HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity (PowerPoint presentation)

Authors: Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang (North Carolina State University); Xiaolan Zhang (IBM T.J. Watson Research Center); Nathan C. Skalsky (IBM Systems & Technology Group)

Uploaded on 2016-07-19

Presentation Transcript

Slide 1

HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity

Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang (North Carolina State University); Xiaolan Zhang (IBM T.J. Watson Research Center); Nathan C. Skalsky (IBM Systems & Technology Group)

Slide 2

Background

- Hypervisors are critical to virtualized platforms
- Can hypervisors be blindly trusted?
  - Two backdoors in Xen [BlackHat 2008]
  - Xen 3.x: 10 Secunia advisories; 17 vulnerabilities
  - VMware ESX 3.x: 49 Secunia advisories; 362 vulnerabilities
- Existing hypervisors' code bases are growing
- Need mechanisms to ensure hypervisor integrity
- HyperSentry: measure the hypervisor's integrity at runtime

Slide 3

Challenges

A fundamental problem
- How to measure the integrity of the highest-privileged software?
- The hypervisor has full control of the software system
- Scrubbing attacks
  - Tampering with the measurement agent
  - Tampering with the measurement results
- Relying on higher-privileged software leads back to the same problem

Slide 4

The HyperSentry Approach

HyperSentry
- A generic framework to stealthily measure the integrity of a hypervisor in its own context

Key ideas
- Allow the measurement software to gain the highest privilege temporarily
- Trigger the measurement stealthily, so the hypervisor has no chance to mount a scrubbing attack
- Isolate the measurement results from the hypervisor

Slide 5

Foundation of HyperSentry

System Management Mode (SMM)
- x86 operating mode for system management functions
- SMRAM can be locked to prevent all access to it except from within SMM
  - The hypervisor cannot access SMRAM once it is locked
- A System Management Interrupt (SMI) is handled only by the SMI handler in SMRAM
  - The SMI bypasses the hypervisor's control
- Provides the isolation required for HyperSentry

Main challenges
- How to retrieve the context needed to measure the hypervisor?
- How to attest to the measurement output?

Slide 6

Foundation of HyperSentry (Cont'd)

Out-of-band communication channel
- Triggers a System Management Interrupt (SMI)
- Out of the control of the hypervisor
- Example: IPMI
  - Uses a microcontroller on the motherboard
  - Hard-wired to a GPI (general-purpose input) on the chipset to trigger the SMI
  - Not under the control of the hypervisor

Main challenge
- How to prevent or detect the hypervisor's intervention (e.g., reprogramming the APIC)?

Slide 7

HyperSentry Architecture

[Figure: the virtualized platform runs VMs in guest (non-root) mode on top of the hypervisor in host (root) mode on the hardware. System Management Mode hosts the SMI handler and the measurement agent. A remote verifier reaches the platform through the BMC/IMM, which triggers the SMI. Trusted components are shaded in green in the original figure.]

Slide 8

In-context Integrity Measurement

Challenges
- How to detect the intercepted CPU operation mode: hypervisor or guest VM?
- How to retrieve the context needed for measurement (e.g., CR3 and the page table)?

Solution
- Inject a privileged instruction to force the CPU to fall back to hypervisor mode
- Run the measurement agent in the same context as the hypervisor
- The agent runs in a protected execution environment

Slide 9

In-context Integrity Measurement

[Figure: execution path across System Management Mode, host (root) mode and guest (non-root) mode. The steps labelled in the figure, in order:]

1. SMI: the out-of-band SMI arrives (possibly while a guest VM is running) and control enters the SMI handler in SMM.
2. Prepare SMM fallback: program the performance counter (PC) so that one more cache miss overflows it (cache misses = 1), program the APIC to deliver an SMI on PC overflow, inject a privileged instruction into the interrupted context and flush the cache.
3. RSM: resume. If the CPU was in a guest VM, the injected privileged instruction causes a VM exit into the hypervisor's VM exit handler.
4. The first cache miss in host (root) mode overflows the counter (cache misses = 0 in the figure) and the APIC raises an SMI; the handler now knows the CPU is in hypervisor mode and can read the hypervisor's context.
5. Verify the measurement agent, then RSM into the hypervisor's context to run the measurement agent.
6. SMI: the agent returns to SMM, which stores the measurement output in SMRAM.

Slide 10

Stealthy Invocation

Is out-of-band invocation sufficient to achieve stealthy invocation?

Unfortunately …

Slide 11

A Variation of Scrubbing Attack

[Figure: typical scenario. The remote verifier asks the BMC/IMM to trigger an SMI; the SMI handler in System Management Mode runs beneath the hypervisor (host/root mode) and the VMs (guest/non-root mode) on the hardware.]

Slide 12

A Variation of Scrubbing Attack

[Figure: attack scenario, same components as the typical scenario (remote verifier, BMC/IMM, SMI handler in System Management Mode, hypervisor in host/root mode, VMs in guest/non-root mode).]

A compromised hypervisor cannot intercept SMIs. But what if it tries to block real SMIs and generate fake ones?

Slide 13

Thwarting this Scrubbing Attack

Can we prevent the hypervisor from blocking SMIs?
- Not possible with existing hardware

Solution
- Detect fake SMIs generated by the (compromised) hypervisor
- Verify the status registers to ensure that the measurement was invoked by the out-of-band channel
- Key reason: hardware-triggered and software-triggered SMIs are distinguishable

Slide 14

Stealthy Invocation

[Figure: target platform (IBM HS21XM blade server). The remote verifier connects (SSH) to the AMM, which reaches the blade's BMC over IPMI. The BMC drives GPI 0 on the IO Control Hub (south bridge), which raises an SMI to CPU cores 0..n via the Memory Control Hub (north bridge). Chipset registers shown: SMI_EN, GPI_ROUT, SMI_STS, ALT_GPI_SMI_EN and ALT_GPI_SMI_STS. In the legitimate case the GPI 0 bits in GPI_ROUT, ALT_GPI_SMI_EN and ALT_GPI_SMI_STS are 1, the SMI_STS bit that aggregates the GPI sources is 1, and every other bit is 0.]

- All status registers are non-writable by software
- Measurement is invoked only if all other bits are 0
- A fake SMI is easily detectable

Slide 15
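The entry check an SMI handler would perform to act on the two preceding slides (detect software-generated SMIs by reading the chipset status registers, and refuse to run when the enable/routing configuration differs from boot time), written here as an added example; it is not code from the HyperSentry paper or from the HS21XM firmware. Register names follow the slides; the bit positions, the two-bit routing field and the register snapshots are constructed for illustration and would have to be taken from the chipset datasheet on real hardware.

```python
"""Classify the SMI that woke the handler: out-of-band (BMC -> GPI) or not.

Added example, not HyperSentry code. All bit positions and snapshot values are
constructed; only the register names come from the slides.
"""
from dataclasses import dataclass

# Constructed register layout (illustrative only).
HS_GPI = 0                 # GPI line wired from the BMC ("GPI 0" on the slide)
GBL_SMI_EN = 1 << 0        # SMI_EN: global SMI enable
APM_STS = 1 << 5           # SMI_STS: set by a software SMI (write to the APM command port)
GPE1_STS = 1 << 10         # SMI_STS: set when an enabled ALT GPI asserted
ROUT_SMI = 0b01            # GPI_ROUT: 2-bit per-GPI field value meaning "route to SMI"


@dataclass(frozen=True)
class SmiRegisters:
    smi_en: int
    smi_sts: int
    gpi_rout: int
    alt_gpi_smi_en: int
    alt_gpi_smi_sts: int


def gpi_route(gpi_rout: int, gpi: int) -> int:
    """Extract the 2-bit routing field of one GPI from GPI_ROUT."""
    return (gpi_rout >> (2 * gpi)) & 0b11


# Configuration recorded by the (trusted) initialization code at boot.
BOOT_CONFIG = SmiRegisters(
    smi_en=GBL_SMI_EN,
    smi_sts=0,                             # status bits are not configuration
    gpi_rout=ROUT_SMI << (2 * HS_GPI),
    alt_gpi_smi_en=1 << HS_GPI,
    alt_gpi_smi_sts=0,
)


def configuration_intact(regs: SmiRegisters, boot: SmiRegisters = BOOT_CONFIG) -> bool:
    """The hypervisor cannot touch SMRAM, but it can reprogram the chipset's
    enable/routing registers. Any change means the hardware no longer
    guarantees the invocation path that was set up at boot."""
    return ((regs.smi_en & GBL_SMI_EN) == (boot.smi_en & GBL_SMI_EN)
            and gpi_route(regs.gpi_rout, HS_GPI) == gpi_route(boot.gpi_rout, HS_GPI)
            and (regs.alt_gpi_smi_en & (1 << HS_GPI)) == (boot.alt_gpi_smi_en & (1 << HS_GPI)))


def classify_smi(regs: SmiRegisters) -> tuple[bool, str]:
    """Return (run_measurement, reason).

    Run only when the sole pending SMI source is the HyperSentry GPI: SMI_STS
    carries exactly the ALT-GPI aggregate bit and ALT_GPI_SMI_STS carries
    exactly the HyperSentry line. Status bits are set by hardware and not
    writable by software, so a software SMI shows up as APM_STS instead.
    """
    if not configuration_intact(regs):
        return False, "SMI configuration differs from boot-time state (tampering)"
    if regs.smi_sts & APM_STS:
        return False, "software SMI (APM_STS set)"
    if regs.smi_sts != GPE1_STS:
        return False, f"unexpected SMI_STS bits 0x{regs.smi_sts:x}"
    if regs.alt_gpi_smi_sts != (1 << HS_GPI):
        return False, f"unexpected ALT_GPI_SMI_STS bits 0x{regs.alt_gpi_smi_sts:x}"
    return True, "out-of-band SMI from the BMC"


# Constructed snapshots of what the handler reads on entry.
LEGIT = SmiRegisters(GBL_SMI_EN, GPE1_STS, ROUT_SMI << (2 * HS_GPI), 1 << HS_GPI, 1 << HS_GPI)
FAKE_SW = SmiRegisters(GBL_SMI_EN, APM_STS, ROUT_SMI << (2 * HS_GPI), 1 << HS_GPI, 0)
REROUTED = SmiRegisters(GBL_SMI_EN, APM_STS, 0, 1 << HS_GPI, 0)   # GPI_ROUT cleared, then a fake SMI
OTHER_GPI = SmiRegisters(GBL_SMI_EN, GPE1_STS, ROUT_SMI << (2 * HS_GPI), 1 << HS_GPI, 1 << 3)

if __name__ == "__main__":
    for name, snap in (("legit", LEGIT), ("fake_sw", FAKE_SW),
                       ("rerouted", REROUTED), ("other_gpi", OTHER_GPI)):
        print(f"{name:10s} -> {classify_smi(snap)}")
```

The order of the checks matters: the configuration comparison comes first because a hypervisor that has re-routed the GPI can make the status bits look arbitrary for the real interrupt, and only after the configuration is known-good do the status bits carry meaning.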

Attesting to the Measurement Output

Challenge
- Absence of dedicated hardware for attestation
- The hypervisor controls the hardware most of the time

Solution
- Provide the SMRAM with a private key
- Use this key to attest to the measurement results

Slide 16

Attesting to the Measurement Output

[Figure: the SMI handler and the initialization code in System Management Mode hold an SMM key pair, public key K_smm and private key K_smm^-1. The other parties are the TPM and the remote verifier; the hypervisor (host mode) and the guest VM (guest mode) are untrusted. Message flow shown in the figure:]

- Bootstrapping (using the TPM's attestation identity key): K_AIK^-1{ K_smm | Handler | Nonce }, i.e., the AIK signs the SMM public key together with the SMI handler measurement and a nonce, binding K_smm to a known handler.
- Attestation request: the remote verifier sends a nonce.
- Integrity measurement output: K_smm^-1{ Output | Nonce }, i.e., the output is signed with the SMM private key together with the verifier's nonce.

Slide 17
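The two-message flow from the slide above carried through end to end, as an added example that is not code from the HyperSentry paper: the AIK certifies K_smm together with the handler measurement once, and every later measurement is signed as Output|Nonce, so the verifier can reject a replayed result, a tampered signature, a key that was not certified by the AIK, and an output that does not match the known-good hypervisor. Everything not on the slide is an assumption: signatures are textbook RSA over SHA-256 with fixed Mersenne primes so the script runs offline on the standard library alone (a stand-in for the TPM AIK and for a real signature scheme, not a secure one), fields are length-prefixed, and the measurement is SHA-256 of a constructed "hypervisor code" byte string.

```python
"""Attest to the measurement output with a key held in SMRAM.

Added example, not HyperSentry code. Message flow from the slide:
  bootstrapping (once):      K_AIK^-1 { K_smm | Handler | Nonce }
  attestation (per request): K_smm^-1 { Output | Nonce }
Toy RSA and the byte strings below are constructed stand-ins.
"""
import hashlib
import os

E = 65537
AIK_PRIMES = ((1 << 521) - 1, (1 << 607) - 1)     # Mersenne primes; E is coprime to phi
SMM_PRIMES = ((1 << 1279) - 1, (1 << 127) - 1)


def rsa_keypair(primes):
    p, q = primes
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so 'A|B' cannot be re-split differently."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def pub_bytes(pub) -> bytes:
    n, e = pub
    return encode(n.to_bytes((n.bit_length() + 7) // 8, "big"), e.to_bytes(4, "big"))


def measure(hypervisor_text: bytes) -> bytes:
    """Measurement agent output: a hash of the hypervisor's code region (constructed bytes)."""
    return hashlib.sha256(hypervisor_text).digest()


class SmmSide:
    """SMI handler plus initialization code. The private key never leaves SMRAM."""

    def __init__(self, handler_image: bytes, aik_priv):
        self.k_smm, self._k_smm_inv = rsa_keypair(SMM_PRIMES)
        self.handler_hash = hashlib.sha256(handler_image).digest()
        self.boot_nonce = os.urandom(16)
        # Bootstrapping: the TPM's AIK vouches for K_smm and for the handler that holds it.
        self.boot_cert = sign(aik_priv, encode(pub_bytes(self.k_smm), self.handler_hash, self.boot_nonce))

    def attest(self, output: bytes, nonce: bytes) -> int:
        return sign(self._k_smm_inv, encode(output, nonce))


class RemoteVerifier:
    def __init__(self, aik_pub, good_handler: bytes, good_hypervisor: bytes):
        self.aik_pub = aik_pub
        self.good_handler_hash = hashlib.sha256(good_handler).digest()
        self.good_output = measure(good_hypervisor)
        self.k_smm = None
        self.outstanding = set()

    def enroll(self, smm: SmmSide) -> bool:
        """Accept K_smm only if the AIK signed it together with a known-good handler hash."""
        msg = encode(pub_bytes(smm.k_smm), smm.handler_hash, smm.boot_nonce)
        ok = smm.handler_hash == self.good_handler_hash and verify(self.aik_pub, msg, smm.boot_cert)
        if ok:
            self.k_smm = smm.k_smm
        return ok

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, output: bytes, nonce: bytes, sig: int) -> bool:
        """Fresh nonce, valid K_smm signature over Output|Nonce, output equals the known-good value."""
        if self.k_smm is None or nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)      # each nonce is usable once, so a replay fails
        return verify(self.k_smm, encode(output, nonce), sig) and output == self.good_output


def run_protocol(hypervisor_now: bytes, tamper_with_signature: bool = False):
    """One full exchange; returns (enrolled, fresh_result, replay_result)."""
    handler, good_hv = b"constructed SMI handler image", b"constructed Xen text section"
    aik_pub, aik_priv = rsa_keypair(AIK_PRIMES)
    smm = SmmSide(handler, aik_priv)
    verifier = RemoteVerifier(aik_pub, handler, good_hv)
    enrolled = verifier.enroll(smm)
    nonce = verifier.challenge()
    output = measure(hypervisor_now)
    sig = smm.attest(output, nonce) ^ (1 if tamper_with_signature else 0)
    fresh = verifier.check(output, nonce, sig)
    replay = verifier.check(output, nonce, sig)          # same nonce presented again
    return enrolled, fresh, replay


if __name__ == "__main__":
    print(run_protocol(b"constructed Xen text section"))             # (True, True, False)
    print(run_protocol(b"constructed Xen text section + rootkit"))   # (True, False, False)
```

Two details carry the security argument of the slide rather than the crypto: the handler hash is inside the AIK-signed bootstrapping message, so a verifier that knows the good handler can tell a K_smm generated by a modified handler from the genuine one, and the nonce is consumed on first use, so a hypervisor that captured an earlier signed result cannot replay it when its own code has since been modified.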

Security Analysis

Stealthy invocation
- If the configuration is not changed → guaranteed by hardware
- If the configuration changes → fake SMIs are detectable

Verifiable behavior
- The measurement agent is measured every time before it executes

Deterministic execution
- The measurement agent possesses full control over the system

In-context privileged measurement
- Falling back to hypervisor mode is guaranteed
- The measurement agent runs in the same context as the hypervisor

Attestable output
- The measurement output is signed by a verifiable and protected key

Slide 18

HyperSentry Evaluation

- IBM HS21XM blade server
- Measuring the Xen hypervisor
- End-to-end execution time: 35 ms
- Periodic measurement: every 8 seconds, 2.4% overhead; every 16 seconds, 1.3% overhead

Slide 19

Conclusion

HyperSentry
- A novel framework for measuring the integrity of the most privileged system software
- A measurement agent for the Xen hypervisor
- Low overhead

Next steps
- Measurement agent for Linux/KVM
- Verifying the hypervisor's dynamic integrity

Slide 20

Questions?

amazab@ncsu.edu
