Kernel Protection Using Hardware- Based Virtualization. Jun Nakajima and Sainath Grandhi

Similar documents
Hybrid Virtualization The Next Generation of XenLinux

Running Windows 8 on top of Android with KVM. 21 October Zhi Wang, Jun Nakajima, Jack Ren

Virtualization in Linux KVM + QEMU

Nested Virtualization

Intel Virtualization Technology (VT) in Converged Application Platforms

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Virtual Machines. COMP 3361: Operating Systems I Winter

Virtualization Technology. Zhiming Shen

COLO: COarse-grain LOck-stepping Virtual Machine for Non-stop Service. Eddie Dong, Tao Hong, Xiaowei Yang

The Microsoft Windows Hypervisor High Level Architecture

Intel Ethernet and Configuring Single Root I/O Virtualization (SR-IOV) on Microsoft* Windows* Server 2012 Hyper-V. Technical Brief v1.

Advanced Computer Networks. Network I/O Virtualization

Intel Virtualization Technology Overview Yu Ke

Compromise-as-a-Service

Page Modification Logging for Virtual Machine Monitor White Paper

Kernel Virtual Machine

COLO: COarse-grain LOck-stepping Virtual Machine for Non-stop Service

Full and Para Virtualization

Intel Media SDK Library Distribution and Dispatching Process

Virtual machines and operating systems

Windows Server Virtualization & The Windows Hypervisor

x86 ISA Modifications to support Virtual Machines

COS 318: Operating Systems. Virtual Machine Monitors

How To Understand The Power Of A Virtual Machine Monitor (Vm) In A Linux Computer System (Or A Virtualized Computer)

Intel Trusted Platforms Overview

Intel Virtualization Technology FlexMigration Application Note

Attacking Hypervisors via Firmware and Hardware

Intel Service Assurance Administrator. Product Overview

Intel SSD 520 Series Specification Update

Hypervisors and Virtual Machines

PCI-SIG SR-IOV Primer. An Introduction to SR-IOV Technology Intel LAN Access Division

RAID and Storage Options Available on Intel Server Boards and Systems

Virtualization. Pradipta De

A Superior Hardware Platform for Server Virtualization

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones May 2011

kvm: Kernel-based Virtual Machine for Linux

MODULE 3 VIRTUALIZED DATA CENTER COMPUTE

The QEMU/KVM Hypervisor

Architecture of the Kernel-based Virtual Machine (KVM)

Creating Overlay Networks Using Intel Ethernet Converged Network Adapters

Virtualization. Types of Interfaces

How to Configure Intel X520 Ethernet Server Adapter Based Virtual Functions on Citrix* XenServer 6.0*

Intel Identity Protection Technology Enabling improved user-friendly strong authentication in VASCO's latest generation solutions

KVM: Kernel-based Virtualization Driver

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

The Transition to PCI Express* for Client SSDs

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. !

Basics of Virtualisation

Intel 810 and 815 Chipset Family Dynamic Video Memory Technology

Introduction to Virtualization & KVM

Intel Cloud Builder Guide: Cloud Design and Deployment on Intel Platforms

BHyVe. BSD Hypervisor. Neel Natu Peter Grehan

How to Configure Intel Ethernet Converged Network Adapter-Enabled Virtual Functions on VMware* ESXi* 5.1

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

Intel Cyber Security Briefing: Trends, Solutions, and Opportunities. Matthew Rosenquist, Cyber Security Strategist, Intel Corp

OSes. Arvind Seshadri Mark Luk Ning Qu Adrian Perrig SOSP2007. CyLab of CMU. SecVisor: A Tiny Hypervisor to Provide

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Specification Update. January 2014

Enabling Intel Virtualization Technology Features and Benefits

Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology

Intel Desktop Board D945GCPE Specification Update

Intel Identity Protection Technology (IPT)

Attacking Hypervisors via Firmware and Hardware

Intel Desktop Board D945GCPE

Virtualization and the U2 Databases

Brian Walters VMware Virtual Platform. Linux J. 1999, 63es, Article 6 (July 1999).

Virtualization VMware Inc. All rights reserved

Intel Desktop Board DG41BI

Hardware Based Virtualization Technologies. Elsie Wahlig Platform Software Architect

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Virtualization. Clothing the Wolf in Wool. Wednesday, April 17, 13

The Art of Virtualization with Free Software

Intel Desktop Board DG43RK

Intel Embedded Virtualization Manager

Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Achieving Real-Time Performance on a Virtualized Industrial Control Platform

A Hypervisor IPS based on Hardware assisted Virtualization Technology

x86 Virtualization Hardware Support Pla$orm Virtualiza.on

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

Virtualization. Dr. Yingwu Zhu

Intel Desktop Board DG41TY

AMD 64 Virtualization

RAID and Storage Options Available on Intel Server Boards and Systems based on Intel 5500/5520 and 3420 PCH Chipset

Intel Desktop Board DG41WV

Intel Desktop Board DG31PR

Intel Desktop Board DP55WB

Xen and the Art of. Virtualization. Ian Pratt

Nested Virtualization

Knut Omang Ifi/Oracle 19 Oct, 2015

Vendor Update Intel 49 th IDC HPC User Forum. Mike Lafferty HPC Marketing Intel Americas Corp.

