research-article

Delusional boot: securing hypervisors without massive re-engineering

Authors:

Shravan Rayanchu,

Alec WolmanAuthors Info & Claims

EuroSys '12: Proceedings of the 7th ACM european conference on Computer Systems

Pages 141 - 154

https://doi.org/10.1145/2168836.2168851

Published: 10 April 2012 Publication History

Abstract

The set of virtual devices offered by a hypervisor to its guest VMs is a virtualization component ripe with security exploits -- more than half of all vulnerabilities of today's hypervisors are found in this codebase. This paper presents Min-V, a hypervisor that disables all virtual devices not critical to running VMs in the cloud. Of the remaining devices, Min-V takes a step further and eliminates all remaining functionality not needed for the cloud.

To implement Min-V, we had to overcome an obstacle: the boot process of many commodity OSes depends on legacy virtual devices absent from our hypervisor. Min-V introduces delusional boot, a mechanism that allows guest VMs running commodity OSes to boot successfully without developers having to re-engineer the initialization code of these commodity OSes, as well as the BIOS and pre-OS (e.g., bootloader) code. We evaluate Min-V and demonstrate that our security improvements incur no performance overhead except for a small delay during reboot of a guest VM. Our reliability tests show that Min-V is able to run unmodified Linux and Windows OSes on top of this minimal virtualization interface.

References

[1]

G. Ateniese, S. Kamara, and J. Katz. Proofs of Storage from Homomorphic Identification Protocols. In Proc. of the 15th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT), 2009.

Digital Library

[2]

M. Ben-Yehuda, M. D. Day, Z. Dubitzky, M. Factor, N. Har'El, A. Gordon, A. Liguori, O. Wasserman, and B.-A. Yassour. The turtles project: Design and implementation of nested virtualization. In Proc. of the 9th Symposium on Operating Systems Design and Implementation (OSDI), 2010.

Digital Library

[3]

BitBucket. On our extended downtime, Amazon and whats coming, 2009. http://blog.bitbucket.org/2009/10/04/on-our-extended-downtime-amazon\discretionary{-}{}{}and-whats-coming/.

[4]

Boston Globe. Google subpoena roils the web, January, 2006. http://boston.com/news/nation/articles/2006/01/21/google_subpoen\a_roils_the_web/.

[5]

K. D. Bowers, A. Juels, and A. Oprea. HAIL: a high-availability and integrity layer for cloud storage. In Proc. of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.

Digital Library

[6]

S. Boyd-Wickizer and N. Zeldovich. Tolerating malicious device drivers in linux. In Proc. of the 2010 USENIX conference (ATC), 2010.

Digital Library

[7]

A. Chou, J. Yang, B. Chelf, S. Hallem, and D. Engler. An empirical study of operating systems errors. In Proc. of the 18th ACM Symposium on Operating Systems Principles (SOSP), 2001.

Digital Library

[8]

P. Colp, M. Nanavati, J. Zhu, W. Aiello, G. Cooker, T. Deegan, P. Loscocco, and A. Warfield. Breaking Up is Hard to Do: Security and Funtionality in a Commodity Hypervisor. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP), Cascais, Portugal, 2011.

Digital Library

[9]

K. Fraser, S. Hand, R. Neugebauer, I. Pratt, A. Warfield, and M. Williamson. Reconstructing I/O. Technical Report UCAM-CL-TR-596, University of Cambridge, Computer Laboratory, 2004.

[10]

K. Fraser, S. Hand, R. Neugebauer, I. Pratt, A. Warfield, and M. Williamson. Safe Hardware Access with the Xen Virtual Machine Monitor. In Proc. of the 1st Workshop On Operating System and Architectural Support for the on demand IT Infrastructure (OASIS), Boston, MA, October 2004.

[11]

T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: a virtual machine-based platform for trusted computing. In Proc. of the 19th ACM Symposium on Operating Systems Principles (SOSP), Bolton Landing, NY, October 2003.

