Download as PDF, PPTX
![Approach a secure hypervisor
• [seL4, SOSP’09]
•
• Microkernel
•
• TPM&TXT measured launch
•
•
2010 6 22 3](https://image.slidesharecdn.com/hypersafeintro-100622085115-phpapp02/85/Hypersafe-Introducing-in-japanese-by-third-party-3-320.jpg)
![cf).Control Flow Integrity [Abadi et.al. , CCS’05]
•
• SFI primitive
• jmp call src/dst
• programming return-oriented
2010 6 22 5](https://image.slidesharecdn.com/hypersafeintro-100622085115-phpapp02/85/Hypersafe-Introducing-in-japanese-by-third-party-5-320.jpg)
![2.Restricted Pointer Indexing (cont’d)
• control data
• call/ret, jmp src/dst
• static analysis CFG(Call Flow Graph)
• CFG Target Table
Call Site i Call Site i Target Table i
eax Callee j eax Callee j
func_j func_j: func_j func_j:
call *%eax | call *%eax |
Ri: ... ... | Ri: ... ... Target Table j |
[esp] | [esp] |
Ri Ri
ret ret
(a) Traditional indirection call (b) New indirection call
2010 6 22 12](https://image.slidesharecdn.com/hypersafeintro-100622085115-phpapp02/85/Hypersafe-Introducing-in-japanese-by-third-party-12-320.jpg)
![Related Work
•
• seL4[Klein et al, SOSP’09],WIT[Akritidis et al, IEEE
S&P’08],KLEE[Cadar et al, OSDI’08]
• OS or
• SIM[Sharif et al, CCS’09] SecVisor[Seshadri,et al, ’07]SBCFI
[Petroni et al,CCS’07]
• Trusted Computing
• TrustVisor[McCune et al, Oakland’10], Flicker[McCune et
al,Eurosys’08],Pioneer[Seshadri et al, SOSP’05]
2010 6 22 16](https://image.slidesharecdn.com/hypersafeintro-100622085115-phpapp02/85/Hypersafe-Introducing-in-japanese-by-third-party-16-320.jpg)
Uploaded byYosuke CHUBACHI
Hypersafe (Introducing in japanese by third party)
This paper proposes HyperSafe, which provides lifetime control flow integrity for the hypervisor through two techniques: 1) non-bypassable memory lockdown of hypervisor code and control data, and 2) restricted pointer indexing to allow only valid control transfers. It implements these techniques in a type-1 hypervisor using LLVM for pointer analysis and enforcement with restricted pointer indexing. This aims to prevent attacks against the hypervisor, such as VM escapes or installation of a hypervisor rootkit.
![[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...](https://cdn.slidesharecdn.com/ss_thumbnails/cb16shinaen-161108081131-thumbnail.jpg?width=640&height=640&fit=bounds)
![Sebastián Guerrero - Ke ase Android? [Rooted CON 2013]](https://cdn.slidesharecdn.com/ss_thumbnails/sebastianguerrero-130407061021-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Hypersafe (Introducing in japanese by third party)
- 1. HyperSafe : ALight Apporoach to Provide Lifetime Hypervisor Control-Flow Integrity 31st IEEE Symposium on Security and Privacy (2010) 2010-06-21 id:yuzuhara 2010 6 22 1
- 2. Background • • VMM • • (VM escape attack) • hypervisor rootkit(blue pill etc..) 2010 6 22 2
- 3. Approach a securehypervisor • [seL4, SOSP’09] • • Microkernel • • TPM&TXT measured launch • • 2010 6 22 3
- 4. Objective • • Control flow integrity • 2010 6 22 4
- 5. cf).Control Flow Integrity[Abadi et.al. , CCS’05] • • SFI primitive • jmp call src/dst • programming return-oriented 2010 6 22 5
- 6. Goal and Assumptions • Goal • • • • Threat model • • inject, modify, return-to-libc • out-of-band attacks Malicious DMA • TPM,TXT 2010 6 22 6
- 7. HyperSafe • • Type1-VMM • •2 • Non-bypassable memory lockdown • Restricted pointer indexing 2010 6 22 7
- 8. lifetime hypervisor control-flow integrity load-time run-time integrity control-flow integrity e.g. tboot 1.non-bypassable memory lockdown hypervisor hypervisor code integrity control-data integrity 2.restricted pointer indexing (RPI) Fig.1 A break-down of hypervisor integrity guarantees and corresponding key techniques in HyperSage 2010 6 22 8
- 9. 1.Non-Bypassable Memory Lockdown • • code • control data • control data... RPI Target Table 2010 6 22 9
- 10. 1.Non-Bypassable Memory Lockdown(cont’d) • read-only • W^X HW • WPbit OFF • WPbit ON Writable page tables (Traditional) Read-only page tables WP WP Benign Benign OFF ON Malicious Malicious 2010 6 22 10
- 11. 2.Restricted Pointer Indexing(RPI) • Control flow integrity • call/ret jmp 2010 6 22 11
- 12. 2.Restricted Pointer Indexing(cont’d) • control data • call/ret, jmp src/dst • static analysis CFG(Call Flow Graph) • CFG Target Table Call Site i Call Site i Target Table i eax Callee j eax Callee j func_j func_j: func_j func_j: call *%eax | call *%eax | Ri: ... ... | Ri: ... ... Target Table j | [esp] | [esp] | Ri Ri ret ret (a) Traditional indirection call (b) New indirection call 2010 6 22 12
- 13. 2.Restricted Pointer Indexing(cont’d) • CFG(control flow graph) Pointer analysis • LLVM • • BitVisor gs • call/ret control flow RPI 2010 6 22 13
- 14. Implementation • Non-bypassable memory lockdown : VMM • Restrict Pointer Indexing : LLVM • LLVM = low level virtual machine • • BitVisor 2 • Xen memory lockdown 2010 6 22 14
- 15. • WP bit OFF • <-RPI • subvert page table • <-RPI • Guest <-memory lockdown • Return-oriented programming <- memory lockdown, RPI 2010 6 22 15
- 16. Related Work • • seL4[Klein et al, SOSP’09],WIT[Akritidis et al, IEEE S&P’08],KLEE[Cadar et al, OSDI’08] • OS or • SIM[Sharif et al, CCS’09] SecVisor[Seshadri,et al, ’07]SBCFI [Petroni et al,CCS’07] • Trusted Computing • TrustVisor[McCune et al, Oakland’10], Flicker[McCune et al,Eurosys’08],Pioneer[Seshadri et al, SOSP’05] 2010 6 22 16
- 17. Summary • HyperSafe integrity Type-1 Hypervisor control flow lifetime hypervisor control-flow integrity load-time run-time integrity control-flow integrity e.g. tboot 1.non-bypassable memory lockdown hypervisor hypervisor code integrity control-data integrity 2.restricted pointer indexing 2010 6 22 17