research-article

Nioh-PT: Virtual I/O Filtering for Agile Protection against Vulnerability Windows

Authors:
Mana Senuki

Dept. of Information and Computer Science, Keio University, Yokohama, Japan

Dept. of Information and Computer Science, Keio University, Yokohama, Japan

https://orcid.org/0000-0003-4876-6585
View Profile

,
Kenta Ishiguro

Hosei University, Tokyo, Japan

Hosei University, Tokyo, Japan

https://orcid.org/0000-0003-0302-1600
View Profile

,
Kenji Kono

Dept. of Information and Computer Science, Keio University, Yokohama, Japan

Dept. of Information and Computer Science, Keio University, Yokohama, Japan

https://orcid.org/0000-0002-8650-9822
View Profile

SAC '23: Proceedings of the 38th ACM/SIGAPP Symposium on Applied ComputingMarch 2023Pages 1293–1300https://doi.org/10.1145/3555776.3577687

Published:07 June 2023Publication History

SAC '23: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing

Pages 1293–1300

ABSTRACT

Hypervisor vulnerabilities cause severe security issues in multi-tenant cloud environments because hypervisors guarantee isolation among virtual machines (VMs). Unfortunately, hypervisor vulnerabilities are continuously reported, and device emulation in hypervisors is one of the hotbeds because of its complexity. Although applying patches to fix the vulnerabilities is a common way to protect hypervisors, it takes time to develop the patches because the internal knowledge on hypervisors is mandatory. The hypervisors are exposed to the threat of the vulnerabilities exploitation until the patches are released.

This paper proposes Nioh-PT, a framework for filtering illegal I/O requests, which reduces the vulnerability windows of the device emulation. The key insight of Nioh-PT is that malicious I/O requests contain illegal I/O sequences, a series of I/O requests that are not issued during normal I/O operations. Nioh-PT filters out those illegal I/O sequences and protects device emulators against the exploitation. The filtering rules, which define illegal I/O sequences for virtual device exploits, can be specified without the knowledge on the internal implementation of hypervisors and virtual devices, because Nioh-PT is decoupled from hypervisors and the device emulators. We develop 11 filtering rules against four real-world vulnerabilities in device emulation, including CVE-2015-3456 (VENOM) and CVE-2016-7909. We demonstrate that Nioh-PT with these filtering rules protects against the virtual device exploits and introduces negligible overhead by up to 8% for filesystem and storage benchmarks.

