Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Similar documents
Virtualization in Linux KVM + QEMU

Nested Virtualization

Full and Para Virtualization

Isolating Commodity Hosted Hypervisors with HyperLock

Intel Virtualization Technology Overview Yu Ke

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Hybrid Virtualization The Next Generation of XenLinux

Kernel Virtual Machine

Virtual Machines. COMP 3361: Operating Systems I Winter

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. !

Virtualization VMware Inc. All rights reserved

Virtual Switching Without a Hypervisor for a More Secure Cloud

Brian Walters VMware Virtual Platform. Linux J. 1999, 63es, Article 6 (July 1999).

Nested Virtualization

Virtualization Technology. Zhiming Shen

The Turtles Project: Design and Implementation of Nested Virtualization

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones May 2011

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

Attacking Hypervisors via Firmware and Hardware

Virtualization. Dr. Yingwu Zhu

Architecture of the Kernel-based Virtual Machine (KVM)

matasano Hardware Virtualization Rootkits Dino A. Dai Zovi

The Xen of Virtualization

Compromise-as-a-Service

Virtualization. Types of Interfaces

The NOVA Microhypervisor

Chapter 5 Cloud Resource Virtualization

Virtualization. Jukka K. Nurminen

Virtualization. Jia Rao Assistant Professor in CS

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers

Intel Virtualization Technology and Extensions

Virtualization for Cloud Computing

KVM Architecture Overview

CS5460: Operating Systems. Lecture: Virtualization 2. Anton Burtsev March, 2013

Microkernels, virtualization, exokernels. Tutorial 1 CSC469

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:

Virtualization. Pradipta De

Jukka Ylitalo Tik TKK, April 24, 2006

Nested Virtualization

Hypervisor Memory Forensics

CS 695 Topics in Virtualization and Cloud Computing. More Introduction + Processor Virtualization

x86 ISA Modifications to support Virtual Machines

Introduction to Virtualization & KVM

OS Virtualization. CSC 456 Final Presentation Brandon D. Shroyer

Cloud Computing. Dipl.-Wirt.-Inform. Robert Neumann

Intel Virtualization Technology Processor Virtualization Extensions and Intel Trusted execution Technology

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com

Survey On Hypervisors

FRONT FLYLEAF PAGE. This page has been intentionally left blank

COS 318: Operating Systems. Virtual Machine Monitors

Privacy Protection in Virtualized Multi-tenant Cloud: Software and Hardware Approaches

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

Hardware virtualization technology and its security

Bare-Metal Performance for x86 Virtualization

Secure In-VM Monitoring Using Hardware Virtualization

Distributed Systems. Virtualization. Paul Krzyzanowski

Platform Virtualization: Model, Challenges and Approaches

Outline. Outline. Why virtualization? Why not virtualize? Today s data center. Cloud computing. Virtual resource pool

Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Introduction...1 Overview of x86 Virtualization...2 CPU Virtualization...

Virtualization Technologies

Performance Profiling in a Virtualized Environment

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Introduction to Virtual Machines

Clouds, Virtualization and Security or Look Out Below

Chapter 16: Virtual Machines. Operating System Concepts 9 th Edition

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

Virtualisation Without a Hypervisor in Cloud Infrastructures: An Initial Analysis

Tracing Kernel Virtual Machines (KVM) and Linux Containers (LXC)

KVM: Kernel-based Virtualization Driver

Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions

Using Linux as Hypervisor with KVM

Enabling Intel Virtualization Technology Features and Benefits

9/26/2011. What is Virtualization? What are the different types of virtualization.

