Requirements for an Integrity-Protected Hypervisor on the x86 Hardware Virtualized Architecture

Virtualization has been purported to be a panacea for many security problems. We analyze the feasibility of constructing an integrity-protected hypervisor on contemporary x86 hardware that includes virtualization support, observing that without the fundamental property of hypervisor integrity, no secrecy properties can be achieved. Unfortunately, we find that significant issues remain for constructing an integrity-protected hypervisor on such hardware. Based on our analysis, we describe a set of necessary rules that must be followed by hypervisor developers and users to maintain hypervisor integrity. No current hypervisor we are aware of adheres to all the rules. No current x86 hardware platform we are aware of even allows for the construction of an integrity-protected hypervisor. We provide a perspective on secure virtualization and outline a research agenda for achieving truly secure hypervisors.

[1]  Cynthia E. Irvine,et al.  Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor , 2000, USENIX Security Symposium.

[2]  Gerald J. Popek,et al.  Formal requirements for virtualizable third generation architectures , 1974, SOSP '73.

[3]  J. Heasman Implementing and Detecting a PCI Rootkit , 2006 .

[4]  Dilsun Kirli Kaynar,et al.  A Logic of Secure Systems and its Application to Trusted Computing , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[5]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[6]  Gernot Heiser,et al.  Hype and Virtue , 2007, HotOS.

[7]  Rafal Wojtczuk Subverting the Xen hypervisor , 2008 .

[8]  John Heasman Rootkits: Rootkit threats , 2006 .

[9]  Elaine Shi,et al.  Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems , 2005, SOSP '05.

[10]  Scott A. Rotondo Trusted Computing Group , 2011, Encyclopedia of Cryptography and Security.

[11]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[12]  Bernhard Kauer OSLO: Improving the Security of Trusted Computing , 2007, USENIX Security Symposium.

[13]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[14]  Stefan M. Petters,et al.  Towards trustworthy computing systems: taking microkernels to the next level , 2007, OPSR.

[15]  Arvind Seshadri,et al.  Attacking , Repairing , and Verifying SecVisor : A Retrospective on the Security of a Hypervisor , 2008 .

[16]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[17]  Paul A. Karger,et al.  Multi-level security requirements for hypervisors , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[18]  Chun-Kun,et al.  Lecture Note Sel4: Formal Verification of an Os Kernel , 2022 .

[19]  Sergey Bratus,et al.  TOCTOU, Traps, and Trusted Computing , 2008, TRUST.

[20]  Jochen Liedtke,et al.  The performance of μ-kernel-based systems , 1997, SOSP.