ABSTRACT
Hypervisor vulnerabilities cause severe security issues in multi-tenant cloud environments because hypervisors are what guarantees isolation among virtual machines (VMs). Unfortunately, hypervisor vulnerabilities are continuously reported, and device emulation in hypervisors is one of the hotbeds because of its complexity. Although applying patches is the common way to protect hypervisors against these vulnerabilities, developing a patch takes time because it requires internal knowledge of the hypervisor. Hypervisors remain exposed to exploitation of the vulnerabilities until the patches are released.
This paper proposes Nioh-PT, a framework for filtering illegal I/O requests that reduces the vulnerability windows of device emulation. The key insight of Nioh-PT is that malicious I/O requests contain illegal I/O sequences: series of I/O requests that are never issued during normal I/O operations. Nioh-PT filters out these illegal I/O sequences and thereby protects device emulators against exploitation. The filtering rules, which define the illegal I/O sequences of virtual device exploits, can be specified without knowledge of the internal implementation of hypervisors and virtual devices, because Nioh-PT is decoupled from both the hypervisor and the device emulators. We develop 11 filtering rules against four real-world vulnerabilities in device emulation, including CVE-2015-3456 (VENOM) and CVE-2016-7909. We demonstrate that Nioh-PT with these filtering rules protects against the virtual device exploits and introduces negligible overhead of up to 8% for filesystem and storage benchmarks.
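As an added illustration of the filtering idea in the abstract (not Nioh-PT's own code), the following Python models one hypothetical virtual device with a command port, a parameter port and a status port, and rejects I/O sequences that a well-behaved guest driver would never issue. Ports, command bytes and parameter counts are constructed, and the rules consult only the observed I/O stream, never the emulator's internals.

```python
from dataclasses import dataclass
# Constructed example (not Nioh-PT's code): a rule-based I/O-sequence filter in
# the spirit of the abstract. The device protocol and port numbers below are
# hypothetical; real rules would encode the legal sequences of the real device.
CMD_PORT, DATA_PORT, STATUS_PORT = 0x1F0, 0x1F1, 0x1F2   # hypothetical ports
PARAM_COUNT = {0x01: 2, 0x02: 4}   # hypothetical command byte -> parameter bytes

@dataclass
class IoRequest:
    port: int
    is_write: bool
    value: int = 0

@dataclass
class SeqState:                     # where the guest is in a legal command sequence
    cmd: "int | None" = None        # active command byte, None when idle
    params_seen: int = 0

def rule_known_command(st, rq):
    if rq.is_write and rq.port == CMD_PORT and rq.value not in PARAM_COUNT:
        return "unknown command byte"

def rule_no_param_without_command(st, rq):
    if rq.is_write and rq.port == DATA_PORT and st.cmd is None:
        return "parameter byte without an active command"

def rule_param_count(st, rq):
    # A command declaring N parameters must never receive an (N+1)th byte.
    if (rq.is_write and rq.port == DATA_PORT and st.cmd is not None
            and st.params_seen >= PARAM_COUNT[st.cmd]):
        return "more parameter bytes than the command accepts"
RULES = [rule_known_command, rule_no_param_without_command, rule_param_count]

def filter_sequence(reqs):
    """Forward requests passing every rule; drop and report the rest (which never advance state)."""
    st, forwarded, rejected = SeqState(), [], []
    for rq in reqs:
        reason = next((r for r in (rule(st, rq) for rule in RULES) if r), None)
        if reason:
            rejected.append((rq, reason))
            continue
        forwarded.append(rq)
        if rq.is_write and rq.port == CMD_PORT:
            st = SeqState(cmd=rq.value)     # new command starts
        elif rq.is_write and rq.port == DATA_PORT:
            st.params_seen += 1
        elif not rq.is_write and rq.port == STATUS_PORT:
            st = SeqState()                 # status read completes the command
    return forwarded, rejected
```

Because a rejected request is dropped before it reaches the emulator and does not advance the tracked state, a guest that floods parameter bytes is cut off at the command's declared count without the filter needing to know how the emulator stores them.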
Nioh-PT: Virtual I/O Filtering for Agile Protection against Vulnerability Windows