secure in-vm monitoring using hardware virtualization
DESCRIPTION
Author: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi Reportor: Chun-Chih Wu Advisor: Hsing-Kuo Pao Select: CCS09’. Secure In-VM Monitoring Using Hardware Virtualization. Outline. Introduction Secure In-VM Monitoring Implementation Experimental Evaluation Conclusion. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
Author: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi
Reportor: Chun-Chih Wu
Advisor: Hsing-Kuo Pao
Select: CCS09’
Outline
Introduction Secure In-VM Monitoring Implementation Experimental Evaluation Conclusion
Introduction
Malicious programs compromise the kernel of an operating system.
Many security approaches require the ability to monitor frequently executing events.
Secure In-VM Monitoring (SIM), a general-purpose framework based on hardware virtualization features.
contributions:hardware virtualization and memory
protection features.implemented a prototype of the SIM
framework based on KVM and Windows guest OS.
systematic security analysis of SIM against a number of possible threats, and show that SIM provides no less security guarantees than what can be achieved by out-of-VM monitors.
In-VM monitoring
H HandlerCM Monitor codeDM Monitor dataR Response
A Adversary programDP Program data
CP Program codeK HookDK Hook data
Out-of-VM monitoring
H HandlerCM Monitor codeDM Monitor dataR Response
A Adversary programDP Program data
CP Program codeK HookDK Hook data
performance requirements(P1) Fast invocation:
○ not involve any privilege level changes.
(P2) Data read/write at native speed:○ without any hypervisor intervention
security requirements:(S1) Isolation of the monitor’s code (CM)
and data (DM)(S2) Designated point for switching into CM(S3) A handler (hi) is called if and only if the
corresponding hook (ki) executes(S4) The behavior of Monitor is not
maliciously alterable
Secure In-VM Monitoring
The SIM address space
SIM Data/Code The monitor itself Visible only within SIM address
space
Invocation checker Verifies call chain is legit Visible only in SIM space
Entry/exit gates Visible in both Writable only in SIM space Tiny, well crafted
Kernel code/data Not executable in SIM space
(can't accidentally run insecure code)10
Entry/exit gates Entry:
Disable interrupts (Untrusted VM)Save CPU state to the stackSwitch address spaceRe-disable interrupts (SIM VM)Switch stack to a SIM-restricted oneRun invocation checker
Exit:Restore stack, page table, CPU stateRe-enable interruptsJump to return point
security requirements1. Isolation of the monitor’s code and data
hypervisor to not allow the monitor code and data to be mappable to any untrusted address space in the guest VM.
2. Designated point for switching into CM : only method to enter the trusted address space from the
untrusted one is via the entry gates.3. A handler is called if and only if the corresponding hook
executes each hook invokes a corresponding entry gate, which eventually
calls a corresponding handler, and each invoker of the entry gate is checked by the invocation checking routine
The behavior of Monitor is not maliciously alterable: not allow any code from the untrusted domain to be executable
in the trusted address space, not allow the monitor to call into the untrusted kernel
Implementation Host: Linux distribution guest OS : Windows XP SP2
Initialization1. reserve virtual address ranges in the system
address space for use in entry and exit gate creation
2. creation of the SIM virtual address space by the hypervisor component
3. loading a security monitor application into the SIM address space
4. relevant routines to perform switching into the SIM address space
Experimental EvaluationMonitor type
Avg. time (μ sec)
Std. dev. (μ sec)
SIM approach 0.469 0.051
Out-of-VM approach
5.055 0.132
Monitor Invocation Overhead Comparison
Monitor typeAverage time
(μ sec)Relative
overhead (%)Traditional 3.487 ×Out-of-VM approach
28.039 690.50%
SIM approach 3.967 13.70%
Process creation monitor performance results
Benchmark BareOut-of-VM overhead
SIM overhead
Memory Latency 10.42 MAcc/s 84.58% 7.97%
HTML Render 1.12 pg/s 52.42% 5.83%
File Compress 3.4 MB/s 3.97% 0.59%
File Encrypt 20.56 MB/s 7.85% 0.89%
File Decrypt 78.21 MB/s 2.53% 0.45%
HDD 15.29 MB/s 41.68% 3.74%
Text Edit 82.73 pg/s 128.84% 9.64%
Average - 46.10% 4.15%
System call tracing macrobenchmarks
Conclusion a general-purpose SIM framework provides the same security guarantees of out-
of-VM monitoring low performance overhead of in-VM monitoring.
the SIM framework reduce monitoring overhead by 11 times if only monitor invocation time is considered.
SIM introduces an overhead of to 13.7% out-of-VM approach compared 690.5%.
SIM overall overhead below 10% out-of-VM approach overhead : 128%.