
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes

Published: 14 October 2007

Abstract

We propose SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels. In particular, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime. This protects the kernel against code injection attacks, such as kernel rootkits. SecVisor can achieve this property even against an attacker who controls everything but the CPU, the memory controller, and the system memory chips. Further, SecVisor can even defend against attackers with knowledge of zero-day kernel exploits.
Our goal is to make SecVisor amenable to formal verification and manual audit, thereby making it possible to rule out known classes of vulnerabilities. To this end, SecVisor offers a small code size and a small external interface. We rely on memory virtualization to build SecVisor and implement two versions, one using software memory virtualization and the other using CPU-supported memory virtualization. The code sizes of the runtime portions of these versions are 1739 and 1112 lines, respectively. The size of the external interface for both versions of SecVisor is 2 hypercalls. It is easy to port OS kernels to SecVisor. We port the Linux kernel version 2.6.20 by adding 12 lines and deleting 81 lines, out of a total of approximately 4.3 million lines of code in the kernel.
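The guarantee stated in the abstract, that only user-approved code ever runs in kernel mode and that this code cannot be modified once admitted, can be modelled as a hypervisor-owned permission map whose bits depend on the CPU mode. The block below is an added example written for this page, not SecVisor's code: it simulates such a map over a toy machine of eight 16-byte pages, admits a page as kernel code only when the hash of its contents is on a user-supplied whitelist, and checks that code planted in a writable page by an attacker who already runs in kernel mode can be neither executed nor admitted. The hypercall names (hv_admit_code, hv_revoke_code), the use of FNV-1a as a stand-in for a cryptographic hash, the page geometry and the sample page contents are all assumptions of the example and are not taken from the paper.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the policy the abstract describes: the hypervisor owns the
 * page permissions; in kernel mode only pages whose contents match a
 * user-approved hash are executable, and those pages are writable in no
 * mode.  Illustration written for this page, not SecVisor's source.
 * Page count, page size and hypercall names are assumptions. */
#define NPAGES    8
#define PAGE_SIZE 16

enum mode { USER_MODE, KERNEL_MODE };
enum perm { P_R = 1, P_W = 2, P_X = 4 };

struct machine {
    uint8_t   mem[NPAGES][PAGE_SIZE];
    uint64_t  approved[NPAGES];      /* user-supplied whitelist of code hashes */
    size_t    napproved;
    bool      kcode[NPAGES];         /* pages currently admitted as kernel code */
    enum mode mode;
};

/* FNV-1a stands in for the cryptographic hash a real system would use. */
static uint64_t page_hash(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Permissions the hypervisor grants page pg in the current CPU mode. */
static unsigned perms(const struct machine *m, int pg) {
    if (m->kcode[pg])
        return m->mode == KERNEL_MODE ? (P_R | P_X) : P_R;   /* never writable */
    return m->mode == KERNEL_MODE ? (P_R | P_W) : (P_R | P_W | P_X);
}

/* Hypothetical hypercall: admit page pg as kernel code.  The page is hashed
 * and admitted only if the hash is on the approved list; from then on it is
 * executable in kernel mode and writable in no mode. */
int hv_admit_code(struct machine *m, int pg) {
    if (pg < 0 || pg >= NPAGES) return -1;
    uint64_t h = page_hash(m->mem[pg], PAGE_SIZE);
    for (size_t i = 0; i < m->napproved; i++)
        if (m->approved[i] == h) { m->kcode[pg] = true; return 0; }
    return -1;
}

/* Hypothetical hypercall: drop page pg from the kernel code set. */
int hv_revoke_code(struct machine *m, int pg) {
    if (pg < 0 || pg >= NPAGES) return -1;
    m->kcode[pg] = false;
    return 0;
}

/* Guest memory accesses, mediated by the permission map. */
int mm_write(struct machine *m, int pg, int off, uint8_t v) {
    if (!(perms(m, pg) & P_W)) return -1;   /* would trap to the hypervisor */
    m->mem[pg][off] = v;
    return 0;
}
int mm_exec(const struct machine *m, int pg) {
    return (perms(m, pg) & P_X) ? 0 : -1;
}

/* Scenario: approved kernel text in page 0, attacker-controlled data in page 1.
 * Returns 0 if every policy check held, otherwise the number of the failing step. */
int demo_rootkit_blocked(void) {
    struct machine m;
    memset(&m, 0, sizeof m);
    memcpy(m.mem[0], "ok-kernel-text..", PAGE_SIZE);          /* constructed content */
    m.approved[m.napproved++] = page_hash(m.mem[0], PAGE_SIZE);
    m.mode = KERNEL_MODE;

    if (hv_admit_code(&m, 0) != 0)     return 1;   /* approved text is admitted */
    if (mm_exec(&m, 0) != 0)           return 2;   /* and executable in kernel mode */
    if (mm_write(&m, 0, 0, 0x90) == 0) return 3;   /* but cannot be patched */

    /* Attacker in kernel mode plants code in a data page and tries to run it. */
    for (int i = 0; i < PAGE_SIZE; i++)
        if (mm_write(&m, 1, i, 0xcc) != 0) return 4; /* writing data is allowed */
    if (mm_exec(&m, 1) == 0)           return 5;   /* executing it is not */
    if (hv_admit_code(&m, 1) == 0)     return 6;   /* nor can it be admitted */

    m.mode = USER_MODE;
    if (mm_exec(&m, 0) == 0)           return 7;   /* kernel text not runnable from user mode */
    return 0;
}

int main(void) {
    int rc = demo_rootkit_blocked();
    printf("%s (code %d)\n", rc == 0 ? "policy held" : "policy violated", rc);
    return rc;
}
```

Build with `cc -std=c99 -o secvisor_model secvisor_model.c && ./secvisor_model`; a zero exit code means every check held. The model enforces code integrity only, which is also all the abstract claims: an attacker who reuses already-approved kernel code or corrupts kernel data without injecting any code is not stopped by it, and a real hypervisor must additionally keep its own permission map out of reach of peripherals, since the threat model in the abstract gives the attacker every device except the CPU, memory controller and memory chips.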

Supplementary Material

Slides from the presentation
ZIP File (p335-slides.zip)
Supplemental material for SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Audio only (1294294.mp3)
Video (1294294.mp4)




    Published In

    SOSP '07: Proceedings of the twenty-first ACM SIGOPS Symposium on Operating Systems Principles
    October 2007, 378 pages
    ISBN: 9781595935915
    DOI: 10.1145/1294261

    Also published in ACM SIGOPS Operating Systems Review, Volume 41, Issue 6 (SOSP '07)
    December 2007, 363 pages
    ISSN: 0163-5980
    DOI: 10.1145/1323293

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. code attestation
    2. code injection attacks
    3. code integrity
    4. hypervisor
    5. memory virtualization
    6. preventing

    Conference

    SOSP07: ACM SIGOPS 21st Symposium on Operating Systems Principles 2007
    October 14 - 17, 2007
    Stevenson, Washington, USA

    Acceptance Rates

    Overall Acceptance Rate 174 of 961 submissions, 18%

    Cited By

    • (2024) HyperWallet: cryptocurrency wallet as a secure hypervisor-based application. EURASIP Journal on Information Security, 2024:1. DOI: 10.1186/s13635-024-00159-2. Published 8 Aug 2024.
    • (2024) TeeFilter: High-Assurance Network Filtering Engine for High-End IoT and Edge Devices based on TEEs. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 1568-1583. DOI: 10.1145/3634737.3637643. Published 1 Jul 2024.
    • (2024) Intel Accelerators Ecosystem: An SoC-Oriented Perspective (Industry Product). 2024 ACM/IEEE 51st Annual International Symposium on Computer Architecture (ISCA), pp. 848-862. DOI: 10.1109/ISCA59077.2024.00066. Published 29 Jun 2024.
    • (2024) Profiling with trust: system monitoring from trusted execution environments. Design Automation for Embedded Systems, 28(1):23-44. DOI: 10.1007/s10617-024-09283-1. Published 1 Mar 2024.
    • (2024) DScope: To Reliably and Securely Acquire Live Data from Kernel-Compromised ARM Devices. Computer Security – ESORICS 2023, pp. 271-289. DOI: 10.1007/978-3-031-51482-1_14. Published 11 Jan 2024.
    • (2023) CARAT KOP: Towards Protecting the Core HPC Kernel from Linux Kernel Modules. Proceedings of the SC '23 Workshops of The International Conference on High Performance Computing, Network, Storage, and Analysis, pp. 1596-1605. DOI: 10.1145/3624062.3624237. Published 12 Nov 2023.
    • (2023) Veil: A Protected Services Framework for Confidential Virtual Machines. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, pp. 378-393. DOI: 10.1145/3623278.3624763. Published 25 Mar 2023.
    • (2023) SysFlow: Toward a Programmable Zero Trust Framework for System Security. IEEE Transactions on Information Forensics and Security, 18:2794-2809. DOI: 10.1109/TIFS.2023.3264152.
    • (2023) Kernel Code Integrity Protection at the Physical Address Level on RISC-V. IEEE Access, 11:62358-62367. DOI: 10.1109/ACCESS.2023.3285876.
    • (2023) Protecting Kernel Code Integrity with PMP on RISC-V. Information Security Applications, pp. 231-243. DOI: 10.1007/978-981-99-8024-6_18. Published 23 Aug 2023.
