Visible to the public Hypervisor Introspection: Exploiting Timing Side-Channels against VM MonitoringConflict Detection Enabled

TitleHypervisor Introspection: Exploiting Timing Side-Channels against VM Monitoring
Publication TypeConference Paper
Year of Publication2014
AuthorsGary Wang, University of Illinois at Urbana-Champaign, Zachary J. Estrada, University of Illinois at Urbana-Champaign, Cuong Pham, University of Illinois at Urbana-Champaign, Zbigniew Kalbarczyk, University of Illinois at Urbana-Champaign, Ravishankar K. Iyer, University of Illinois at Urbana-Champaign
Conference Name44th International Conference on Dependable Systems and Networks
PublisherIEEE Computer Society
Conference LocationAtlanta, GA
KeywordsData Driven Security Models and Analysis, hypervisor introspection, NSA SoS Lablets Materials, science of security, UIUC, virtual machine monitoring
Abstract

Hypervisor activity is designed to be hidden from guest Virtual Machines (VM) as well as external observers. In this paper, we demonstrate that this does not always occur. We present a method by which an external observer can learn sensitive information about hypervisor internals, such as VM scheduling or hypervisor-level monitoring schemes, by observing a VM. We refer to this capability as Hypervisor Introspection (HI).

HI can be viewed as the inverse process of the well-known Virtual Machine Introspection (VMI) technique. VMI is a technique to extract VMs' internal state from the hypervi- sor, facilitating the implementation of reliability and security monitors[1]. Conversely, HI is a technique that allows VMs to autonomously extract hypervisor information. This capability enables a wide range of attacks, for example, learning a hypervisor's properties (version, configuration, etc.), defeating hypervisor-level monitoring systems, and compromising the confidentiality of co-resident VMs. This paper focuses on the discovery of a channel to implement HI, and then leveraging that channel for a novel attack against traditional VMI.

In order to perform HI, there must be a method of extracting information from the hypervisor. Since this information is intentionally hidden from a VM, we make use of a side channel. When the hypervisor checks a VM using VMI, VM execution (e.g. network communication between a VM and a remote system) must pause. Therefore, information regarding the hypervisor's activity can be leaked through this suspension of execution. We call this side channel the VM suspend side channel, illustrated in Fig. 1. As a proof of concept, this paper presents how correlating the results of in-VM micro- benchmarking and out-of-VM reference monitoring can be used to determine when hypervisor-level monitoring tools are vulnerable to attacks.

URLhttps://publish.illinois.edu/science-of-security-lablet/files/2014/05/Hypervisor-Introspection-Explo...
Citation Keynode-23293

Other available formats:

Hypervisor Introspection Exploiting Timing Side channels against VM Monitoring