Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Department of Computer Science – Institute for Systems Architecture – Operating Systems Group
NOVA:A Microhypervisor-Based Secure Virtualization Architecture
Udo Steinberg, Bernhard Kauer
Motivation
Udo Steinberg NOVA 2
• Virtualization widely used for consolidation of workloads
• Attackers have begun targeting the virtualization layer• Xen VM escape1
• VMware VM escape2
• Alarming prediction• „60% of virtual servers will be less secure than the physical
servers they replace through 2012“3
1 Rutkowska/Wojtczuk: Xen 0wning Trilogy, Blackhat 20082 Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware, Blackhat 20093 Gartner Inc., Press Release March 15 2010
Security Risks in Virtual Environments
Udo Steinberg NOVA 3
• New layer of software underneath hosted workloads• can contain exploitable vulnerabilities• must be configured and maintained
• Breaking into the hypervisor• compromises all hosted workloads at once• facilitates attacks from below the guest OS kernel
• Consolidation of workloads with different trust levels• requires strong separation
State of the Art: Monolithic Hypervisors
Udo Steinberg NOVA 4
Monolithic hypervisor is single point of failure
guest mode
host mode
Monolithic Hypervisor
x86 Virtualization
VM VM VM
Device Drivers
ManagementStorage
Network> 100,000 lines of code
Size of the Virtualization Layer
Udo Steinberg NOVA 5
Hypervisor
Linux
Dom0Paravirt.
QEMUVMM
Hypervisor
Hypervisor
NOVAXen KVM ESXi Hyper-V
100,000
200,000
300,000
400,000
500,000
0
Windows 2008
Server
QEMUVMM
Line
s of
Sou
rce
Cod
e
Improving the Status Quo
Udo Steinberg NOVA 6
Virtualization layer is critical. Make it as small as possible.
Design Principles:1)Fine-grained functional decomposition
Microhypervisor (privileged) Multiple user-level VMMs (unprivileged) User-level drivers, applications (unprivileged)
2)Principle of least privilege among all components Capability-based authorization model
Ideas adopted from the microkernel world
NOVA OS Virtualization Architecture
Udo Steinberg NOVA 7
guest mode
host modeMicrohypervisor
Partition Manager
VMM
Applications Device DriversUser
Kernel
VM
VMM VMM
VM VM
9,000 LOC
20,000 LOC
7,000 LOC
CapabilitySelector
Microhypervisor implements 5 types of objects:
• Protection Domain• Execution Context• Scheduling Context• Portal• Semaphore
Hypercall interface uses capabilities for all operations.
Hypervisor Objects Per-PD Capability Space
Microhypervisor Abstractions
Udo Steinberg NOVA 8
3
Capability
SCECPD
Capability
Capability
Handling of Virtualization Events
Udo Steinberg NOVA 9
• User-level VMM implements complex x86 interface
• Transfer of guest state between VM and VMM via synchronous message passing
guest mode
host mode
User
Kernel
Microhypervisor
VM
VMM Disk Driver
x86 Block
I/O Instr.VM Exit
Call
VM Resume
Reply
Interrupt Delivery
Udo Steinberg NOVA 10
• Interrupt fan-out to multiple components via semaphores
• Recall of virtual CPUs to inject interrupt vectors
guest mode
host mode
User
Kernel
Microhypervisor
VM
VMM Disk DriverVM ExitVM Resume
Inject Vector SHMEM
Recall
Impact of Attacks in NOVA
Udo Steinberg NOVA 11
Attack from Guest OS• Hypervisor attack surface is
message-passing interface• VM can compromise or crash its
associated VMM
guest mode
host mode
User
Kernel
Microhypervisor
VM
VMM Device Driver
x86
Msg Hypercall
Virtualization Interface: Lessons Learned
Udo Steinberg NOVA 12
• One simple communication mechanism• Fast synchronous IPC with hand-off scheduling• Selective transfer of execution state • HV need not care about x86 virtualization details
• One synchronization mechanism• Counting semaphores• Also used for interrupt delivery
• Unified abstractions• Protection Domain = Virtual machine or User Task• Execution Context = Virtual CPU or Thread
Virtualization Overhead
Udo Steinberg NOVA 13
0.55%
1.91%
2.82% 2.76%
4.26% Kernel-Compile Benchmark:CPU: Intel Core i7 2.67 GHz
VM Configuration:Single virtual CPU, virtual disk512 MB Guest Memory, EPT+VPID
Direct Assignment:0.55% performance overhead caused by nested paging
NOVA:Additional 0.3% overhead~3900 cycles/exit
0.83%
tvirtual / tnative - 100%
I/O Virtualization Overhead (AHCI controller)
Udo Steinberg NOVA 14
1
2
4
8
16
32
64
CPU
Util
izat
ion
(%)
[log
]
Block Size (Bytes) [log]
NativeDirectVirtual
Stream of sequential disk reads with increasing block sizes
I/O Virtualization Overhead (e1000 NIC)
Udo Steinberg NOVA 15
1
2
4
8
16
32
64
1 2 4 8 16 31 62 124 251 513 952
CPU
Util
izat
ion
(%)
[log
]
Bandwidth (Mbit/s) [log]
DirectNative
Receive UDP packet stream with increasing bandwidth
Current Status
Udo Steinberg NOVA 16
• Hypervisor• Runs on Intel VT-x and AMD-V• Supports SMP, Nested Paging, VT-d IOMMU
• User-Level Virtual-Machine Monitor• Implements virtual PCI, SATA, NIC, BIOS, ...• Supports PCI Pass-Through (direct assignment)
• Ongoing work• Windows as Guest OS• SR-IOV Devices
Conclusion
Udo Steinberg NOVA 17
• Decomposed virtualization layer provides additional isolation boundaries at the cost of more context switches
• Lower context-switch overhead resulting from simple code paths and selective state transfer
NOVA achievements:• TCB reduction by an order of magnitude• Performance improvement over monolithic hypervisors
Code available under GPLv2: http://www.hypervisor.org