References

2020. Filebench. https://github.com/filebench/filebenchGoogle Scholar
2022. Crate predicates. https://docs.rs/predicates/latest/predicates/Google Scholar
2022. git://git.qemu.org/qemu.git. https://git.qemu.org/?p=qemu.gitGoogle Scholar
Alexandru Agache, Marc Brooker, Alexandra Iordache, Anthony Liguori, Rolf Neugebauer, Phil Piwonka, and Diana-Maria Popa. 2020. Firecracker: Lightweight virtualization for serverless applications. In 17th USENIX symposium on networked systems design and implementation (NSDI 20). USENIX Association, 419--434.Google Scholar
AMD. 2021. AMD64 Architecture Programmer's Manual Volume 2: System Programming. https://www.amd.com/system/files/TechDocs/24593.pdfGoogle Scholar
Nadav Amit, Dan Tsafrir, Assaf Schuster, Ahmad Ayoub, and Eran Shlomo. 2015. Virtual CPU Validation. In Proceedings of the 25th Symposium on Operating Systems Principles (SOSP '15). ACM, 311--327.Google ScholarDigital Library
Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. 2003. Xen and the art of virtualization. In Proceedings of the nineteenth ACM symposium on Operating systems principles (SOSP '03). ACM, 164--177.Google ScholarDigital Library
Fabrice Bellard. 2005. QEMU, a Fast and Portable Dynamic Translator. In 2005 USENIX Annual Technical Conference (USENIX ATC 05). USENIX Association.Google Scholar
CrowdStrike. 2015. VENOM Vulnerability Details. https://www.crowdstrike.com/blog/venom-vulnerability-details/Google Scholar
Liang Deng, Peng Liu, Jun Xu, Ping Chen, and Qingkai Zeng. 2017. Dancing with Wolves: Towards Practical Event-Driven VMM Monitoring. In Proceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE '17). ACM, 83--96.Google ScholarDigital Library
Pedro Fonseca, Xi Wang, and Arvind Krishnamurthy. 2018. MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors. In Proceedings of the Thirteenth EuroSys Conference (EuroSys '18). ACM, Article 23.Google ScholarDigital Library
Google. 2022. crosvm - The Chrome OS Virtual Machine Monitor. https://chromium.googlesource.com/chromiumos/platform/crosvm/Google Scholar
Red Hat. 2022. Red Hat Bugzilla - Main Page. https://bugzilla.redhat.com/Google Scholar
Andrew Henderson, Heng Yin, Guang Jin, Hao Han, and Hongmei Deng. 2017. VDF: Targeted Evolutionary Fuzz Testing of Virtual Devices. In International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, 3--25.Google Scholar
Intel. [n. d.]. Intel Virtualization Technology (Intel VT). https://www.intel.com/content/www/us/en/virtualization/virtualization-technology/intel-virtualization-technology.htmlGoogle Scholar
Avi Kivity, Yaniv Kamay, Dor Laor, Uri Lublin, and Anthony Liguori. 2007. KVM: the Linux Virtual Machine Monitor. In In Proceedings of the 2007 Ottawa Linux Symposium (OLS'07).Google Scholar
Shih-Wei Li, John S. Koh, and Jason Nieh. 2019. Protecting Cloud Virtual Machines from Hypervisor and Host Operating System Exploits. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, 1357--1374.Google Scholar
Zeyu Mi, Dingji Li, Haibo Chen, Binyu Zang, and Haibing Guan. 2020. (Mostly) Exitless VM protection from untrusted hypervisor through disaggregated nested virtualization. In Proceedings of the 29th USENIX Conference on Security Symposium. USENIX Association, 1695--1712.Google Scholar
National Institute of Standards and Technology. 2020. CVE-2016-7909. https://nvd.nist.gov/vuln/detail/CVE-2016-7909Google Scholar
National Institute of Standards and Technology. 2020. CVE-2020-13361. https://nvd.nist.gov/vuln/detail/CVE-2020-13361Google Scholar
National Institute of Standards and Technology. 2021. CVE-2015-3456. https://nvd.nist.gov/vuln/detail/CVE-2015-3456Google Scholar
National Institute of Standards and Technology. 2021. CVE-2015-5279. https://nvd.nist.gov/vuln/detail/CVE-2015-5279Google Scholar
National Institute of Standards and Technology. 2021. CVE-2020-15863. https://nvd.nist.gov/vuln/detail/CVE-2020-15863Google Scholar
National Institute of Standards and Technology. 2022. CVE-2020-13800. https://nvd.nist.gov/vuln/detail/CVE-2020-13800Google Scholar
Tu Dinh Ngoc, Boris Teabe, Alain Tchana, Gilles Muller, and Daniel Hagimont. 2021. Mitigating vulnerability windows with hypervisor transplant. In Proceedings of the Sixteenth European Conference on Computer Systems (EuroSys '21). ACM, 162--177.Google ScholarDigital Library
Anh Nguyen, Himanshu Raj, Shravan Rayanchu, Stefan Saroiu, and Alec Wolman. 2012. Delusional boot: securing hypervisors without massive re-engineering. In Proceedings of the 7th ACM european conference on Computer Systems (EuroSys '12). ACM, 141--154.Google ScholarDigital Library
Junya Ogasawara and Kenji Kono. 2017. Nioh: Hardening The Hypervisor by Filtering Illegal I/O Requests to Virtual Devices. In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017). ACM, 542--552.Google ScholarDigital Library
ORACLE. 2022. Oracle VM VirutalBox. https://www.virtualbox.orgGoogle Scholar
Tavis Ormandy. 2007. An empirical study into the security exposure to hosts of hostile virtualized environments (CanSecWest '07).Google Scholar
Gaoning Pan, Xingwei Lin, Xuhong Zhang, Yongkang Jia, Shouling Ji, Chunming Wu, Xinlei Ying, Jiashui Wang, and Yanjun Wu. 2021. V-Shuttle: Scalable and Semantics-Aware Hypervisor Virtual Device Fuzzing. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS '21). ACM, 2197--2213.Google ScholarDigital Library
Rust Team. 2022. Rust. https://www.rust-lang.org/Google Scholar
Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner, and Thorsten Holz. 2021. Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 2597--2614.Google Scholar
Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner, and Thorsten Holz. 2020. HYPER-CUBE: High-Dimensional Hypervisor Fuzzing. In 27th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society.Google Scholar
Lei Shi, Yuming Wu, Yubin Xia, Nathan Dautenhahn, Haibo Chen, Binyu Zang, and Jinming Li. 2017. Deconstructing Xen. In 24th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society.Google Scholar
Udo Steinberg and Bernhard Kauer. 2010. NOVA: A Microhypervisor-Based Secure Virtualization Architecture. In Proceedings of the 5th European Conference on Computer Systems (EuroSys '10). ACM, 209--222.Google ScholarDigital Library
Jakub Szefer, Eric Keller, Ruby B. Lee, and Jennifer Rexford. 2011. Eliminating the Hypervisor Attack Surface for a More Secure Cloud. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11). ACM, 401--412.Google ScholarDigital Library
Zhi Wang, Chiachih Wu, Michael Grace, and Xuxian Jiang. 2012. Isolating Commodity Hosted Hypervisors with HyperLock. In Proceedings of the 7th ACM European Conference on Computer Systems (EuroSys '12). ACM, 127--140.Google ScholarDigital Library
Chiachih Wu, Zhi Wang, and Xuxian Jiang. 2013. Taming Hosted Hypervisors with (Mostly) Deprivileged Execution. In 20th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society.Google Scholar
Fengzhe Zhang, Jin Chen, Haibo Chen, and Binyu Zang. 2011. CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles (SOSP '11). ACM, 203--216.Google ScholarDigital Library