WHITE PAPER. AMD-V Nested Paging. AMD-V Nested Paging. Issue Date: July, 2008 Revision: 1.0. Advanced Micro Devices, Inc.

Citrix and Intel Deliver Client Virtualization

The Xen of Virtualization

Intel Solid-State Drive Pro 2500 Series Opal* Compatibility Guide

Intel Desktop Board DP43BF

Intel Core i5 processor 520E CPU Embedded Application Power Guideline Addendum January 2011

Xen in Embedded Systems. Ray Kinsella Senior Software Engineer Embedded and Communications Group Intel Corporation

Intel Storage System SSR212CC Enclosure Management Software Installation Guide For Red Hat* Enterprise Linux

Transcription:

Kernel Protection Using Hardware- Based Virtualization Jun Nakajima and Sainath Grandhi 1

Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. INTEL PRODUCTS ARE NOT INTENDED FOR USE IN MEDICAL, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS. Intel may make changes to specifications and product descriptions at any time, without notice. All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice. Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request. Intel and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright 2016 Intel Corporation. 2

Agenda Hardware-Based Virtualization Monitoring/Protecting the Kernel in Virtualization Policy and Incident Handling Architecture and Implementation VM and Bare Metal Beyond Kernel Protection 3

Hardware Virtual Machines (VMs) App App... App VM 0 App App App VM 1 App App App Operating System Physical Host Hardware GFX A new layer of software... Guest OS 0... Guest OS 1 Processors Memory Graphics Virtual Machine Monitor (VMM) Physical Host Hardware Network Storage Keyboard / Mouse Without VMs: Single OS owns all hardware resources With VMs: Multiple OSes share hardware resources 4

Virtual Machine Monitor (VMM) Virtualization Non-Root Mode (Guest) Virtual Machines (VMs) VM 0 OS VM 1 OS VM 2 OS VM n OS VMM (a.k.a., hypervisor) Higher-level VMM Functions: Resource Discovery / Provisioning / Scheduling / User Interface Processor Virtualization Memory Virtualization I/O Device Virtualization State Control Context Switching PMEM Translation I/O DMA Remapping Linux Host/KVM Interrupt Remapping I/O Device Emulation Physical Platform Resources CPU 0 CPU n Storage Network Processors Memory I/O Devices 5

Overview of Kernel Protection VM (Guest) Memory: Monitoring Write-protection (RO) Processor (VCPU): CPU control monitoring/locking Extensions for security IOMMU: Monitoring Write-Protection Linux Kernel Processor Virtualization Memory Virtualization I/O Device Virtualization State Control VCPUs Higher-level VMM Functions: Resource Discovery / Provisioning / Scheduling / User Interface Context Switching Ext. PMEM Translation RO I/O DMA Remapping Linux Host/KVM RO Interrupt Remapping IOMMU I/O Device Emulation 6

Benefits of Virtualization-Based Kernel Protection More monitoring and isolation capabilities in virtualization than in native: Monitoring, isolation, and protection Hypervisor as Ring -1 or Virtualization Root Mode Security feature extensions to the CPUs so that the kernel can harden itself No or minimal modifications to guest Linux kernel: Can be implemented inside the hypervisor (e.g. KVM) Hot patches Applicable to bare metal kernel: Bare-metal Linux can de-privilege itself to become Virtualization Non-Root Mode Additional protection when running bare-metal containers, HPC without overhead 7

Kernel Memory Protection VM (Guest) Kernel can write-protect its own code or data by RO (Read-Only) permission for the page But the page can be modified by: Changing the permission, or Establishing different mapping with RW permission H/W-based virtualization can add enforcement by: RO permission for GPA* to HPA translation VM exit upon attempt to write the page *:GPA: Guest Physical Address, HPA: Host Physical Address RW RO RO Linux Kernel Page Tables GPA RW GPA GPA to HPA CPU 0 RO CPU n EPT or NPT Processors Memory 8

Kernel Memory Protection (cont.) Examples of code/data to monitor or protect: Kernel code and page tables entries for such mappings Syscall table IDT (Interrupt Descriptor Table) Various data structures, e.g. kernel data declared as const... 9

Protecting CPU State Control Linux kernel does not change the setting for CPU control at runtime: Control Registers CR0 PG, CD, WP, PE, CR4 UMIP, VMXE, SMXE, SMEP, SMAP, PKE, MSRs EFER PAT MISC_ENBLE Linux Kernel CPU 0 VCPUs: CR0, CR4, MSRs, VM (Guest) CPU n Processors 10

