HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity

Virtualization is being widely adopted in today’s computing systems. Its unique security advantages in isolating and introspecting commodity OSes as virtual machines (VMs) have enabled a wide spectrum of applications. However, a common, fundamental assumption is the presence of a trustworthy hypervisor. Unfortunately, the large code base of commodity hypervisors and recent successful hypervisor attacks (e.g., VM escape) seriously question the validity of this assumption. In this paper, we present HyperSafe, a lightweight approach that endows existing Type-I bare-metal hypervisors with a unique self-protection capability to provide lifetime control-flow integrity. Specifically, we propose two key techniques. The first one, non-bypassable memory lockdown, reliably protects the hypervisor’s code and static data from being compromised even in the presence of exploitable memory corruption bugs (e.g., buffer overflows), therefore successfully providing hypervisor code integrity. The second one, restricted pointer indexing, introduces one layer of indirection to convert the control data into pointer indexes. These pointer indexes are restricted such that the corresponding call/return targets strictly follow the hypervisor control-flow graph, hence expanding protection to control-flow integrity. We have built a prototype and used it to protect two open-source Type-I hypervisors: BitVisor and Xen. The experimental results with synthetic hypervisor exploits and benchmarking programs show that HyperSafe can reliably enable hypervisor self-protection and provide the integrity guarantee with a small performance overhead.
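The following is an added illustration of the restricted pointer indexing idea from the abstract, not code from the HyperSafe prototype: one indirect call site keeps its control data as an index into a read-only, per-site table of CFG-permitted targets, so an overwritten index can only be rejected or land on a permitted handler. The handler names, `vcpu_state` and `HYPERSAFE_BAD_INDEX` are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not from the paper's prototype: restricted pointer indexing
 * for a single indirect call site. Handler names and the vcpu structure are
 * assumptions for illustration only. */

typedef int (*exit_handler_t)(uint64_t qual);

static int handle_cpuid(uint64_t qual) { return (int)(qual + 1); }
static int handle_io(uint64_t qual)    { return (int)(qual * 2); }

/* Per-call-site target table: exactly the handlers the hypervisor control-flow
 * graph permits at this site. Being const, it lives in read-only data, which
 * the paper's non-bypassable memory lockdown keeps write-protected. */
static const exit_handler_t exit_targets[] = { handle_cpuid, handle_io };
#define EXIT_TARGET_COUNT (sizeof exit_targets / sizeof exit_targets[0])

/* Control data as it sits in a corruptible, writable hypervisor structure.
 * It holds an index into exit_targets, never a raw code pointer. */
struct vcpu_state {
    uint32_t handler_idx;   /* the only control datum a memory-corruption bug can reach */
    uint64_t exit_qual;
};

/* Returned when the index falls outside the table. Every other path calls a
 * table entry, so the reached target always follows the CFG. */
#define HYPERSAFE_BAD_INDEX (-1)

int dispatch_exit(const struct vcpu_state *v)
{
    if (v->handler_idx >= EXIT_TARGET_COUNT)
        return HYPERSAFE_BAD_INDEX;   /* restriction: out-of-range index is rejected */
    return exit_targets[v->handler_idx](v->exit_qual);
}

/* Helper showing that whatever value is left in the index, control never
 * leaves the permitted set of targets. */
int dispatch_with_index(uint32_t idx, uint64_t qual)
{
    struct vcpu_state v = { idx, qual };
    return dispatch_exit(&v);
}
```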
