ABSTRACT
We propose SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels. In particular, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime. This protects the kernel against code injection attacks, such as kernel rootkits. SecVisor can achieve this property even against an attacker who controls everything but the CPU, the memory controller, and system memory chips. Further, SecVisor can even defend against attackers with knowledge of zero-day kernel exploits.
Our goal is to make SecVisor amenable to formal verification and manual audit, thereby making it possible to rule out known classes of vulnerabilities. To this end, SecVisor has a small code size and a small external interface. We rely on memory virtualization to build SecVisor and implement two versions, one using software memory virtualization and the other using CPU-supported memory virtualization. The runtime portions of these versions are 1739 and 1112 lines of code, respectively. The external interface of both versions consists of 2 hypercalls. Porting OS kernels to SecVisor is easy: we port Linux kernel version 2.6.20 by adding 12 lines and deleting 81 lines, out of a total of approximately 4.3 million lines of code in the kernel.