Eliminating the Hypervisor Attack Surface for a More Secure Cloud

ACM Sigarch Computer Architecture News, 2010

Cloud computing is a disruptive trend that is changing the way we use computers. The key underlying technology in cloud infrastructures is virtualization -so much so that many consider virtualization to be one of the key features rather than simply an implementation detail. Unfortunately, the use of virtualization is the source of a significant security concern. Because multiple virtual machines run on the same server and since the virtualization layer plays a considerable role in the operation of a virtual machine, a malicious party has the opportunity to attack the virtualization layer. A successful attack would give the malicious party control over the all-powerful virtualization layer, potentially compromising the confidentiality and integrity of the software and data of any virtual machine. In this paper we propose removing the virtualization layer, while retaining the key features enabled by virtualization. Our NoHype architecture, named to indicate the removal of the hypervisor, addresses each of the key roles of the virtualization layer: arbitrating access to CPU, memory, and I/O devices, acting as a network device (e.g., Ethernet switch), and managing the starting and stopping of guest virtual machines. Additionally, we show that our NoHype architecture may indeed be "no hype" since nearly all of the needed features to realize the NoHype architecture are currently available as hardware extensions to processors and I/O devices.

2020

Serverless containers and functions are widely used for deploying and managing software in the cloud. Their popularity is due to reduced cost of operations, improved utilization of hardware, and faster scaling than traditional deployment methods. The economics and scale of serverless applications demand that workloads from multiple customers run on the same hardware with minimal overhead, while preserving strong security and performance isolation. The traditional view is that there is a choice between virtualization with strong security and high overhead, and container technologies with weaker security and minimal overhead. This tradeoff is unacceptable to public infrastructure providers, who need both strong security and minimal overhead. To meet this need, we developed Firecracker, a new open source Virtual Machine Monitor (VMM) specialized for serverless workloads, but generally useful for containers, functions and other compute workloads within a reasonable set of constraints. W...

2003

Numerous systems have been designed which use virtualization to subdivide the ample resources of a modern computer. Some require specialized hardware, or cannot support commodity operating systems. Some target 100% binary compatibility at the expense of performance. Others sacrifice security or functionality for speed. Few offer resource isolation or performance guarantees; most provide only best-effort provisioning, risking denial of service. This paper presents Xen, an x86 virtual machine monitor which allows multiple commodity operating systems to share conventional hardware in a safe and resource managed fashion, but without sacrificing either performance or functionality. This is achieved by providing an idealized virtual machine abstraction to which operating systems such as Linux, BSD and Windows XP, can be ported with minimal effort.

Proceedings of the 2009 ACM workshop on Cloud computing security - CCSW '09, 2009

Cloud infrastructure commonly relies on virtualization. Customers provide their own VMs, and the cloud provider runs them often without knowledge of the guest OSes or their configurations. However, cloud customers also want effective and efficient security for their VMs. Cloud providers offering security-as-a-service based on VM introspection promise the best of both worlds: efficient centralization and effective protection. Since customers can move images from one cloud to another, an effective solution requires learning what guest OS runs in each VM and securing the guest OS without relying on the guest OS functionality or an initially secure guest VM state.

2012

The set of virtual devices offered by a hypervisor to its guest VMs is a virtualization component ripe with security exploits-more than half of all vulnerabilities of today's hypervisors are found in this codebase. This paper presents Min-V, a hypervisor that disables all virtual devices not critical to running VMs in the cloud. Of the remaining devices, Min-V takes a step further and eliminates all remaining functionality not needed for the cloud. To implement Min-V, we had to overcome an obstacle: the boot process of many commodity OSes depends on legacy virtual devices absent from our hypervisor. Min-V introduces delusional boot, a mechanism that allows guest VMs running commodity OSes to boot successfully without developers having to re-engineer the initialization code of these commodity OSes, as well as the BIOS and pre-OS (e.g., bootloader) code. We evaluate Min-V and demonstrate that our security improvements incur no performance overhead except for a small delay during reboot of a guest VM. Our reliability tests show that Min-V is able to run unmodified Linux and Windows OSes on top of this minimal virtualization interface.

ACM SIGARCH Computer Architecture News, 2010

Cloud computing is a disruptive trend that is changing the way we use computers. The key underlying technology in cloud infrastructures is virtualization-so much so that many consider virtualization to be one of the key features rather than simply an implementation detail. Unfortunately, the use of virtualization is the source of a significant security concern. Because multiple virtual machines run on the same server and since the virtualization layer plays a considerable role in the operation of a virtual machine, a malicious party has the opportunity to attack the virtualization layer. A successful attack would give the malicious party control over the all-powerful virtualization layer, potentially compromising the confidentiality and integrity of the software and data of any virtual machine. In this paper we propose removing the virtualization layer, while retaining the key features enabled by virtualization. Our NoHype architecture, named to indicate the removal of the hypervisor, addresses each of the key roles of the virtualization layer: arbitrating access to CPU, memory, and I/O devices, acting as a network device (e.g., Ethernet switch), and managing the starting and stopping of guest virtual machines. Additionally, we show that our NoHype architecture may indeed be "no hype" since nearly all of the needed features to realize the NoHype architecture are currently available as hardware extensions to processors and I/O devices.

2009

During the past few years virtualization has strongly reemerged from the shadow of the mainframe generation as a promising technology for the new generation of computers. Both the research and industry communities have recently looked at virtualization as a solution for security and reliability. With the increased usage and dependence on this technology, security is sues of virtualization are becoming more and more relevant. This thesis looks at the challenge of securing Xen, a popular open source virtualiza tion technology. We analyze security properties of the Xen architecture, propose and implement different security schemes including authenticated hypercalls, hypercall access table and hypercall stack trace verification to secure Xen hypercalls (which are analogous to system calls in the OS world). The security analysis shows that hypercall attacks could be a real threat to the Xen virtualization architecture (i.e., hypercalls could be exploited to inject malicious code into the...

Paper presented at a workshop of the HTLS in Bologna, summer 2016, to be published in a future volume of lexical studies on the LXX