Index Terms

Nioh-PT: Virtual I/O Filtering for Agile Protection against Vulnerability Windows
1. Security and privacy
  1. Systems security
    1. Operating systems security
      1. Virtualization and security

Recommendations

Nioh: Hardening The Hypervisor by Filtering Illegal I/O Requests to Virtual Devices
ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications Conference

Vulnerabilities in hypervisors are crucial in multi-tenant clouds since they can undermine the security of all virtual machines (VMs) consolidated on a vulnerable hypervisor. Unfortunately, 107 vulnerabilitiesin KVM+QEMU and 38 vulnerabilities in Xen ...
Read More
Architectural support for hypervisor-secure virtualization
ASPLOS '12

Virtualization has become a standard part of many computer systems. A key part of virtualization is the all-powerful hypervisor which manages the physical platform and can access all of its resources, including memory assigned to the guest virtual ...
Read More
A memory-deduplication side-channel attack to detect applications in co-resident virtual machines
SAC '18: Proceedings of the 33rd Annual ACM Symposium on Applied Computing

Virtualization offers the possibility of hosting services of multiple customers on shared hardware. When more than one Virtual Machine (VM) run on the same host, memory deduplication can save physical memory by merging identical pages of the VMs. ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SAC '23: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing
March 2023
1932 pages
ISBN:9781450395175
DOI:10.1145/3555776
Conference Chairs:
Jiman Hong
Soongsil University, South Korea
,
Maart Lanperne
Tallinn University, Estonia
,
Program Chairs:
Juw Won Park
University of Louisville, USA
,
Tomas Cerny
Baylor University, USA
,
Publication Chair:
Hossain Shahriar
Kennesaw State University, USA
Copyright © 2023 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 7 June 2023
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
security
virtualization
virtual device
cloud computing
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate1,650of6,669submissions,25%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 59
  Total Downloads
- Downloads (Last 12 months)59
- Downloads (Last 6 weeks)10
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Nioh-PT: Virtual I/O Filtering for Agile Protection against Vulnerability Windows

SAC '23: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

Nioh: Hardening The Hypervisor by Filtering Illegal I/O Requests to Virtual Devices

Architectural support for hypervisor-secure virtualization

A memory-deduplication side-channel attack to detect applications in co-resident virtual machines