NOVA: A Microhypervisor-Based Secure Virtualization

Department of Computer Science – Institute for Systems Architecture – Operating Systems Group

NOVA:A Microhypervisor-Based Secure Virtualization Architecture

Udo Steinberg, Bernhard Kauer

Motivation

Udo Steinberg NOVA 2

• Virtualization widely used for consolidation of workloads

• Attackers have begun targeting the virtualization layer• Xen VM escape1

• VMware VM escape2

• Alarming prediction• „60% of virtual servers will be less secure than the physical

servers they replace through 2012“3

1 Rutkowska/Wojtczuk: Xen 0wning Trilogy, Blackhat 20082 Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware, Blackhat 20093 Gartner Inc., Press Release March 15 2010

Security Risks in Virtual Environments

• New layer of software underneath hosted workloads• can contain exploitable vulnerabilities• must be configured and maintained

• Breaking into the hypervisor• compromises all hosted workloads at once• facilitates attacks from below the guest OS kernel

• Consolidation of workloads with different trust levels• requires strong separation

State of the Art: Monolithic Hypervisors

Monolithic hypervisor is single point of failure

guest mode

host mode

Monolithic Hypervisor

x86 Virtualization

VM VM VM

Device Drivers

ManagementStorage

Network> 100,000 lines of code

Size of the Virtualization Layer

Hypervisor

Dom0Paravirt.

QEMUVMM

Hypervisor

NOVAXen KVM ESXi Hyper-V

100,000

200,000

300,000

400,000

500,000

Windows 2008

Server

QEMUVMM

Improving the Status Quo

Virtualization layer is critical. Make it as small as possible.

Design Principles:1)Fine-grained functional decomposition

Microhypervisor (privileged) Multiple user-level VMMs (unprivileged) User-level drivers, applications (unprivileged)

2)Principle of least privilege among all components Capability-based authorization model

Ideas adopted from the microkernel world

NOVA OS Virtualization Architecture

guest mode

host modeMicrohypervisor

Partition Manager

Applications Device DriversUser

Kernel

VMM VMM

9,000 LOC

20,000 LOC

7,000 LOC

CapabilitySelector

Microhypervisor implements 5 types of objects:

• Protection Domain• Execution Context• Scheduling Context• Portal• Semaphore

Hypercall interface uses capabilities for all operations.

Hypervisor Objects Per-PD Capability Space

Microhypervisor Abstractions

Capability

SCECPD

Capability

Handling of Virtualization Events

• User-level VMM implements complex x86 interface

• Transfer of guest state between VM and VMM via synchronous message passing

guest mode

host mode

Kernel

Microhypervisor

VMM Disk Driver

x86 Block

I/O Instr.VM Exit

VM Resume

Interrupt Delivery

• Interrupt fan-out to multiple components via semaphores

• Recall of virtual CPUs to inject interrupt vectors

guest mode

host mode

Kernel

Microhypervisor

VMM Disk DriverVM ExitVM Resume

Inject Vector SHMEM

Recall

Impact of Attacks in NOVA

Attack from Guest OS• Hypervisor attack surface is

message-passing interface• VM can compromise or crash its

associated VMM

guest mode

host mode

Kernel

Microhypervisor

VMM Device Driver

Msg Hypercall

Virtualization Interface: Lessons Learned

• One simple communication mechanism• Fast synchronous IPC with hand-off scheduling• Selective transfer of execution state • HV need not care about x86 virtualization details

• One synchronization mechanism• Counting semaphores• Also used for interrupt delivery

• Unified abstractions• Protection Domain = Virtual machine or User Task• Execution Context = Virtual CPU or Thread

Virtualization Overhead

2.82% 2.76%

4.26% Kernel-Compile Benchmark:CPU: Intel Core i7 2.67 GHz

VM Configuration:Single virtual CPU, virtual disk512 MB Guest Memory, EPT+VPID

Direct Assignment:0.55% performance overhead caused by nested paging

NOVA:Additional 0.3% overhead~3900 cycles/exit

tvirtual / tnative - 100%

I/O Virtualization Overhead (AHCI controller)

