
Requirements for an Integrity-Protected Hypervisor on the x86 Hardware Virtualized Architecture

Conference paper
Trust and Trustworthy Computing (Trust 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6101)

Abstract

Virtualization has been purported to be a panacea for many security problems. We analyze the feasibility of constructing an integrity-protected hypervisor on contemporary x86 hardware that includes virtualization support, observing that without the fundamental property of hypervisor integrity, no secrecy properties can be achieved. Unfortunately, we find that significant issues remain for constructing an integrity-protected hypervisor on such hardware. Based on our analysis, we describe a set of necessary rules that must be followed by hypervisor developers and users to maintain hypervisor integrity. No current hypervisor we are aware of adheres to all the rules. No current x86 hardware platform we are aware of even allows for the construction of an integrity-protected hypervisor. We provide a perspective on secure virtualization and outline a research agenda for achieving truly secure hypervisors.




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vasudevan, A., McCune, J.M., Qu, N., van Doorn, L., Perrig, A. (2010). Requirements for an Integrity-Protected Hypervisor on the x86 Hardware Virtualized Architecture. In: Acquisti, A., Smith, S.W., Sadeghi, AR. (eds) Trust and Trustworthy Computing. Trust 2010. Lecture Notes in Computer Science, vol 6101. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13869-0_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-13869-0_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-13868-3

  • Online ISBN: 978-3-642-13869-0

  • eBook Packages: Computer Science (R0)
