Deconstructing Xen

@inproceedings{Shi2017DeconstructingX,
  title={Deconstructing Xen},
  author={Le Shi and Yuming Wu and Yubin Xia and Nathan Dautenhahn and Haibo Chen and Binyu Zang and Jinming Li},
  booktitle={NDSS},
  year={2017}
}
Hypervisors have quickly become essential but are vulnerable to attack. Unfortunately, efficiently hardening hypervisors is challenging because they lack a privileged security monitor and decomposition strategies. In this work we systematically analyze the 191 Xen hypervisor vulnerabilities from Xen Security Advisories, revealing that the majority (144) are in the core hypervisor not Dom0. We then use the analysis to provide a novel deconstruction of Xen, called Nexen, into a security monitor… Expand
HypFDI: Fault Domain Isolation for Hosted Hypervisor in ARM
TLDR
A system that aims to isolate, ‘deprivilege’ and constrain the hosted hypervisor inside kernel, by enforcing function access control on hypervisor, disabling writes to virtual memory control registers from hypervisor and developing a trusted switch gate is presented. Expand
Hardening Hypervisors against Vulnerabilities in Instruction Emulators
Vulnerabilities in hypervisors are crucial in multi-tenant clouds and attractive for attackers because a vulnerability in the hypervisor can undermine all the virtual machine (VM) security. ThisExpand
Mitigating vulnerability windows with hypervisor transplant
TLDR
The evaluation results show that HyperTP delivers satisfactory performance, and the downtime imposed by InPlaceTP on VMs is in the same order of magnitude as in-place upgrade of homogeneous hypervisors based on server micro-reboot. Expand
(Mostly) Exitless VM Protection from Untrusted Hypervisor through Disaggregated Nested Virtualization
TLDR
Experimental evaluation shows that CloudVisor-D incurs negligible performance overhead even for I/O intensive benchmarks and in some cases outperforms a vanilla hypervisor due to the reduced number of VM exits. Expand
Comprehensive VM Protection Against Untrusted Hypervisor Through Retrofitted AMD Memory Encryption
TLDR
Fidelius is proposed as a software-based extension to the SEV feature to address a set of security issues of using SEV as a means to defend against an untrusted hypervisor, and shows its effectiveness in protecting tenant’s data from a variety of attack surfaces. Expand
Protecting Cloud Virtual Machines from Hypervisor and Host Operating System Exploits
TLDR
HypSec, a new hypervisor design for retrofitting an existing commodity hypervisor using microkernel principles to reduce its trusted computing base while protecting the confidentiality and integrity of virtual machines, is created. Expand
ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)
TLDR
ERIM is presented, a novel technique that provides hardware-enforced isolation with low overhead on x86 CPUs, even at high switching rates (ERIM’s measured overhead is less than 1% for 100,000 switches per second). Expand
TEEv: virtualizing trusted execution environments on mobile platforms
TLDR
TEEv, a TEE virtualization architecture that supports multiple isolated, restricted TEE instances (i.e., vTEEs) running concurrently, is proposed and evaluation results show that TEEv can isolate vTees and defend all known attacks on TEE with only mild performance overhead. Expand
SkyBridge: Fast and Secure Inter-Process Communication for Microkernels
TLDR
SkyBridge is a new communication facility designed and optimized for synchronous IPC in microkernels that requires no involvement of kernels during communication and allows a process to directly switch to the virtual address space of the target process and invoke the target function. Expand
Transcending the Teetering Tower of Trust: Demonstrated with Virtual Memory Fuses for Software Enclaves
TLDR
The Teetering Tower of Trust model offers a new way to think about security across the computation stack, while the novel Virtual Memory Fuse creates the possibility of a new operating system feature: software enclaves. Expand
...
1
2
...

References

SHOWING 1-10 OF 33 REFERENCES
HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity
TLDR
This paper presents HyperSafe, a lightweight approach that endows existing Type-I bare-metal hypervisors with a unique self-protection capability to provide lifetime control flow integrity and shows HyperSafe can reliably enable the hypervisor self- protection and provide the integrity guarantee with a small performance overhead. Expand
Isolating commodity hosted hypervisors with HyperLock
TLDR
This paper provides a secure hypervisor isolation runtime with its own separated address space and a restricted instruction set for safe execution and proposes another technique, i.e., hypervisor shadowing, to efficiently create a separate shadow hypervisor and pair it with each guest so that a compromised hypervisor can affect only the paired guest, not others. Expand
Taming Hosted Hypervisors with (Mostly) Deprivileged Execution
TLDR
This paper presents a system that aims to dramatically reduce the exposed attack surface of a hosted hypervisor by deprivileging its execution to user mode by decoupling the hypervisor code from the host OS and depriviles its execution. Expand
Delusional boot: securing hypervisors without massive re-engineering
TLDR
Min-V is presented, a hypervisor that disables all virtual devices not critical to running VMs in the cloud and introduces delusional boot, a mechanism that allows guest VMs running commodity OSes to boot successfully without developers having to re-engineer the initialization code of these commodityOSes, as well as the BIOS and pre-OS code. Expand
TinyChecker: Transparent protection of VMs against hypervisor failures with nested virtualization
TLDR
A technique called TinyChecker is proposed, which uses a tiny nested hypervisor to transparently protect guest VMs against failures in the hypervisor layer, whose reliability can be guaranteed by its small size and possible further formal verification. Expand
Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks
TLDR
This paper proposes HyperCoffer, a hardware-software framework that guards the privacy and integrity of tenant's VMs and extends existing processor virtualization with memory encryption and integrity checking to secure data communication with off-chip memory. Expand
Breaking up is hard to do: security and functionality in a commodity hypervisor
TLDR
Xoar is presented, a modified version of Xen that retrofits the modularity and isolation principles used in micro-kernels onto a mature virtualization platform and shows that this componentized abstraction brings a number of benefits: sharing of service components by guests is configurable and auditable, making exposure to risk explicit, and access to the hypervisor is restricted to the least privilege required for each component. Expand
HyperSentry: enabling stealthy in-context measurement of hypervisor integrity
TLDR
A key contribution of HyperSentry is the set of novel techniques that overcome SMM's limitation, providing an integrity measurement agent with the same contextual information available to the hypervisor, completely protected execution, and attestation to its output. Expand
Architectural support for hypervisor-secure virtualization
TLDR
This work presents hypervisor-secure virtualization - a new research direction with the goal of protecting the guest VMs from an untrusted hypervisor, and presents the HyperWall architecture which achievesHyperWall, which allows a hypervisor to freely manage the memory, processor cores and other resources of a platform. Expand
Eliminating the hypervisor attack surface for a more secure cloud
TLDR
NoHype eliminates the hypervisor attack surface by enabling the guest VMs to run natively on the underlying hardware while maintaining the ability to run multiple VMs concurrently, and is a significant advance in the security of cloud computing. Expand
...
1
2
3
4
...