Digital Library

[12]

R. Gellman. Privacy in the Clouds: Risks ot Privacy and Confidentiality from Cloud Computing, 2009. http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf.

[13]

M. Hohmuth, M. Peter, H. Hartig, and J. S. Shapiro. Reducing TCB size by using untrusted components -- small kernels versus virtual-machine monitors. In Proc. of 11th ACM SIGOPS European Workshop, Leuven, Belgium, September 2004.

Digital Library

[14]

G. J. Holzmann. The logic of bugs. In Proc. of Foundations of Software Engineering (FSE), Charleston, SC, 2002.

Digital Library

[15]

Intel. Intel Active Management Technology. http://www.intel.com/technology/platform-technology/intel-amt/.

[16]

M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono. On technical security issues in cloud computing. In Proc. of the IEEE International Conference on Cloud Computing (CLOUD-II), Bangalore, India, 2009.

Digital Library

[17]

A. Kadav, M. J. Renzelmann, and M. M. Swift. Tolerating hardware device failures in software. In Proc. of the 22nd Symposium on Operating Systems Principles (SOSP), Big Sky, MT, October 2009.

Digital Library

[18]

B. Kauer, P. Verissimo, and A. Bessani. Recursive virtual machines for advanced security mechanisms. In Proc. of the 1st International Workshop on Dependability of Clouds, Data Centers and Virtual Computing Environments (DCDV), 2011.

Digital Library

[19]

E. Keller, J. Szefer, J. Rexford, and R. B. Lee. NoHype: Virtualized Cloud Infrastructure without the Virtualization. In Proc. of 37th International Symposium on Computer Architecture (ISCA), Saint-Malo, France, 2010.

Digital Library

[20]

G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, M. Norrish, R. Kolanski, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal Verification of an OS Kernel. In Proc. of the 22nd Symposium on Operating Systems Principles (SOSP), Big Sky, MT, October 2009.

Digital Library

[21]

B. Krebs. Amazon: Hey Spammers, Get Off My Cloud. Washington Post, July 1 2008.

[22]

J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB Reduction and Attestation. In Proc. of IEEE Symposium on Security and Privacy, Oakland, CA, May 2010.

Digital Library

[23]

A. G. Miklas, S. Saroiu, A. Wolman, and A. D. Brown. Bunker: A Privacy-Oriented Platform for Network Tracing. In Proc. of the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI), Boston, MA, April 2009.

Digital Library

[24]

D. Murray, G. Miob, and S. Hand. Improving Xen Security Through Disaggregation. In Proc. of the 4th ACM International Conference on Virtual Execution Environments (VEE), Seattle, WA, March 2008.

Digital Library

[25]

National Institute of Standards and Techonology. National Vulnerability Database. http://nvd.nist.gov/home.cfm.

[26]

A. M. Nguyen, N. Schear, H. Jung, A. Godiyal, S. T. King, and H. D. Nguyen. MAVMM: Lightweight and Purpose Built VMM for Malware Analysis. In Proc. of the 2009 Annual Computer Security Applications Conference (ACSAC), Honolulu, HI, 2009.

Digital Library

[27]

S. Özkan. CVE Details: The ultimate security vulnerability datasource. http://www.cvedetails.com/index.php.

[28]

T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. In Proc. of 16th ACM Conference on Computer and Communications Security (CCS), Chicago, IL, November 2009.

Digital Library

[29]

I. Roy, H. E. Ramadan, S. T. V. Setty, A. Kilzer, V. Shmatikov, and E. Witchel. Airavat: Security and Privacy for MapReduce. In Proc. of the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI), San Jose, CA, 2010.

Digital Library

[30]

L. Ryzhyk, P. Chubb, I. Kuz, and G. Heiser. Dingo: Taming device drivers. In Proc. of the 4th ACM European Conference on Computer Systems (Eurosys), Nuremberg, Germany, 2009.