Security Feature Extensions to CPUs Implement new or future H/W security features in virtualization so that the current or older CPUs can take advantage of them Example: UMIP (User-Mode Instruction Prevention) can be mostly emulated by the exiting H/W virtualization feature Para-virtualization Requires modifications to the kernel 11

Protecting IOMMU State Control Setup once and never modified: Root Table Address Invalidation Queue Address Interrupt Remapping Table Address Feature Enabling: DMA Translation Interrupt Remapping Queued Invalidation 12

Policy and Incident Handling Monitor and protect specific kernel data/code and system resources (assets): <Which asset to monitor>, <Permission>, <Action upon Permission Violation> <Which asset to monitor> := Bits of a control register, MSRs, memory pages, or I/O ports, <Permission> := RO (Read-Only), XO (Execution Only), NA (No Access Allowed) <Action(s)> := Omit the attempt and log, Allow the attempt and log, 13

Architecture Overview (KVM Guests Only) Virt. Non-Root Mode Extend KVM: Kernel Monitoring/Protection VM 0 VM 1 User Process User Process OS OS Linux Kernel KVM Kernel Monitoring/Protection Physical Host Hardware 14

Architecture Overview (Host and KVM Guests) Virt. Non-Root Mode Extend KVM: VM 0 VM 1 Kernel Monitoring/Protection User Process User Process OS OS Thin Hypervisor for bare metal: Integrated into KVM Does not require QEMU Activated/deactivated at runtime from user-level Linux Kernel Passthrough KVM Platform Protection Kernel Monitoring/Protection Thin Hypervisor Physical Host Hardware 15

Bare-Metal Linux in Virtualization Non-Root Mode Bare-metal Linux can run like the native with Virtualization Non-Root Mode enabled: Pass-through I/O devices, interrupt controllers, timers, power management, No VM exits (Done by VM Exit Control ) Identity mapping (+ protection): EPT (Extended page tables) EPT(GPA) == HPA Use the bare metal kernel No additional memory for virtualization (except EPT) Platform protection Prevent access to platform resources Platform-specific MSRs, ports, I/O spaces 16

Switching from Virt. Non-Root to KVM (Virt. Root) Go back to Virtualization Root Mode to run guests on top of KVM: Avoid nested virtualization Current Implementation: 1. VM Exit in the kernel (e.g VMXOFF instruction) 2. VM Exit handler for the baremetal kernel 3. IRET to the next instruction that caused the VM exit (one after VMXOFF) User Process Linux Kernel Platform Protection User Process Passthrough Virt. Non-Root Mode VM 0 VM Entry/Exit Physical Host Hardware OS KVM VM 1 OS Kernel Monitoring/Protection 17

Prototype Implementation of Non-Root Mode Bare- Metal Linux User Process Add new IOCTLs to KVM De-privilege and privilege the current CPU (switch_and_exit) Start running in Virtualization Non-Root Mode from the next instruction in the KVM module Generate a dedicated VM exit to go back to Virtualization Root Mode Separate VM exit handler Monitoring and protection EPT is constructed in advance or at runtime (optional) Code changes are well contained in KVM module De-privileging Case switch_and_exit Construct VMCS VMCS.GUEST_RIP VM Entry point (Virt. Non-Root Mode) /dev/kvm KVM module 18

Comparison of Overhead Using lmbench (micro benchmark) and kernel build lmbench Kernel build 1.8 1.6 microsecond lmbench3 Results 1.2 % overhead with bare-metal kernel in Virtualization Non-Root Mode 1.4 1.2 1 0.8 0.6 0.4 0.2 0 null read write stat fstat open Bare Metal Non-Root Bare Metal KVM Guest lat_sys_call -P 1 -W 1000000 -N 1000 null *KVM guest - qemu-system-x86_64 -enable-kvm -cpu host - smp 4 -m 4096 -hda image_file -serial stdio 19

Beyond Kernel Protection Debugging: Monitor specific behaviors or events for debugging More operations are available in virtualization (Virtualization Non-Root Mode): PML (Page Modification Logging) Can be used to monitor memory activities, which guest physical memory pages are modified frequently #VE (Virtualization Exception) Additional exception regarding GPA to HPA translation (access to non-present guest physical memory) Hot patching and Intercepting exceptions (examples): Intercept #DE in the kernel (oftentimes used as DoS) Patching in the KVM module without modifying the kernel code 20

Current Status and Next Step Current Status: PoC has been done (< 1000 lines of code changes to KVM module only) Adding policies and actions Planning to share the patches and findings with the community Feedbacks are welcome Next Step: Reflect feedback to the design and patches Send out RFC 21

Q & A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information