HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity
Hypersafe (Introducing in japanese by third party)

Introducing HyperSafe research paper in Japanese.

Slide 1. HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity
31st IEEE Symposium on Security and Privacy (2010). 2010-06-21, id:yuzuhara. (Slide footer date: 2010/6/22.)

Slide 2. Background
  • VMM
  • (VM escape attack)
  • hypervisor rootkit (Blue Pill etc.)

Slide 3. Approach: a secure hypervisor
  • [seL4, SOSP'09]
  • Microkernel
  • TPM & TXT measured launch

Slide 4. Objective
  • Control flow integrity

Slide 5. cf. Control Flow Integrity [Abadi et al., CCS'05]
  • SFI primitive
  • jmp/call src/dst
  • return-oriented programming

Slide 6. Goal and Assumptions
  • Goal
  • Threat model
    • inject, modify, return-to-libc
    • out-of-band attacks: malicious DMA
    • TPM, TXT

Slide 7. HyperSafe
  • Type-1 VMM
  • Two key techniques:
    • Non-bypassable memory lockdown
    • Restricted pointer indexing

Slide 8. Fig. 1: A break-down of hypervisor integrity guarantees and corresponding key techniques in HyperSafe
  lifetime hypervisor control-flow integrity
    • load-time integrity (e.g. tboot)
    • run-time integrity = control-flow integrity
      • hypervisor code integrity <- 1. non-bypassable memory lockdown
      • hypervisor control-data integrity <- 2. restricted pointer indexing (RPI)

Slide 9. 1. Non-Bypassable Memory Lockdown
  • code
  • control data
  • control data ... RPI Target Table

Slide 10. 1. Non-Bypassable Memory Lockdown (cont'd)
  • read-only
  • W^X (HW)
  • WP bit OFF
  • WP bit ON
  [Figure: writable page tables (traditional) vs. read-only page tables, compared for WP bit OFF / ON and benign / malicious writes]

Slide 11. 2. Restricted Pointer Indexing (RPI)
  • Control flow integrity
  • call/ret, jmp

Slide 12. 2. Restricted Pointer Indexing (cont'd)
  • control data
  • call/ret, jmp src/dst
  • static analysis: CFG (Call Flow Graph)
  • CFG -> Target Table
  [Figure: (a) Traditional indirect call: Call Site i does `call *%eax` to Callee j (func_j), which returns with `ret` via [esp] to return site Ri. (b) New indirect call: Call Site i reaches func_j through Target Table i, and the return from func_j goes through Target Table j back to Ri.]

Slide 13. 2. Restricted Pointer Indexing (cont'd)
  • CFG (control flow graph): pointer analysis
  • LLVM
  • BitVisor: gs
  • call/ret control flow -> RPI

Slide 14. Implementation
  • Non-bypassable memory lockdown: VMM
  • Restricted Pointer Indexing: LLVM
    • LLVM = low level virtual machine
  • BitVisor 2
  • Xen: memory lockdown

Slide 15. (title lost) Attacks and the technique that blocks each
  • WP bit OFF <- RPI
  • subvert page table <- RPI
  • Guest <- memory lockdown
  • Return-oriented programming <- memory lockdown, RPI

Slide 16. Related Work
  • seL4 [Klein et al., SOSP'09], WIT [Akritidis et al., IEEE S&P'08], KLEE [Cadar et al., OSDI'08]
  • OS or ...: SIM [Sharif et al., CCS'09], SecVisor [Seshadri et al., '07], SBCFI [Petroni et al., CCS'07]
  • Trusted Computing: TrustVisor [McCune et al., Oakland'10], Flicker [McCune et al., EuroSys'08], Pioneer [Seshadri et al., SOSP'05]

Slide 17. Summary
  • HyperSafe: control-flow integrity for a Type-1 hypervisor
  • (Fig. 1 from slide 8 repeated: lifetime hypervisor control-flow integrity = load-time integrity (e.g. tboot) + run-time integrity; run-time integrity = hypervisor code integrity via 1. non-bypassable memory lockdown + control-data integrity via 2. restricted pointer indexing)
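The call-site half of slide 12, modelled in C as an added example that is not from the slides, the HyperSafe paper or BitVisor: a traditional indirect call site dereferences any pointer it is handed, while the RPI form carries only a small index into a per-site target table built from the CFG, so a bounds check confines the transfer to the callees the CFG allows. The function names, the two-entry table and the INT_MIN sentinel are constructed for this example; the return side (Target Table j on slide 12) follows the same pattern and is not modelled here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of Restricted Pointer Indexing for one call site.
 * Traditional form: the site executes `call *%eax` with whatever pointer the
 * register holds, so corrupted control data can send it anywhere.
 * RPI form: the site holds an index into a per-site target table that static
 * analysis derived from the CFG; the index is checked against the table size. */

typedef int (*handler_t)(int);

#define RPI_VIOLATION INT_MIN   /* sentinel: transfer refused by the RPI check */

static int handle_add(int x) { return x + 1; }
static int handle_dbl(int x) { return x * 2; }
static int privileged_op(int x) { return -x; }  /* the CFG never lets site 1 reach this */

/* (a) Traditional indirect call: any address, including privileged_op, is callable. */
static int call_site1_traditional(handler_t fp, int arg)
{
    return fp(arg);
}

/* Target table for call site 1. In HyperSafe such tables live in memory that
 * non-bypassable memory lockdown keeps read-only, so entries cannot be rewritten. */
static handler_t const target_table_site1[] = { handle_add, handle_dbl };
#define SITE1_TARGETS (sizeof target_table_site1 / sizeof target_table_site1[0])

/* (b) RPI indirect call: `idx` is the only control datum at the site. Even if an
 * attacker overwrites it, the reachable set is bounded by the table. */
static int call_site1_rpi(uint32_t idx, int arg)
{
    if (idx >= SITE1_TARGETS)          /* corrupted or out-of-CFG index */
        return RPI_VIOLATION;
    return target_table_site1[idx](arg);
}

/* Whether a given function is reachable from site 1 at all under RPI. */
static int site1_can_reach(handler_t fn)
{
    for (size_t i = 0; i < SITE1_TARGETS; i++)
        if (target_table_site1[i] == fn)
            return 1;
    return 0;
}
```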