Virtual Computing and VMWare. Module 4

Enterprise-Class Virtualization with Open Source Technologies

Cloud Architecture and Virtualisation. Lecture 4 Virtualisation

Cloud Computing #6 - Virtualization

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Detection of virtual machine monitor corruptions

Hardware Based Virtualization Technologies. Elsie Wahlig Platform Software Architect

ELI: Bare-Metal Performance for I/O Virtualization

A quantitative comparison between xen and kvm

Advanced Computer Networks. Network I/O Virtualization

COM 444 Cloud Computing

Clouds Under the Covers. Elgazzar - CISC Fall

Virtual Machines. Virtualization

Virtualization Technology. Zhonghong Ou Data Communications Software Lab, Aalto University

IOS110. Virtualization 5/27/2014 1

Hypervisors and Virtual Machines

Virtual machines and operating systems

ARM VIRTUALIZATION FOR THE MASSES. Christoffer Dall

Networking for Caribbean Development

Virtualization. Michael Tsai 2015/06/08

Transcription:

Taming Hosted Hypervisors with (Mostly) Deprivileged Execution Chiachih Wu, Zhi Wang *, Xuxian Jiang North Carolina State University, * Florida State University

Virtualization is Widely Used 2 There are now hundreds of thousands of companies around the world using AWS to run all their business, or at least a portion of it. They are located across 190 countries, which is just about all of them on Earth. Werner Vogels, CTO at Amazon AWS Summit 12 Virtualization penetration has surpassed 50% of all server workloads, and continues to grow. Magic Quadrant for x86 Server Virtualization Infrastructure June 12

Threats to Hypervisors 3 Large Code Bases Hypervisor Xen (4.0) VMware ESXi 1 Hyper-V 1 SLOC 194K 200K 100K KVM (2.6.32.28) 33.6K 1: Data source: NOVA (Steinberg et al., EuroSys 10) Vulnerabilities Hypervisor Vulnerabilities Xen 41 KVM 24 VMware ESXi 43 VMware Workstation 49 Data source: National Vulnerability Database ( 09~ 12)

Threats to Hosted Hypervisors 4 Applications Applications Guest OS Guest OS Hypervisor Host OS Physical Hardware Can we prevent the compromised hypervisor from attacking the rest of the system?

DeHype 5 Decomposing the KVM hypervisor codebase De-privileged part user-level (93.2% codebase) Privileged part small kernel module (2.3 KSLOC) Guest VM Applications Applications Applications Applications Guest OS Guest OS Guest OS Guest OS De-privilege DeHyped KVM DeHyped KVM KVM Host OS HypeLet Host OS ~4% overhead Physical Hardware Physical Hardware

Challenges 6 Providing the OS services in user mode Minimizing performance overhead Supporting hardware-assisted memory virtualization at user-level

Challenge I 7 Providing the OS services in user mode De-privileged Hypervisor Hypervisor User Kernel Hypervisor HypeLet Host OS Physical Hardware Host OS Physical Hardware Original Hosted Hypervisor DeHype d Hosted Hypervisor

Dependency Decoupling 8 Abstracting the host OS interface and providing OS functionalities in user mode For example Memory allocator: kmalloc/kfree, alloc_page, etc. Kernel APIs for memory access: virt_to_page, etc. Scheduling, signal handling, invoking system calls Leveraging GLIBC

Dependency Decoupling 9 Name VMREAD VMWRITE GUEST_RUN GUEST_RUN_POST RDMSR WRMSR INVVPID INVEPT INIT_VCPU MAP_HVA_TO_PFH 10 privileged services provided by HypeLet Function Read VMCS fields Write VMCS fields Perform host-to-guest world switches Perform guest-to-host world switches Read MSR registers Write MSR registers Invalidate TLB mappings based on VPID Invalidate EPT mappings Initialize vcpu Translate host virtual address to physical frame Privileged instrustions Service routines

Challenge II 10 Minimizing performance overhead QEMU 1system call 1function call 195187 privileged instructions DeHyped KVM QEMU User Kernel HypeLet ~10% 195187 system calls Time

Optimization: Caching VMCS 11 VMCS (Virtual Machine Control Structure) ~90% of the privileged instructions issued by the hypervisor are for accessing VMCS Accessed by the hypervisor for monitoring or controlling the behavior of the guest VM Indirectly affected by the guest VM throughout the running period in guest mode

