Visible to the public Undertow: An Intra-Kernel Isolation Mechanism for Hardware-Assisted Virtual Machines

TitleUndertow: An Intra-Kernel Isolation Mechanism for Hardware-Assisted Virtual Machines
Publication TypeConference Paper
Year of Publication2019
AuthorsYang, Zihan, Mi, Zeyu, Xia, Yubin
Conference Name2019 IEEE International Conference on Service-Oriented System Engineering (SOSE)
Keywordsauthorisation, bare-metal machines, boot time, bug-prone, cloud computing, commodity operating system, composability, critical data, data privacy, EPT violations, flexible cloud servers, guest kernel, guest virtual machine, Hardware virtualization, hardware-assisted isolation mechanism, hardware-assisted virtual machines, Human Behavior, human factors, Intel processors, intra-kernel isolation mechanism, invasive software, isolated environment, isolation, Kernel, Kernel Protection, Linux, Metrics, multiple restricted Extended Page Table, nested kernel, operating system kernels, popular paths, pre-defined EPT, privacy, pubcrawl, read-only protection, resilience, Resiliency, security, security policies, security threats, sensitive data, storage management, Switches, system calls, Trusted Computing, unpopular paths, untrusted code, untrusted outter kernel, Virtual machine monitors, virtual machines, Virtual machining, virtualisation, virtualization, virtualization exception, virtualization privacy, VMFUNC
AbstractThe prevalence of Cloud Computing has appealed many users to put their business into low-cost and flexible cloud servers instead of bare-metal machines. Most virtual machines in the cloud run commodity operating system(e.g., linux), and the complexity of such operating systems makes them more bug-prone and easier to be compromised. To mitigate the security threats, previous works attempt to mediate and filter system calls, transform all unpopular paths into popular paths, or implement a nested kernel along with the untrusted outter kernel to enforce certain security policies. However, such solutions only enforce read-only protection or assume that popular paths in the kernel to contain almost no bug, which is not always the case in the real world. To overcome their shortcomings and combine their advantages as much as possible, we propose a hardware-assisted isolation mechanism that isolates untrusted part of the kernel. To achieve isolation, we prepare multiple restricted Extended Page Table (EPT) during boot time, each of which has certain critical data unmapped from it so that the code executing in the isolated environment could not access sensitive data. We leverage the VMFUNC instruction already available in recent Intel processors to directly switch to another pre-defined EPT inside guest virtual machine without trapping into the underlying hypervisor, which is faster than the traditional trap-and-emulate procedure. The semantic gap is minimized and real-time check is achieved by allowing EPT violations to be converted to Virtualization Exception (VE), which could be handled inside guest kernel in non-root mode. Our preliminary evaluation shows that with hardware virtualization feature, we are able to run the untrusted code in an isolated environment with negligible overhead.
Citation Keyyang_undertow_2019