Slide1
HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity
Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang (North Carolina State University)
Xiaolan Zhang (IBM T.J. Watson Research Center)
Nathan C. Skalsky (IBM Systems & Technology Group)
Slide2
Background
- Hypervisors are critical to virtualized platforms
- Can hypervisors be blindly trusted?
  - Two backdoors in Xen [BlackHat 2008]
  - Xen 3.x: 10 Secunia advisories; 17 vulnerabilities
  - VMware ESX 3.x: 49 Secunia advisories; 362 vulnerabilities
- Existing hypervisors' code bases are growing
- Need mechanisms to ensure hypervisor integrity
- HyperSentry: measure the hypervisor's integrity at runtime
Slide3
Challenges
- A fundamental problem: how to measure the integrity of the highest privileged software?
  - The hypervisor has full control of the software system
  - Scrubbing attacks
    - Tampering with the measurement agent
    - Tampering with the measurement results
  - Relying on higher privileged software goes back to the same problem
Slide4
The HyperSentry Approach
- HyperSentry: a generic framework to stealthily measure the integrity of a hypervisor in its own context
- Key ideas
  - Allow the measurement software to gain the highest privilege temporarily
  - Measurement is triggered stealthily (counters scrubbing attacks)
  - Isolate measurement results from the hypervisor
Slide5
Foundation of HyperSentry
- System Management Mode (SMM)
  - x86 operating mode for system management functions
  - SMRAM can be locked to prevent all access to it except from within SMM
    - The hypervisor cannot access the SMRAM once it is locked
  - A System Management Interrupt (SMI) is only handled by the SMI handler in SMRAM
    - An SMI bypasses the hypervisor's control
  - Provides the isolation required for HyperSentry
- Main challenges
  - How to retrieve the needed context of the hypervisor?
  - How to attest to the measurement output?
Slide6
Foundation of HyperSentry (Cont'd)
- Out-of-band communication channel
  - Triggers a System Management Interrupt (SMI)
  - Out of the control of the hypervisor
  - Example: IPMI
    - Uses a microcontroller on the motherboard
    - Hard-wired to the GPI chip to trigger an SMI
    - Not under the control of the hypervisor
- Main challenge
  - How to prevent or detect the hypervisor's intervention (e.g., reprogramming the APIC)?
Slide7
HyperSentry Architecture
[Figure: HyperSentry architecture. The virtualized platform consists of the hardware, the hypervisor in host (root) mode and the VMs in guest (non-root) mode. Beside it, System Management Mode holds the SMI handler and the measurement agent. The BMC/IMM raises the SMI, and the remote verifier receives the measurement output. Trusted components are shaded in green.]
Slide8
In-context Integrity Measurement
- Challenges
  - How to detect the intercepted CPU operation mode? Hypervisor or guest VM?
  - How to retrieve the context needed for measurement? E.g., CR3 and the page table
- Solution
  - Inject a privileged instruction to force the CPU to fall back to the hypervisor mode
  - Run the measurement agent in the same context as the hypervisor
  - The agent runs in a protected execution environment
Slide9
In-context Integrity Measurement
[Figure: execution path across guest (non-root) mode, host (root) mode and System Management Mode, with the labelled steps in order:]
1. SMI from the out-of-band channel. The SMI handler prepares the SMM fallback: it sets the performance counter, PC (cache misses = 1), programs the APIC to raise an SMI on PC overflow, injects a privileged instruction into the interrupted context and flushes the cache. RSM returns.
2. The privileged instruction executes. If the CPU was in a guest VM it causes a VM exit, so the hypervisor's VM exit handler runs; the resulting cache miss overflows the counter, PC (cache misses = 0), and the APIC raises an SMI while the CPU is in host (root) mode.
3. SMI. The SMI handler verifies the measurement agent, the measurement agent runs in the hypervisor's context, the measurement output is stored, and RSM returns.
Slide10
Stealthy Invocation
- Is out-of-band invocation sufficient to achieve stealthy invocation?
- Unfortunately ...
Slide11
A Variation of Scrubbing Attack
[Figure: typical scenario. The BMC/IMM raises an SMI that is handled by the SMI handler in System Management Mode, bypassing the hypervisor in host (root) mode and the VMs in guest (non-root) mode; the remote verifier receives the result.]
Slide12
A Variation of Scrubbing Attack
[Figure: attack scenario, with the same components as the typical scenario but a compromised hypervisor.]
A compromised hypervisor cannot intercept SMIs. But what if it tries to block real SMIs and generate fake ones?
Slide13
Thwarting this Scrubbing Attack
- Can we prevent the hypervisor from blocking SMIs?
  - Not possible with existing hardware
- Solution
  - Detect fake SMIs generated by the (compromised) hypervisor
  - Verify status registers to ensure that the measurement is invoked by the out-of-band channel
  - Key reason: hardware SMIs and software SMIs are distinguishable
Slide14
Stealthy Invocation
[Figure: target platform (IBM HS21XM blade server). The remote verifier reaches the BMC/AMM over SSH and IPMI. The BMC drives GPI 0 on the IO Control Hub (south bridge), which raises an SMI to CPU cores 0, 1, ..., n through the Memory Control Hub (north bridge). The south bridge's SMI-related registers are shown: SMI_EN, GPI_ROUT, SMI_STS (bit positions 0, 9 and 10 marked), ALT_GPI_SMI_STS and ALT_GPI_SMI_EN. Only the bits belonging to the GPI 0 path are 1; every other bit is 0.]
- All status registers are non-writable
- The measurement is invoked only if all other bits are 0
- A fake SMI is easily detectable
Slide15
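The status-register check described on Slides 13 and 14, written out as an added example in Go; this is not code from the HyperSentry project. On entry, the SMI handler snapshots SMI_STS, ALT_GPI_SMI_STS and ALT_GPI_SMI_EN and runs the measurement only when exactly the bits of the BMC's GPI 0 path are set. The bit positions used here (bit 10 of SMI_STS for the ALT_GPI source, bit 5 for a software-generated SMI, bit 0 for GPI 0), the 32-bit register widths and the sample snapshots are assumptions constructed for illustration, not the documented layout of the blade's south bridge.

```go
package main

import "fmt"

// Snapshot of the chipset's SMI status/enable registers as read by the SMI
// handler on entry. Register widths and bit positions are assumptions for
// this example, not the documented layout of the blade's south bridge.
type SMIRegs struct {
	SMISts       uint32 // SMI_STS: which SMI source fired (read-only for software)
	AltGPISMISts uint32 // ALT_GPI_SMI_STS: which GPI line fired (read-only for software)
	AltGPISMIEn  uint32 // ALT_GPI_SMI_EN: which GPI lines may raise an SMI
}

const (
	smiStsAltGPIBit   = 10 // assumed: "an enabled ALT_GPI line fired"
	smiStsSoftwareBit = 5  // assumed: "software (I/O-port) generated SMI"
	bmcGPILine        = 0  // the BMC is hard-wired to GPI 0
)

// SMIOrigin is the handler's verdict on one SMI.
type SMIOrigin int

const (
	OriginOutOfBand SMIOrigin = iota // genuine BMC-triggered SMI: run the measurement
	OriginFake                       // anything else: refuse and report
)

func bit(n uint) uint32 { return 1 << n }

// ClassifySMI applies the rule on Slide 14: invoke the measurement only when
// the status bits belonging to the GPI 0 path are set and every other status
// bit is 0. Status registers cannot be written by software, so a hypervisor
// that raises a software SMI cannot make the snapshot look like this.
func ClassifySMI(r SMIRegs) (SMIOrigin, string) {
	if want := bit(smiStsAltGPIBit); r.SMISts != want {
		return OriginFake, fmt.Sprintf("SMI_STS=%#x, want exactly %#x", r.SMISts, want)
	}
	if want := bit(bmcGPILine); r.AltGPISMISts != want {
		return OriginFake, fmt.Sprintf("ALT_GPI_SMI_STS=%#x, want exactly %#x", r.AltGPISMISts, want)
	}
	if r.AltGPISMIEn&bit(bmcGPILine) == 0 {
		return OriginFake, "ALT_GPI_SMI_EN no longer enables GPI 0: configuration was changed"
	}
	return OriginOutOfBand, "hardware SMI from the BMC's GPI line"
}

func main() {
	// Constructed register snapshots for three situations.
	cases := map[string]SMIRegs{
		"BMC-triggered":         {SMISts: bit(smiStsAltGPIBit), AltGPISMISts: bit(bmcGPILine), AltGPISMIEn: bit(bmcGPILine)},
		"software SMI":          {SMISts: bit(smiStsSoftwareBit), AltGPISMIEn: bit(bmcGPILine)},
		"second source pending": {SMISts: bit(smiStsAltGPIBit) | bit(smiStsSoftwareBit), AltGPISMISts: bit(bmcGPILine), AltGPISMIEn: bit(bmcGPILine)},
	}
	for name, regs := range cases {
		origin, why := ClassifySMI(regs)
		fmt.Printf("%-22s origin=%d (%s)\n", name, origin, why)
	}
}
```

The check is deliberately an equality test rather than a "bit is set" test: a snapshot in which the GPI 0 bits are set but any other status bit is also set is refused, which is what "measurement is invoked only if all other bits are 0" means in practice.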
Attesting to the Measurement Output
- Challenge
  - Absence of dedicated hardware for attestation
  - The hypervisor controls the hardware most of the time
- Solution
  - Provide the SMRAM with a private key
  - Use this key to attest to the measurement results
Slide16
Attesting to the Measurement Output
[Figure: attestation flow across the hardware (TPM), the hypervisor in host mode, the guest VMs, System Management Mode (SMI handler, initialization code, SMM private key K_smm^-1 and SMM public key K_smm) and the remote verifier.]
- Bootstrapping: the initialization code generates the SMM key pair, and the TPM certifies the SMM public key together with the SMI handler measurement: K_AIK^-1{K_smm | Handler | Nonce}
- Attestation request: the remote verifier sends a nonce; the SMI handler returns the integrity measurement output signed with the SMM private key: K_smm^-1{Output | Nonce}
Slide17
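The two signed messages from Slide 16, carried through end to end as an added example in Go; this is not the HyperSentry project's code. Ed25519 stands in for both the TPM's AIK and the SMM key pair, the TPM interface is modelled by an ordinary signing call, and the message encoding, key material, handler image and measurement output are constructed for the example. What follows the slide is the signed content: K_AIK^-1{K_smm | Handler | Nonce} at bootstrap and K_smm^-1{Output | Nonce} at attestation time, with the verifier's side checking both plus nonce freshness.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SMMCert is produced once at boot: the AIK binds the SMM public key to the
// hash of the SMI handler (initialization code) that generated the key pair.
// Field layout and encoding are constructed for this example.
type SMMCert struct {
	SMMPub      ed25519.PublicKey
	HandlerHash [32]byte
	Nonce       []byte
	AIKSig      []byte
}

// Attestation is what SMRAM returns for one measurement request.
type Attestation struct {
	Output []byte // integrity measurement output
	Nonce  []byte // verifier's nonce, echoed back
	Sig    []byte // signed with the SMM private key, which never leaves SMRAM
}

// encode length-prefixes every field so "Output|Nonce" cannot be re-split
// into a different (Output, Nonce) pair with the same bytes.
func encode(tag string, parts ...[]byte) []byte {
	var b bytes.Buffer
	b.WriteString(tag)
	for _, p := range parts {
		binary.Write(&b, binary.BigEndian, uint32(len(p)))
		b.Write(p)
	}
	return b.Bytes()
}

// Bootstrap models the TPM certifying K_smm and the handler measurement.
func Bootstrap(aikPriv ed25519.PrivateKey, smmPub ed25519.PublicKey, handlerImage, nonce []byte) SMMCert {
	h := sha256.Sum256(handlerImage)
	sig := ed25519.Sign(aikPriv, encode("smm-cert", smmPub, h[:], nonce))
	return SMMCert{SMMPub: smmPub, HandlerHash: h, Nonce: nonce, AIKSig: sig}
}

// Attest models the SMI handler answering an attestation request.
func Attest(smmPriv ed25519.PrivateKey, output, nonce []byte) Attestation {
	return Attestation{Output: output, Nonce: nonce, Sig: ed25519.Sign(smmPriv, encode("smm-att", output, nonce))}
}

// Verify is the remote verifier's side: check the AIK certificate, that it
// vouches for the expected handler, that the nonce is the one just sent
// (so an old measurement cannot be replayed), and the SMM signature.
func Verify(aikPub ed25519.PublicKey, cert SMMCert, wantHandler [32]byte, att Attestation, sentNonce []byte) error {
	if !ed25519.Verify(aikPub, encode("smm-cert", cert.SMMPub, cert.HandlerHash[:], cert.Nonce), cert.AIKSig) {
		return errors.New("AIK signature over K_smm|Handler|Nonce is invalid")
	}
	if cert.HandlerHash != wantHandler {
		return errors.New("certified SMI handler differs from the known-good handler")
	}
	if !bytes.Equal(att.Nonce, sentNonce) {
		return errors.New("nonce mismatch: stale or replayed measurement")
	}
	if !ed25519.Verify(cert.SMMPub, encode("smm-att", att.Output, att.Nonce), att.Sig) {
		return errors.New("SMM signature over Output|Nonce is invalid")
	}
	return nil
}

func newNonce() []byte {
	n := make([]byte, 20)
	rand.Read(n)
	return n
}

func main() {
	// Constructed keys and images; in the real design the AIK lives in the TPM
	// and K_smm^-1 is generated and kept inside locked SMRAM.
	aikPub, aikPriv, _ := ed25519.GenerateKey(rand.Reader)
	smmPub, smmPriv, _ := ed25519.GenerateKey(rand.Reader)
	handler := []byte("constructed SMI handler image")
	cert := Bootstrap(aikPriv, smmPub, handler, newNonce())

	nonce := newNonce()
	output := sha256.Sum256([]byte("constructed hypervisor code image"))
	att := Attest(smmPriv, output[:], nonce)
	fmt.Println("fresh measurement:   ", Verify(aikPub, cert, sha256.Sum256(handler), att, nonce))

	// Presenting the same response for a new request is caught by the nonce check.
	fmt.Println("replayed measurement:", Verify(aikPub, cert, sha256.Sum256(handler), att, newNonce()))
}
```

The verifier compares the certified handler hash against a known-good value before trusting K_smm, because the AIK only vouches that some SMI handler generated the key; it is the handler measurement that ties the key to the HyperSentry code rather than to arbitrary SMRAM contents.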
Security Analysis
- Stealthy invocation
  - If configurations are not changed: guaranteed by hardware
  - If configurations change: fake SMIs are detectable
- Verifiable behavior
  - The measurement agent is measured every time before it executes
- Deterministic execution
  - The measurement agent possesses full control over the system
- In-context privileged measurement
  - Guaranteed fallback to the hypervisor mode
  - The measurement agent runs in the same context as the hypervisor
- Attestable output
  - The measurement output is signed by a verifiable and protected key
Slide18
HyperSentry Evaluation
- IBM HS21XM blade server
- Measuring the Xen hypervisor
- End-to-end execution time: 35 ms
- Periodic measurement: every 8 seconds: 2.4% overhead; every 16 seconds: 1.3% overhead
Slide19
Conclusion
- HyperSentry
  - A novel framework for measuring the integrity of the most privileged system software
  - A measurement agent for the Xen hypervisor
  - Low overhead
- Next steps
  - Measurement agent for Linux/KVM
  - Verifying the hypervisor's dynamic integrity
Slide20
Questions?
amazab@ncsu.edu