Digital Library

[31]

R. Sailer, E. Valdez, T. Jaeger, R. Perez, L. van Doorn, J. L. Griffin, and S. Berger. sHype: Secure Hypervisor Approach to Trusted Virtualized Systems. Technical Report RC 23511, IBM Research, 2005.

[32]

R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. In Proc. of the 13th USENIX Security Symposium, San Diego, CA, 2004.

Digital Library

[33]

N. Santos, K. P. Gummadi, and R. Rodrigues. Towards Trusted Cloud Computing. In Proc. of the Workshop on Hot Topics in Cloud Computing (HotCloud), San Diego, CA, June 2009.

Digital Library

[34]

Secunia. Secunia Advisories. http://secunia.com/advisories/.

[35]

A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In Proc. of the ACM Symposium on Operating Systems Principles (SOSP), Stevenson, WA, October 2007.

Digital Library

[36]

T. Shanley. Protected mode software architecture. Taylor & Francis, 1996.

Digital Library

[37]

U. Steinberg and B. Kauer. NOVA: A Microhypervisor-Based Secure Virtualization Architecture. In Proc. of the ACM European Conference on Computer Systems (EuroSys), Paris, France, April 2010.

Digital Library

[38]

M. M. Swift, M. Annamalai, B. N. Bershad, and H. M. Levy. Recovering Device Drivers. In Proc. of the 6th Symposium on Operating Systems Design and Implementation (OSDI), San Francisco, CA, 2004.

Digital Library

[39]

M. M. Swift, B. N. Bershad, and H. M. Levy. Improving the Reliability of Commodity Operating Systems. In Proc. of the 19th Symposium on Operating Systems Principles (SOSP), Bolton Landing, NY, 2003.

Digital Library

[40]

VMware. Security Advisories & Certifications. http://www.vmware.com/security/advisories/.

[41]

D. Williams, P. Reynolds, K. Walsh, E. G. Sirer, and F. B. Schneider. Device Driver Safety Through a Reference Validation Mechanism. In Proc. of the 8th Symposium on Operating Systems Design and Implementation (OSDI), San Diego, CA, 2008.

Digital Library

[42]

Xen. Xen User Manual v3.3. http://bits.xensource.com/Xen/docs/user.pdf.

[43]

F. Zhang, J. Chen, H. Chen, and B. Zang. CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP), Cascais, Portugal, 2011.

Digital Library

Cited By

Chen YZhang SJia XZhou QHuang HXu SDu H(2024)SEDSpec: Securing Emulated Devices by Enforcing Execution Specification2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00056(522-534)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00056
Hu ZLee SPeinado MMeng WJensen CCremers CKirda E(2023)Hacksaw: Hardware-Centric Kernel Debloating via Device Inventory and Dependency AnalysisProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623208(1994-2008)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623208
Senuki MIshiguro KKono KHong JLanperne MPark JCerny TShahriar H(2023)Nioh-PT: Virtual I/O Filtering for Agile Protection against Vulnerability WindowsProceedings of the 38th ACM/SIGAPP Symposium on Applied Computing10.1145/3555776.3577687(1293-1300)Online publication date: 27-Mar-2023
https://dl.acm.org/doi/10.1145/3555776.3577687
Show More Cited By

Index Terms

Delusional boot: securing hypervisors without massive re-engineering
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Directvisor: virtualization for bare-metal cloud
VEE '20: Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Bare-metal cloud platforms allow customers to rent remote physical servers and install their preferred operating systems and software to make the best of servers' raw hardware capabilities. However, this quest for bare-metal performance compromises ...
Virtual Machine Migration Method between Different Hypervisor Implementations and Its Evaluation
WAINA '12: Proceedings of the 2012 26th International Conference on Advanced Information Networking and Applications Workshops

Virtualization technologies are an important building block for cloud services. Each service will run on virtual machines (VMs) deployed over different hyper visors in the future. Therefore, a VM migration method between different hyper visor ...
My VM is Lighter (and Safer) than your Container
SOSP '17: Proceedings of the 26th Symposium on Operating Systems Principles