Optimization: Caching VMCS 12 Maintaining cached copy of VMCS in user-level Caching only the most frequently accessed fields Caching 8 VMWRITE d fields: 98.28% VMWRITE system calls reduced Top 8 Most Frequently VMWRITE d VMCS Fields CPU_BASED_VM_EXEC_CONTROL EPT_POINTER_HIGH EPT_POINTER GUEST_RIP VM_ENTRY_INTR_INFO_FIELD GUEST_RFLAGS GUEST_CR3 GUEST_RSP Caching 28 VMREAD d fields: 99.86% VMREAD system calls reduced

Challenge III 13 Supporting hardware-assisted memory virtualization at user-level Maintaining nested page tables which translate guest-physical to host-physical addresses Memory may be paged out Virtual-physical mapping information is unknown Preventing the untrusted hypervisors from accessing memory areas not belonged to them Bactch-processing NPT updates with sanity checks in HypeLet

Implementation and Evaluation 14 Prototype KVM 2.6.32.28 with qemu-kvm-0.14.0 ~93.2% of KVM codebase is de-privileged 2.3K SLOC small kernel module (HypeLet) Evaluation Security benefits Non-security benefits Performance

Testing real-world vulnerabilities 15 CVE-2010-0435 Guest OS causing a NULL pointer dereference (accessing debug registers with MOV) in KVM running in privileged mode Guest VM Applications Applications Applications Applications Guest OS Guest OS Whole System Crashes Guest OS KVM Host OS Guest OS DeHype KVM HypeLet Host OS KVM Particular Instance of QEMU+KVM Crashes Only Physical Hardware Physical Hardware

Facilitating hypervisor development 16 e.g., debugging the NPT fault handler with GDB continue the program set breakpoint NPT fault occurs register dump call trace

Running multiple hypervisors 17 Running each hypervisor in a different security level Suspicious guests: running on VMI-enabled hypervisors Others: running on normal hypervisors Live-migrating guests to another hypervisor in the same host computer 1. New vulnerability reported and fixed 2. Starting a patched hypervisor 3. Live-migrating all guests one-by-one

Performance Evaluation 18 Test platform Dell OptiPlex 980: Intel Core i7 860 + 3G RAM Host: Ubuntu 11.10 desktop + Linux kernel 2.6.32.28 Guests: Ubuntu 10.04.2 LTS server Benchmarks Software Package Version Configuration SPEC CPU2006 v1.0.1 Reportable int Bonnie++ 1.03e bonnie++ -f -n 256 Linux kernel 2.6.39.2 untar_kernel: tar zfx <KERNEL- TARBALL> make_kernel: make defconfig vmlinux

Relative Performance 19 100% 99% 98% 97% 96% 95% 94% 93% DeHype DeHype+VMCS caching DeHype+VMCS caching+securely NPT updates

Discussion 20 HypeLet and the host OS are a part of the TCB HypeLet is the main attack surface in the cloud environment HypeLet is highly constrained (2.3 KSLOC, 10 services) Prototype limitations Pinning guest memory Could be extended with Linux MMU notifier Not supporting all KVM features SMP Para-virtualized I/O

Related Work 21 Improving hypervisor security sel4 (Klein et al., SOSP 09), NOVA (Steinberg et al., EuroSys 10), HyperLock (Wang et al., EuroSys 12) Isolating untrusted device drivers Nooks (Swift et al., SOSP 03), Microdrivers (Ganapathy et al., ASPLOS 08) Applying virtualization to host security HookSafe (Wang et al., CCS 09), Lockdown (Vasudevan et al., TRUST 12)

Conclusion 22 DeHype substantially reduces hosted hypervisor s attack surface and brings additional benefits Better development and debugging Concurrent execution of multiple hypervisors Applications Applications Guest OS Guest OS 93.2% of original KVM DeHyped KVM HypeLet Host OS DeHyped KVM 2.3 KSLOC Physical Hardware

23 Thanks, Questions? Chiachih Wu cwu10@ncsu.edu

24 Backup Slides

Memory Rebasing 25 virtual physical u_addr 3. u_addr k_addr 2. Remapping the pinned memory to user space user kernel u_base k_addr 4. k_addr p_addr p_addr k_bas e 1. Pre-allocating pinned memory in kernel space

