DOI: 10.1145/1294261.1294294 (SOSP conference proceedings)

SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes

Published: 14 October 2007

ABSTRACT

We propose SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels. In particular, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime. This protects the kernel against code injection attacks, such as kernel rootkits. SecVisor can achieve this property even against an attacker who controls everything but the CPU, the memory controller, and system memory chips. Further, SecVisor can even defend against attackers with knowledge of zero-day kernel exploits.

Our goal is to make SecVisor amenable to formal verification and manual audit, thereby making it possible to rule out known classes of vulnerabilities. To this end, SecVisor offers a small code size and a small external interface. We rely on memory virtualization to build SecVisor and implement two versions, one using software memory virtualization and the other using CPU-supported memory virtualization. The code sizes of the runtime portions of these versions are 1739 and 1112 lines, respectively. The size of the external interface for both versions of SecVisor is 2 hypercalls. It is easy to port OS kernels to SecVisor. We port the Linux kernel version 2.6.20 by adding 12 lines and deleting 81 lines, out of a total of approximately 4.3 million lines of code in the kernel.
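To make the abstract's guarantee concrete, the following added example (not the paper's code) models the policy as a defender would state it: a page may execute in kernel mode only if its contents match a user-approved hash, approved code pages are never writable, and kernel code never executes in user mode. The hash form of the approval list, the SHA-1 choice, and the hypercall names `hypercall_register`/`hypercall_unregister` are assumptions made for illustration; the abstract only states that the interface is two hypercalls.

```python
import hashlib

KERNEL, USER = "kernel", "user"


class SecVisorModel:
    """Toy model of which pages a SecVisor-like hypervisor would let the
    kernel execute. Approval = whitelist of page hashes (assumption)."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)  # user-approved code hashes
        self.code = {}   # pfn -> bytes of registered kernel code (read-only)
        self.data = {}   # pfn -> bytes of ordinary writable memory

    def hypercall_register(self, pfn, image):
        """Hypercall 1 (name assumed): admit a page as kernel code only if
        its contents hash to an approved value."""
        if hashlib.sha1(image).hexdigest() not in self.approved:
            return False
        self.data.pop(pfn, None)
        self.code[pfn] = bytes(image)
        return True

    def hypercall_unregister(self, pfn):
        """Hypercall 2 (name assumed): page leaves the code set, e.g. on
        module unload, and becomes ordinary writable memory again."""
        image = self.code.pop(pfn, None)
        if image is None:
            return False
        self.data[pfn] = image
        return True

    def write(self, pfn, image):
        """Writes to approved code pages are refused (W xor X)."""
        if pfn in self.code:
            return False
        self.data[pfn] = bytes(image)
        return True

    def execute(self, pfn, mode):
        """Kernel mode runs only approved code; user mode never runs it."""
        return pfn in self.code if mode == KERNEL else pfn in self.data


def scenario():
    """Constructed check: approved kernel text versus bytes injected into
    a writable page, as a rootkit would attempt."""
    kernel_text = b"constructed stand-in for an approved kernel text page"
    sv = SecVisorModel({hashlib.sha1(kernel_text).hexdigest()})
    sv.hypercall_register(0x100, kernel_text)
    sv.write(0x200, b"constructed injected bytes")
    return {
        "approved_runs": sv.execute(0x100, KERNEL),
        "injected_runs": sv.execute(0x200, KERNEL),
        "code_writable": sv.write(0x100, b"overwrite attempt"),
        "kernel_code_in_user": sv.execute(0x100, USER),
    }
```

Only the registered page executes in kernel mode; the injected page, the overwrite of approved code, and user-mode execution of kernel code are all refused.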
