.  HyperCheck: A Hardware-AssistedIntegrity Monitor , 2014, IEEE Transactions on Dependable and Secure Computing.

[50]  Udo Steinberg,et al.  NOVA: a microhypervisor-based secure virtualization architecture , 2010, EuroSys '10.

[51]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[52]  Gernot Heiser,et al.  Hype and Virtue , 2007, HotOS.

[53]  Dawson R. Engler,et al.  Bugs as deviant behavior: a general approach to inferring errors in systems code , 2001, SOSP.

[54]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[55]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[56]  Silas Boyd-Wickizer,et al.  Tolerating Malicious Device Drivers in Linux , 2010, USENIX Annual Technical Conference.

[57]  Xuxian Jiang,et al.  Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing , 2008, RAID.

[58]  Jun Zhu,et al.  Breaking up is hard to do: security and functionality in a commodity hypervisor , 2011, SOSP.

[59]  Mark A. Hillebrand,et al.  Balancing the Load , 2009, Journal of Automated Reasoning.

[60]  Donghai Tian,et al.  Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions , 2011, NDSS.

[61]  Steven Hand,et al.  Improving Xen security through disaggregation , 2008, VEE '08.

[62]  William A. Arbaugh,et al.  An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data , 2006, USENIX Security Symposium.

[63]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[64]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[65]  John Wilander,et al.  A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention , 2003, NDSS.

[66]  Emin Gün Sirer,et al.  Device Driver Safety Through a Reference Validation Mechanism , 2008, OSDI.

[67]  Wenke Lee,et al.  K-Tracer: A System for Extracting Kernel Malware Behavior , 2009, NDSS.

[68]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[69]  Alexander Aiken,et al.  Verifying the Safety of User Pointer Dereferences , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[70]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[71]  Adam Lackorzynski,et al.  Virtual machines jailed: virtualization in systems with small trusted computing bases , 2009, VDTS '09.

[72]  Ondrej Lhoták,et al.  Points-to analysis using BDDs , 2003, PLDI '03.

[73]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[74]  Xuxian Jiang,et al.  Multi-aspect profiling of kernel rootkit behavior , 2009, EuroSys '09.

[75]  Muli Ben-Yehuda,et al.  The Turtles Project: Design and Implementation of Nested Virtualization , 2010, OSDI.

[76]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[77]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[78]  Galen C. Hunt,et al.  Detours: binary interception of Win32 functions , 1999 .