Secure In-VM Monitoring Using Hardware Virtualization


Authors: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi
Reporter: Chun-Chih Wu
Advisor: Hsing-Kuo Pao
Select: CCS '09

Outline
• Introduction
• Secure In-VM Monitoring
• Implementation
• Experimental Evaluation
• Conclusion

Introduction
• Malicious programs compromise the kernel of an operating system.
• Many security approaches require the ability to monitor frequently executing events.
• Secure In-VM Monitoring (SIM), a general-purpose framework based on hardware virtualization features.

Contributions:
• hardware virtualization and memory protection features.
• implemented a prototype of the SIM framework based on KVM and Windows guest OS.
• systematic security analysis of SIM against a number of possible threats, and show that SIM provides no less security guarantees than what can be achieved by out-of-VM monitors.

[Figure: In-VM monitoring]
[Figure: Out-of-VM monitoring]
Legend (both figures): A = Adversary program, DP = Program data, CP = Program code, K = Hook, DK = Hook data, H = Handler, CM = Monitor code, DM = Monitor data, R = Response

Performance requirements:
• (P1) Fast invocation:
  ○ not involve any privilege level changes.
• (P2) Data read/write at native speed:
  ○ without any hypervisor intervention

Security requirements:
• (S1) Isolation of the monitor's code (CM) and data (DM)
• (S2) Designated point for switching into CM
• (S3) A handler (h_i) is called if and only if the corresponding hook (k_i) executes
• (S4) The behavior of Monitor is not maliciously alterable

Secure In-VM Monitoring
The SIM address space
• SIM Data/Code
  ○ The monitor itself
  ○ Visible only within SIM address space
• Invocation checker
  ○ Verifies call chain is legit
  ○ Visible only in SIM space
• Entry/exit gates
  ○ Visible in both
  ○ Writable only in SIM space
  ○ Tiny, well crafted
• Kernel code/data
  ○ Not executable in SIM space (can't accidentally run insecure code)

Entry/exit gates
Entry:
• Disable interrupts (Untrusted VM)
• Save CPU state to the stack
• Switch address space
• Re-disable interrupts (SIM VM)
• Switch stack to a SIM-restricted one
• Run invocation checker
Exit:
• Restore stack, page table, CPU state
• Re-enable interrupts
• Jump to return point

Security requirements
1. Isolation of the monitor's code and data:
  ○ hypervisor to not allow the monitor code and data to be mappable to any untrusted address space in the guest VM.
2. Designated point for switching into CM:
  ○ only method to enter the trusted address space from the untrusted one is via the entry gates.
3. A handler is called if and only if the corresponding hook executes:
  ○ each hook invokes a corresponding entry gate, which eventually calls a corresponding handler, and each invoker of the entry gate is checked by the invocation checking routine
4. The behavior of Monitor is not maliciously alterable:
  ○ not allow any code from the untrusted domain to be executable in the trusted address space, not allow the monitor to call into the untrusted kernel
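
The page-permission rules from the SIM address space slide (monitor and invocation checker hidden from the untrusted space, gates shared but write-protected there, kernel pages non-executable inside SIM) written as an audit over a region table. This is an added example, not code from the paper or its KVM prototype; the struct, the flag names and both sample layouts are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
enum { P_R = 1, P_W = 2, P_X = 4 };            /* page permission bits */
enum kind { KERNEL, GATE, CHECKER, MONITOR };  /* region classes from the slide */
struct region {
    const char *name;
    enum kind kind;
    unsigned untrusted, sim;  /* permissions in the untrusted space / SIM space */
};
enum {                      /* one flag per broken rule (hypothetical names) */
    V_MONITOR_EXPOSED = 1,  /* monitor or checker mapped in untrusted space */
    V_GATE_WRITABLE   = 2,  /* gate writable from untrusted space */
    V_GATE_NOT_SHARED = 4,  /* gate not executable in both spaces */
    V_KERNEL_EXEC     = 8   /* kernel pages executable in SIM space */
};
/* Return the OR of every rule the layout breaks; 0 means it conforms. */
unsigned audit_layout(const struct region *r, size_t n) {
    unsigned v = 0;
    for (size_t i = 0; i < n; i++) {
        if ((r[i].kind == MONITOR || r[i].kind == CHECKER) && r[i].untrusted)
            v |= V_MONITOR_EXPOSED;
        if (r[i].kind == GATE && (r[i].untrusted & P_W))
            v |= V_GATE_WRITABLE;
        if (r[i].kind == GATE && !(r[i].untrusted & r[i].sim & P_X))
            v |= V_GATE_NOT_SHARED;
        if (r[i].kind == KERNEL && (r[i].sim & P_X))
            v |= V_KERNEL_EXEC;
    }
    return v;
}

/* Constructed sample layouts: one conforming, one with three mistakes. */
static const struct region good_layout[] = {
    {"kernel code",        KERNEL,  P_R | P_X,       P_R},
    {"kernel data",        KERNEL,  P_R | P_W,       P_R | P_W},
    {"entry/exit gates",   GATE,    P_R | P_X,       P_R | P_W | P_X},
    {"invocation checker", CHECKER, 0,               P_R | P_X},
    {"SIM code",           MONITOR, 0,               P_R | P_X},
    {"SIM data",           MONITOR, 0,               P_R | P_W},
};
static const struct region bad_layout[] = {
    {"kernel code",      KERNEL,  P_R | P_X,       P_R | P_X},  /* runs inside SIM */
    {"entry/exit gates", GATE,    P_R | P_W | P_X, P_R | P_X},  /* guest can patch */
    {"SIM data",         MONITOR, P_R,             P_R | P_W},  /* guest can read */
};
int main(void) {
    printf("good=%u bad=%u\n", audit_layout(good_layout, 6), audit_layout(bad_layout, 3));
    return 0;
}
```

Each flag corresponds to one line of the slide, so a non-zero result names the rule a proposed mapping breaks.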

Implementation
• Host: Linux distribution
• Guest OS: Windows XP SP2

Initialization
1. reserve virtual address ranges in the system address space for use in entry and exit gate creation
2. creation of the SIM virtual address space by the hypervisor component
3. loading a security monitor application into the SIM address space
4. relevant routines to perform switching into the SIM address space

Experimental Evaluation

Monitor type          Avg. time (μsec)   Std. dev. (μsec)
SIM approach          0.469              0.051
Out-of-VM approach    5.055              0.132
Table: Monitor Invocation Overhead Comparison

Monitor type          Average time (μsec)   Relative overhead (%)
Traditional           3.487                 ×
Out-of-VM approach    28.039                690.50%
SIM approach          3.967                 13.70%
Table: Process creation monitor performance results

Benchmark        Bare           Out-of-VM overhead   SIM overhead
Memory Latency   10.42 MAcc/s   84.58%               7.97%
HTML Render      1.12 pg/s      52.42%               5.83%
File Compress    3.4 MB/s       3.97%                0.59%
File Encrypt     20.56 MB/s     7.85%                0.89%
File Decrypt     78.21 MB/s     2.53%                0.45%
HDD              15.29 MB/s     41.68%               3.74%
Text Edit        82.73 pg/s     128.84%              9.64%
Average          -              46.10%               4.15%
Table: System call tracing macrobenchmarks

Conclusion
• A general-purpose SIM framework provides the same security guarantees as out-of-VM monitoring with the low performance overhead of in-VM monitoring.
• The SIM framework reduces monitoring overhead by 11 times if only monitor invocation time is considered.
• SIM introduces an overhead of 13.7%
  ○ out-of-VM approach, by comparison: 690.5%.
• SIM overall overhead is below 10%
  ○ out-of-VM approach overhead: 128%.