Block Size (Bytes) [log]

NativeDirectVirtual

Stream of sequential disk reads with increasing block sizes

I/O Virtualization Overhead (e1000 NIC)

1 2 4 8 16 31 62 124 251 513 952

Bandwidth (Mbit/s) [log]

DirectNative

Receive UDP packet stream with increasing bandwidth

Current Status

• Hypervisor• Runs on Intel VT-x and AMD-V• Supports SMP, Nested Paging, VT-d IOMMU

• User-Level Virtual-Machine Monitor• Implements virtual PCI, SATA, NIC, BIOS, ...• Supports PCI Pass-Through (direct assignment)

• Ongoing work• Windows as Guest OS• SR-IOV Devices

Conclusion

• Decomposed virtualization layer provides additional isolation boundaries at the cost of more context switches

• Lower context-switch overhead resulting from simple code paths and selective state transfer

NOVA achievements:• TCB reduction by an order of magnitude• Performance improvement over monolithic hypervisors

Code available under GPLv2: http://www.hypervisor.org

NOVA: A Microhypervisor-Based Secure Virtualization

Documents

Cover Directions on convergence and virtualization storyi.dell.com/sites/doccontent/corporate/secure/en/... · virtualization, they must find fresh ways to continue elevating agility,

Secure Virtualization Technology

Mini-NOVA: A Lightweight ARM-based Virtualization

Secure Virtualization (Heron)

Trusted Computing and Secure Virtualization in Cloud Computing

Smart Terminal Architecture with Secure HostsSmart Terminal Architecture with Secure Hosts ... Complex, expensive, and impossible to secure. ... Virtualization, although practical,

Network Virtualization - DABCC · PDF fileNetwork Virtualization Consolidation - Datacenter Resource Maximization Vyatta allows for IT managers to route traffic and secure applications

Open Virtualization Format Specificationxml.coverpages.org/DMTF-OVF-DSP0243v100.pdf · 2008-07-25 · The Open Virtualization Format (OVF) Specification describes an open, secure,

virtualization - 國立臺灣大學hsinmu/courses/_media/... · Bare-metal virtualization is the most secure type of virtualization because guest operating systems are isolated from

Secure Cloud-Scale Virtualization

Secure Linux Containers - kernsec.orgkernsec.org/files/securelinuxcontainers.pdf · Secure Linux Containers ... SELinux – MCS isolation Virtualization – OS separation Multiple

Physical Attack Protection with Human-Secure Virtualization in Data Centers

Secure Encrypted Virtualization API Specification

Taking the Secure Migration Path to IT Virtualization › devpages › SPERA › zJAugu08.pdf · 2019-01-11 · Taking the Secure Migration Path to IT Virtualization ... 12 taking

Secure Encrypted Virtualization API Version 0 - AMD API_Specification.… · Secure Encrypted Virtualization API Version 0.16 Technical Preview ... the receipt and sufficiency of

Fast Secure Virtualization for the ARM Platform - … · · 2011-11-22Fast Secure Virtualization for the ARM Platform by Daniel R. Ferstay ... 4.1 Di erences in architecture speci

Raising the Bar on Desktop Virtualization · As organizations look at desktop virtualization for secure access and compliance, IT executives should consider: • Centralized user

Nova for Physicalization and Virtualization compute models

Implement Android Tamper-Resistant Secure Storage and ... · Implement Android Tamper-Resistant Secure Storage and Secure it in Virtualization Bing Zhu (bing.zhu@intel.com) Contributors:

—BE MORE— SECURE - VMWare NSX · 2017-09-01 · NETWORK VIRTUALIZATION MAKES MICRO-SEGMENTATION POSSIBLE VMWARE NSX: THE NETWORK VIRTUALIZATION PLATFORM THAT BUILDS SECURITY INTO