Securely Update NPT Entries 26 i Preventing the untrusted hypervisor from updating the NPT tables directly R Recording the update operations into buffer Batch-processing the updates in next host-toguest switch with sanity check (by HypeLet) Issue: the hypervisor needs the actual NPTs to traverse the layer-based NPTs j A k B l m C Update entry l 1. Allocate A; R[i]=A 2. Allocate B; A[j]=B 3. Allocate C; B[k]=C 4. Update C[l] Update entry m 1. A=R[i] 2. B=A[j] 3. C=B[k] 4. Update C[m] Cannot traverse Recording only

Pseudo NPT 27 Privileged Service Request Pseudo NPTs (allocated from heap) Host mode, User-level VM Entry i k R j A B C Real NPTs (allocated from the remapped memory pool) Time Buffer Allocate A; R[i]=A Allocate B; A[j]=B Allocate C; B[k]=C i R j A k B C Guest Mode Access Guest Host mode, Kernel-level

Intel VT-x: World Switches 28 VM Entry Transition from VMM to Guest (VMLAUNCH/VMRESUME) Enters VMX non-root operation (guest mode) Saves VMM state in VMCS Loads Guest state and exit criteria from VMCS VM Exit Transition from Guest to VMM (VMEXIT) Enters VMX root operation (host mode) Saves Guest state in VMCS Loads VMM state from VMCS Virtual Machine Applications Guest OS Virtual Machine Applications Guest OS VM Entry VM Exit Hypervisor Host OS Physical Hardware

Optimization: Caching VMCS 29 Top 28 Most Frequently VMREAD ed VMCS Fields GUEST_INTERRUPTIBILITY_INFO EXIT_QUALIFICATION GUEST_CS_BAS E IDT_VECTORING_INO_FIELD GUEST_PHYSICAL_ADDRESS_HI GH GUEST_PHYSICAL_ADDRESS VM_EXIT_INTR_INFO VM_EXIT_INSTRUCTION_LEN CPU_BASED_VM_EXEC_CONTRO L GUEST_CS_SELECT OR GUEST_CS_AR_BYTE S GUEST_PDPTR0_HIG H GUEST_PDPTR1_HIG H GUEST_PDPTR2_HIG H GUEST_PDPTR3_HIG H GUEST_DS_BAS E GUEST_ES_BAS E GUEST_PDPTR0 GUEST_PDPTR1 GUEST_PDPTR2 GUEST_PDPTR3 GUEST_RSP GUEST_RIP GUEST_CR0 GUEST_CR3 GUEST_CR4 GUEST_RFLAGS VM_EXIT_REASON

Combining privileged instructions 30 VMPTRLD: a privileged instruction to load guest states before switching to guest mode QEMU KVM_RUN DeHype d KVM VMPTRLD VMRESUME VMEXIT guest HypeLet VMRESUME VMEXIT guest User Kernel Time CPU intensive workload KVM handles most VM Exits One VMPTRLD is followed by multiple runs of (VMRESUME, VMEXIT) The latency of VMPTRLD is not significant

Combining privileged instructions 31 IO intensive workload QEMU handles most VM exits for issuing IO instructions One VMPTRLD is followed by one run of (VMRESUME, VMEXIT) VMPTRLD introduces significant latency QEMU KVM_RUN DeHype d KVM HypeLet VMPTRLD VMRESUME VMEXIT guest HypeLet VMPTRLD VMRESUME VMEXIT guest User Kernel Time Postponing the VMPTRLD instruction until the first VMRESUME instruction

Testing real-world vulnerabilities 32 CVE-2009-4031 KVM attempting to interpret wrong-size (too long) instructions Being exploited Causing large latencies in non-preempt hosts With DeHype Instruction emulation is done in user-level where preemption is natively enabled

Testing real-world vulnerabilities 33 CVE-2010-3881 KVM copying certain data structures to user program without clearing the padding Being exploited QEMU processes potentially obtaining sensitive information from kernel stack With DeHype QEMU process obtaining information from the stack of the hypervisor paired with it, not from the kernel stack

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information