
XPDDS17: Hypervisor-Based Security: Bringing Virtualized Exceptions Into the Game - Mihai Dontu, Bitdefender

Thursday, July 13 • 11:55 - 12:25

http://sched.co/AjH7
With this presentation, Mihai Donțu will cover the current status of #VE support in Xen, how Bitdefender plans to use it to improve the performance of its Hypervisor Introspection (HVI) solution, and the changes Bitdefender is working on mainlining in the hope that they will find their way into all major Xen deployments. The aim is to make VMI an even more appealing security option for customers running workloads on supporting Intel hardware.


  1. HYPERVISOR-BASED SECURITY: BRINGING VIRTUALIZED EXCEPTIONS INTO THE GAME
     Mihai DONȚU, Technical Project Manager, Bitdefender Linux Development Team
     Xen Project Developer & Design Summit, July 11-13, 2017
  2. Outline (07/13/2017)
     • Quick recap of our VMI work
     • What are #VE
     • Performance improvement opportunities with #VE
     • Our use case
     • Current status in Xen
  3. Quick recap of our VMI work
     • 2014 – published the first patches to extend existing VMI capabilities
     • 2015 – announced the first product using Xen VMI
     • 2016 – published the first beta
     • 2017 – published the first ‘production-ready’ version of HVI (HyperVisor-based Introspection) based on Citrix XenServer 7.0 (Dundee)
  4. What are #VE
     • Presented by Intel at Xen Developer Summit, 2014
     • Part of the Intel Broadwell microarchitecture
     • Allow handling virtualization exceptions in guest mode
     • Have lower overhead because they do not require a VMEXIT
     • Currently only EPT-violations can be converted to #VE
     • Delivered to the guest through IDT vector 20 (reserved on pre-Broadwell hardware)
     • Require enabling in the VMCS and clearing bit #63 in the EPT paging entries of interest
     • The guest must set up the #VE information area (4K) and the handler for interrupt #20
  5. Performance improvement opportunities with #VE
     • Our VMI-based product relies heavily on EPT to audit important changes in the guest
     • Valid changes can trigger a large number of EPT-violations (e.g. updates to a process’ page tables – 1k/s)
     • Each EPT-violation is handled by a user space application running in a separate VM
     • The current code path is fast, adding up to a 20% performance penalty
     • It can be better; we aim for below 10%
     • #VE can be used to pre-validate EPT-violations, suppress ‘harmless’ page table updates (i.e. A/D bit sets), and convert violations of interest to VMCALLs
  6. Our use case
     • Insert a tiny agent into the guest
     • Clone the IDT and hook vector #20
     • Enable #VE and mark the EPT entries mapping OS page tables for #VE conversion
     • Handle all #VE in guest
     • Call the VMI application whenever an EPT-violation of interest occurs
  7. Current status in Xen
     • 2015 – #VE code landed in Xen 4.6
     • 2017 – we published a set of patches to extend altp2m and #VE configuration
     • 2018 – we aim to make it part of our commercial offering (HVI)
  8. Q & A
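The in-guest handling that slides 4 to 6 describe (EPT entries marked by clearing bit 63, a 4K #VE information area, a handler on vector 20 that absorbs harmless A/D-bit updates and forwards the rest) can be modelled in ordinary user-space C. The block below is an added example, not code from the slides or from Bitdefender's HVI agent. It assumes the #VE information area layout and EPT-violation exit-qualification bits documented in the Intel SDM (exit reason at offset 0, the 0xFFFFFFFF "busy" word at offset 4, exit qualification at 8, guest linear address at 16, guest physical address at 24, EPTP index at 32; qualification bit 1 = write, bit 7 = linear address valid, bit 8 = access to the translated address rather than to a paging-structure entry). The VMCALL to the VMI application is replaced by a counter, the EPT entries are plain 64-bit values, and the sample records are constructed.

```c
/* Added example: a model of an in-guest #VE handler's decision logic.
 * Not the slides' or Bitdefender's code; layout and bit positions follow
 * the Intel SDM, the VMCALL is simulated by a counter. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VE_VECTOR                  20           /* IDT vector that delivers #VE */
#define EXIT_REASON_EPT_VIOLATION  48           /* the only reason convertible to #VE */
#define VE_BUSY                    0xFFFFFFFFu  /* CPU writes this to bytes 4-7 on delivery */
#define EPT_SUPPRESS_VE            (1ULL << 63) /* bit 63 set: VM exit; clear: #VE */

/* Exit-qualification bits for EPT violations (Intel SDM). */
#define EPTQ_WRITE                 (1ULL << 1)  /* the access was a data write */
#define EPTQ_GLA_VALID             (1ULL << 7)  /* guest linear address field valid */
#define EPTQ_FINAL_TRANSLATION     (1ULL << 8)  /* 1: access to the translated address;
                                                   0: access to a paging-structure entry */

/* The 4K #VE information area, as the processor writes it. */
struct ve_info {
    uint32_t exit_reason;
    uint32_t busy;         /* 0xFFFFFFFF while a #VE is outstanding; handler clears it */
    uint64_t exit_qual;
    uint64_t gla;
    uint64_t gpa;
    uint16_t eptp_index;
    uint8_t  reserved[4096 - 34];
};

enum ve_action { VE_NOT_OURS, VE_SUPPRESSED, VE_ESCALATED };

/* Stand-in for the VMCALLs the real agent would issue to the VMI application. */
static unsigned vmcalls_issued;

/* Mark an EPT entry for #VE conversion by clearing bit 63 (slide 4). */
uint64_t ept_entry_enable_ve(uint64_t entry)  { return entry & ~EPT_SUPPRESS_VE; }

/* Restore VM-exit delivery for an EPT entry by setting bit 63. */
uint64_t ept_entry_disable_ve(uint64_t entry) { return entry | EPT_SUPPRESS_VE; }

/* Constructed #VE record for demos and tests. */
struct ve_info make_ve_info(uint32_t reason, uint64_t qual, uint64_t gpa)
{
    struct ve_info info;
    memset(&info, 0, sizeof info);
    info.exit_reason = reason;
    info.busy = VE_BUSY;        /* as left by the processor on delivery */
    info.exit_qual = qual;
    info.gpa = gpa;
    return info;
}

/* Decision logic of the handler hooked on vector 20. A write that hits a
 * paging-structure entry during a page walk (bit 8 clear) is the CPU setting
 * accessed/dirty bits, which the slides treat as harmless, so it is absorbed
 * in the guest. A write by guest code to a page-table page (bit 8 set) is the
 * kind of change the VMI application wants to audit, so it is escalated. */
enum ve_action handle_ve(struct ve_info *info)
{
    enum ve_action action;

    if (info->exit_reason != EXIT_REASON_EPT_VIOLATION) {
        action = VE_NOT_OURS;
    } else if ((info->exit_qual & EPTQ_WRITE) &&
               (info->exit_qual & EPTQ_GLA_VALID) &&
               !(info->exit_qual & EPTQ_FINAL_TRANSLATION)) {
        action = VE_SUPPRESSED;         /* A/D bit update by the page walker */
    } else {
        vmcalls_issued++;               /* would be a VMCALL to the VMI app */
        action = VE_ESCALATED;
    }

    /* Until the busy word is cleared the CPU delivers the next EPT violation
     * as a VM exit instead of a #VE, losing the performance gain. */
    info->busy = 0;
    return action;
}

/* Runs three constructed records; returns how many were escalated. */
unsigned demo_classify(void)
{
    unsigned before = vmcalls_issued;
    struct ve_info ad  = make_ve_info(EXIT_REASON_EPT_VIOLATION,
                                      EPTQ_WRITE | EPTQ_GLA_VALID, 0x1234000);
    struct ve_info pte = make_ve_info(EXIT_REASON_EPT_VIOLATION,
                                      EPTQ_WRITE | EPTQ_GLA_VALID | EPTQ_FINAL_TRANSLATION,
                                      0x1234008);
    struct ve_info other = make_ve_info(0, 0, 0);

    printf("A/D update  -> %d\n", handle_ve(&ad));     /* VE_SUPPRESSED */
    printf("PTE write   -> %d\n", handle_ve(&pte));    /* VE_ESCALATED */
    printf("non-EPT     -> %d\n", handle_ve(&other));  /* VE_NOT_OURS */
    return vmcalls_issued - before;
}

int main(void)
{
    printf("escalated: %u (vector %d)\n", demo_classify(), VE_VECTOR);
    return 0;
}
```

The only field the handler writes back is the busy word; the real agent would also have to run on a cloned IDT and keep its information area and handler pages out of the monitored EPT entries, which the slides mention but this model does not attempt.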