Containers are in great demand because they are lightweight when compared to virtual machines. On the downside, containers offer weaker isolation than VMs, to the point where people run containers in virtual machines to achieve proper isolation. In this ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

EuroSys '12: Proceedings of the 7th ACM european conference on Computer Systems

April 2012

394 pages

ISBN:9781450312233

DOI:10.1145/2168836

General Chair:
Pascal Felber
University of Neuchâtel, Switzerland
,
Program Chairs:
Frank Bellosa
KIT, Germany
,
Herbert Bos
Vrije Universiteit Amsterdam, The Netherlands

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 April 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

EuroSys '12

Sponsor:

SIGOPS

EuroSys '12: Seventh EuroSys Conference 2012

April 10 - 13, 2012

Bern, Switzerland

Acceptance Rates

Overall Acceptance Rate 241 of 1,308 submissions, 18%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

23
Total Citations
View Citations
571
Total Downloads

Downloads (Last 12 months)21
Downloads (Last 6 weeks)2

Reflects downloads up to 18 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Chen YZhang SJia XZhou QHuang HXu SDu H(2024)SEDSpec: Securing Emulated Devices by Enforcing Execution Specification2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00056(522-534)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00056
Hu ZLee SPeinado MMeng WJensen CCremers CKirda E(2023)Hacksaw: Hardware-Centric Kernel Debloating via Device Inventory and Dependency AnalysisProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623208(1994-2008)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623208
Senuki MIshiguro KKono KHong JLanperne MPark JCerny TShahriar H(2023)Nioh-PT: Virtual I/O Filtering for Agile Protection against Vulnerability WindowsProceedings of the 38th ACM/SIGAPP Symposium on Applied Computing10.1145/3555776.3577687(1293-1300)Online publication date: 27-Mar-2023
https://dl.acm.org/doi/10.1145/3555776.3577687
Gu JHua ZLi MChen H(2022)Innovations and applications of operating system security with a hardware-software co-designChinese Science Bulletin10.1360/TB-2022-055767:32(3862-3871)Online publication date: 30-Jun-2022
https://doi.org/10.1360/TB-2022-0557
Anzai SMisono MNakamura RKuga YShinagawa TSerafini MXu H(2022)Towards isolated execution at the machine levelProceedings of the 13th ACM SIGOPS Asia-Pacific Workshop on Systems10.1145/3546591.3547530(68-77)Online publication date: 23-Aug-2022
https://dl.acm.org/doi/10.1145/3546591.3547530
Li BLin JWang QWang ZJing J(2021)Locally-Centralized Certificate Validation and its Application in Desktop Virtualization SystemsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2020.303526516(1380-1395)Online publication date: 2021
https://doi.org/10.1109/TIFS.2020.3035265
Connelly JRoberts TGao XXiao JWang HStavrou A(2021)CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN48987.2021.00047(350-362)Online publication date: Jun-2021
https://doi.org/10.1109/DSN48987.2021.00047
ISHIGURO KKONO K(2020)Instruction Filters for Mitigating Attacks on Instruction Emulation in HypervisorsIEICE Transactions on Information and Systems10.1587/transinf.2019EDP7186E103.D:7(1660-1671)Online publication date: 1-Jul-2020
https://doi.org/10.1587/transinf.2019EDP7186
He JOta KDong MYang LFan MWang GYau S(2020)Customized Network Security for Cloud ServiceIEEE Transactions on Services Computing10.1109/TSC.2017.272582813:5(801-814)Online publication date: 1-Sep-2020
https://doi.org/10.1109/TSC.2017.2725828
Li SKoh JNieh JHeninger NTraynor P(2019)Protecting cloud virtual machines from commodity hypervisor and host operating system exploitsProceedings of the 28th USENIX Conference on Security Symposium10.5555/3361338.3361433(1357-1374)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.5555/3361338.3361433
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents