DOI: 10.1145/3313808.3313809

Secure guest virtual machine support in apparition

Published: 14 April 2019

Abstract

Recent research utilizing Secure Virtual Architecture (SVA) has demonstrated that compiler-based virtual machines can protect applications from side-channel attacks launched by compromised operating system kernels. However, SVA provides no instructions for using hardware virtualization features such as Intel’s Virtual Machine Extensions (VMX) and AMD’s Secure Virtual Machine (SVM). Consequently, operating systems running on top of SVA cannot run guest operating systems using features such as Linux’s Kernel Virtual Machine (KVM) and FreeBSD’s bhyve.
This paper presents a set of new SVA instructions that allow an operating system kernel to configure and use the Intel VMX hardware features. Additionally, we use these new instructions to create Shade. Shade extends Apparition (an SVA-based system) to ensure that a compromised host operating system cannot use the new VMX virtual instructions to attack host applications (either directly or via page-fault and last-level-cache side-channel attacks).

Published In

VEE 2019: Proceedings of the 15th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
April 2019
206 pages
ISBN:9781450360203
DOI:10.1145/3313808
  • General Chair: Jennifer Sartor
  • Program Chairs: Mayur Naik, Chris Rossbach

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. compiler-based virtual machines
  2. hypervisor security
  3. hypervisors
  4. secure computer architectures
  5. side channels
  6. trusted execution environments
  7. untrusted hypervisor

Qualifiers

  • Research-article

Conference

VEE '19

Acceptance Rates

Overall Acceptance Rate 80 of 235 submissions, 34%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 573
  • Downloads (Last 12 months): 144
  • Downloads (Last 6 weeks): 26

Reflects downloads up to 01 Jan 2025
