HyperVerify: A VM-assisted Architecture for Monitoring Hypervisor Non-control Data

Continuing bug reports and exploits in hypervisors indicate that hypervisors face integrity threats similar to those of traditional software. Previous approaches to protecting a hypervisor that rely on hardware features are not easy to extend. Besides, they mainly focus on code or control-data integrity, without paying much attention to protecting non-control data. In this paper, we present HyperVerify, a novel architecture to monitor hypervisor non-control data using a trusted VM. Since a VM cannot directly access a hypervisor's memory, HyperVerify programs a popular device driver to read the hypervisor's hardware state into the trusted VM. A memory analysis library is then used to translate the low-level hardware state into the high-level hypervisor context. Several monitoring processes use this context to monitor hypervisor non-control data integrity; each process is responsible for monitoring one kind of non-control data, so HyperVerify can flexibly support monitoring new kinds of data structure. The experimental evaluation of our prototype shows that HyperVerify incurs at most 4% performance overhead to end users.
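As an added illustration (not code from the paper or its prototype), the following sketches the pipeline the abstract describes on the trusted-VM side: a raw memory snapshot is translated into high-level hypervisor context, and one monitor per kind of non-control data checks an invariant over it. The domain-descriptor layout, the snapshot bytes and the invariants are constructed assumptions for this example, not Xen's or HyperVerify's real structures.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hypothetical descriptor for one VM (constructed layout, not a real hypervisor's):
# domain id (u16), privileged flag (u8), padding (u8), max_pages quota (u32).
DOMAIN_FMT = "<HBBI"
DOMAIN_SIZE = struct.calcsize(DOMAIN_FMT)  # 8 bytes


@dataclass
class Domain:
    domid: int
    is_privileged: bool
    max_pages: int


def translate(snapshot: bytes, base: int, count: int) -> List[Domain]:
    """Memory-analysis step: low-level bytes -> high-level hypervisor context."""
    domains = []
    for i in range(count):
        off = base + i * DOMAIN_SIZE
        domid, priv, _pad, max_pages = struct.unpack_from(DOMAIN_FMT, snapshot, off)
        domains.append(Domain(domid, bool(priv), max_pages))
    return domains


# Registry of monitors; each one is responsible for a single kind of
# non-control data, and a new kind is supported by registering one more function.
MONITORS: Dict[str, Callable[[List[Domain]], List[str]]] = {}


def monitor(name: str):
    def register(fn):
        MONITORS[name] = fn
        return fn
    return register


@monitor("privilege")
def check_privilege(domains: List[Domain]) -> List[str]:
    # Assumed invariant: only domain 0 may hold the privileged flag.
    return [f"dom{d.domid} gained privilege" for d in domains if d.is_privileged and d.domid != 0]


@monitor("quota")
def check_quota(domains: List[Domain], limit: int = 1 << 20) -> List[str]:
    # Assumed invariant: no domain's page quota exceeds the configured limit.
    return [f"dom{d.domid} max_pages {d.max_pages} exceeds limit" for d in domains if d.max_pages > limit]


def run_monitors(snapshot: bytes, base: int, count: int) -> Dict[str, List[str]]:
    ctx = translate(snapshot, base, count)
    return {name: fn(ctx) for name, fn in MONITORS.items()}


# Constructed snapshot: 16 bytes of unrelated memory, then three descriptors.
# dom0 is legitimately privileged; dom2's flag and quota have been tampered with.
SNAPSHOT = (b"\x00" * 16 + struct.pack(DOMAIN_FMT, 0, 1, 0, 4096)
            + struct.pack(DOMAIN_FMT, 1, 0, 0, 8192) + struct.pack(DOMAIN_FMT, 2, 1, 0, 1 << 21))
```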
