ABSTRACT
Vulnerabilities in hypervisors are crucial in multi-tenant clouds and attractive for attackers because a vulnerability in the hypervisor can undermine all the virtual machine (VM) security. This paper focuses on vulnerabilities in instruction emulators inside hypervisors. Vulnerabilities in instruction emulators are not rare; CVE-2017-2583, CVE-2016-9756, CVE-2015-0239, CVE-2014-3647, to name a few. For backward compatibility with legacy x86 CPUs, conventional hypervisors emulate arbitrary instructions at any time if requested. This design leads to a large attack surface, making it hard to get rid of vulnerabilities in the emulator.
This paper proposes FWinst that narrows the attack surface against vulnerabilities in the emulator. The key insight behind FWinst is that the emulator should emulate only a small subset of instructions, depending on the underlying CPU micro-architecture and the hypervisor configuration. FWinst recognizes emulation contexts in which the instruction emulator is invoked, and identifies a legitimate subset of instructions that are allowed to be emulated in the current context. By filtering out illegitimate instructions, FWinst narrows the attack surface. In particular, FWinst is effective on recent x86 micro-architectures because the legitimate subset becomes very small. Our experimental results demonstrate FWinst prevents existing vulnerabilities in the emulator from being exploited on Westmere micro-architecture, and the runtime overhead is negligible.
- 2017. ab - Apache HTTP server benchmarking tool. https://httpd.apache.org/docs/2.4/programs/ab.html. (2017).Google Scholar
- 2017. sysbench. https://github.com/akopytov/sysbench. (2017).Google Scholar
- 2017. Unix Bench. https://github.com/kdlucas/byte-unixbench. (2017).Google Scholar
- Nadav Amit, Dan Tsafrir, Assaf Schuster, Ahmad Ayoub, and Eran Shlomo. 2015. Virtual CPU Validation. In Proceedings of the 25th Symposium on Operating Systems Principles (SOSP '15). ACM, New York, NY, USA, 311--327. Google ScholarDigital Library
- Andrea Arcangeli. 2008. Using Linux as Hypervisor with KVM. https://indico.cern.ch/event/39755/attachments/797208/1092716/slides.pdf. (2008).Google Scholar
- Liang Deng, Peng Liu, Jun Xu, Ping Chen, and Qingkai Zeng. 2017. Dancing with Wolves: Towards Practical Event-driven VMM Monitoring. In Proceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE '17). ACM, New York, NY, USA, 83--96. Google ScholarDigital Library
- Baozeng Ding, Yeping He, Yanjun Wu, and Yuqi Lin. 2013. HyperVerify: A VM-assisted Architecture for Monitoring Hypervisor Non-control Data. In Proceedings of the 2013 IEEE Seventh International Conference on Software Security and Reliability Companion (SERE-C '13). IEEE Computer Society, Washington, DC, USA, 26--34. Google ScholarDigital Library
- KVM. 2016. KVM. http://www.linux-kvm.org/page/Main_Page. (2016).Google Scholar
- Anh Nguyen, Himanshu Raj, Shravan Rayanchu, Stefan Saroiu, and Alec Wolman. 2012. Delusional Boot: Securing Hypervisors Without Massive Re-engineering. In Proceedings of the 7th ACM European Conference on Computer Systems (EuroSys '12). ACM, New York, NY, USA, 141--154. Google ScholarDigital Library
- Junya Ogasawara and Kenji Kono. 2017. Nioh: Hardening The Hypervisor by Filtering Illegal I/O Requests to Virtual Devices. In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017). ACM, New York, NY, USA, 542--552. Google ScholarDigital Library
- Paolo Bonzini. 2014. KVM: x86 emulator: emulate MOVAPS and MOVAPD SSE instructions. Linux Kernel Mailing List. https://lkml.org/lkml/2014/3/17/384. (2014).Google Scholar
- Lei Shi, Yuming Wu, Yubin Xia, Nathan Dautenhahn, Haibo Chen, Binyu Zang, Haibing Guan, and Jinming Li. 2017. Deconstructing Xen. In The Network and Distributed System Security Symposium 2017 (NDSS '17).Google Scholar
- Udo Steinberg and Bernhard Kauer. 2010. NOVA: A Microhypervisor-based Secure Virtualization Architecture. In Proceedings of the 5th European Conference on Computer Systems (EuroSys '10). ACM, New York, NY, USA, 209--222. Google ScholarDigital Library
- Jakub Szefer, Eric Keller, Ruby B. Lee, and Jennifer Rexford. 2011. Eliminating the Hypervisor Attack Surface for a More Secure Cloud. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11). ACM, New York, NY, USA, 401--412. Google ScholarDigital Library
- Xenproject.org Security Team. 2017. Xen Security Advisory. https://xenbits.xen.org/xsa/. (2017).Google Scholar
- Zhi Wang and Xuxian Jiang. 2010. HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. In IEEE Symposium on Security and Privacy. IEEE, 380--395. Google ScholarDigital Library
- Zhi Wang, Chiachih Wu, Michael Grace, and Xuxian Jiang. 2012. Isolating Commodity Hosted Hypervisors with HyperLock. In Proceedings of the 7th ACM European Conference on Computer Systems (EuroSys '12). ACM, New York, NY, USA, 127--140. Google ScholarDigital Library
- Chiachih Wu, Zhi Wang, and Xuxian Jiang. 2013. Taming Hosted Hypervisors with (Mostly) Deprivileged Execution.. In NDSS (NDSS '13). The Internet Society.Google Scholar
Index Terms
- Hardening Hypervisors against Vulnerabilities in Instruction Emulators
Recommendations
Isolating commodity hosted hypervisors with HyperLock
EuroSys '12: Proceedings of the 7th ACM european conference on Computer SystemsHosted hypervisors (e.g., KVM) are being widely deployed. One key reason is that they can effectively take advantage of the mature features and broad user bases of commodity operating systems. However, they are not immune to exploitable software bugs. ...
Architectural support for hypervisor-secure virtualization
ASPLOS '12Virtualization has become a standard part of many computer systems. A key part of virtualization is the all-powerful hypervisor which manages the physical platform and can access all of its resources, including memory assigned to the guest virtual ...
Architectural support for hypervisor-secure virtualization
ASPLOS '12Virtualization has become a standard part of many computer systems. A key part of virtualization is the all-powerful hypervisor which manages the physical platform and can access all of its resources, including memory assigned to the guest virtual ...
Comments