SecPod: A Framework for Virtualization-based Security Systems

SecPod: A Framework for Virtualization-based

Security Systems

Xiaoguang Wang:

6, Yue Chen:, Zhi Wang:, Yong Qi6, Yajin Zhou;

Florida State University: Xi’an Jiaotong University6 Qihoo 360;

SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 1/22

Outline

1. Motivation

2. SecPod Design

3. Implementation

4. Evaluation

5. Related Work


Motivation

Page Table Integrity

Kernel protection requires page table integrity

§ Page tables decide address translation (from VA to PA)

§ Page tables control memory protection

§ e.g. Data Execution Prevention (Write ‘ eXecute)

However, page tables are always writable in the kernel

§ Kernel needs to frequently change memory mapping

§ Kernel protection can be subverted by manipulating page tables


Motivation










Motivation










Motivation










Motivation

Virtualization-based Kernel Protection

§ Security tools are isolated “out-of-the-box”, but need tointercept key guest eventsŻ e.g., guest page table updates, control-register updates

§ Shadow paging enables reliable kernel memory protectionŻ Hypervisor uses shadow paging to virtualize memoryŻ SPTs are synchronized with GPTs by the hypervisor

Ñsecurity tools can intercept guest page table updatesŻ SPTs supersede GPTs for address translation

Shadow Page Table

Guest VirtualAddress

PhysicalAddress

Hypervisor

Guest


Motivation



§ Shadow paging enables reliable kernel memory protectionŻ Hypervisor uses shadow paging to virtualize memory

Ż SPTs are synchronized with GPTs by the hypervisorÑsecurity tools can intercept guest page table updates

Ż SPTs supersede GPTs for address translation

Shadow Page Table


PhysicalAddress

Hypervisor

Guest


Motivation




Ñsecurity tools can intercept guest page table updates

Ż SPTs supersede GPTs for address translation

Shadow Page Table


PhysicalAddress

Hypervisor

Guest


Motivation




Ñsecurity tools can intercept guest page table updatesŻ SPTs supersede GPTs for address translation

Shadow Page Table


PhysicalAddress

Hypervisor

Guest


Motivation

Virtualization Hardware Obsoletes Shadow Paging

§ Nested paging introduces two-level address translation for VMsŻ Both GPT and NPT are used by CPU for address translation

§ Nested paging has big performance advantage over SPTŻ An acceleration of up to 48% for MMU-intensive tasks 1

§ Security tools cannot intercept guest memory updates with NPTŻ Guest is free to change its GPTs, without notifying hypervisor

Shadow Page Table


PhysicalAddress

Hypervisor

Guest

Guest PhysicalAddress

GuestPage Table


PhysicalAddress

Nested Page Table

Hypervisor

Guest

1VMware: performance evaluation of Intel EPT hardware assist.SecPod: A Framework for Virtualization-based Security Systems 2015 USENIX ATC July 8-10 2015 Santa Clara, CA 5/22

Motivation





Shadow Page Table


PhysicalAddress

Hypervisor

Guest


GuestPage Table


PhysicalAddress

Nested Page Table

Hypervisor

Guest


Motivation





Shadow Page Table


PhysicalAddress

Hypervisor

Guest


GuestPage Table


PhysicalAddress

Nested Page Table

Hypervisor

Guest


Motivation

Why SecPod

Our Goal:

A framework for virtualization-based security tools on the modernvirtualization hardware with nested paging

Our Solution:

SecPod: A Framework for Virtualization-based Security Systems


Motivation

Why SecPod

Our Goal:

A framework for virtualization-based security tools on the modernvirtualization hardware with nested paging

Our Solution:

SecPod: A Framework for Virtualization-based Security Systems


Motivation

Threat Model and Assumption

§ Trustworthy hardware and trusted bootingŻ Load-time integrity is protected by trusted bootingŻ IOMMU is properly configured to prevent DMA attacks

§ Hypervisor is trustedŻ Formal verification [seL4, SOSP’09], integrity protection andmonitoring [HyperSafe, S&P’10]

§ Kernel is benign but contains vulnerabilitiesŻ Powerful attackers can change arbitrary memory of the kernel


Motivation






Motivation






SecPod Design

SecPod Architecture

SecPod & Security Tool Code/Data

SPT Pool

Entry Gate

pv_mmu_ops.alloc_pudpv_mmu_ops.set_pudpv_mmu_ops.write_cr3...

Normal Space Secure Space

Hypervisor

TrustedBoot

DMA Protection

Guest GPT

Exit Gate

User Mode

Kernel Mode

Key Technique I: Paging Delegation

VMExit Handler

Sensitive Instructions

Key Technique II: Execution Trapping

Up Call


SecPod Design


§ SecPod creates an isolated address space from the kernel

§ Secure space maintains SPTs for the guestŻ SPTs are the only effective page tables for the guestŻ SPTs mirror GPTs (if no memory protection violation)

§ SecPod forwards guest page table updates to secure space

GPT

SPT

Norm

al Space

GPT SPT

Secure space

Traditional Shadow Paging Shadow Paging in SecPod

NPT

Guest

HypervisorHypervisor

Guest


SecPod Design





GPT

SPT

Norm

al Space

GPT SPT

Secure space


NPT

Guest


Guest


SecPod Design





GPT

SPT

Norm

al Space

GPT SPT

Secure space


NPT

Guest


Guest


SecPod Design

SecPod Address Space Layout

§ Normal/secure spaces use page-table based isolationŻ Entry/exit gates are the only passage

§ Guest kernel is mapped in secure spaceŻ Security tools can access guest memory, but not execute it

Normal Space Secure SpaceK

ernel

User P

rocess

Kernel Data

RW

-

Kernel RO Data

R--

Kernel Code

R-X

Kernel Data

RW

-

Kernel RO Data

R--

Kernel Code

R--

SecPod Data

RW

-

SecPod Code

R-X

Security Tool Data

RW

-

Security Tool Code

R-X

Gate Data

RW

-Entry/Exit Gates

R-X

User Data

RW

-

User Code

R-X


SecPod Design

SecPod Address Space Layout

§ Normal/secure spaces use page-table based isolationŻ Entry/exit gates are the only passage

§ Guest kernel is mapped in secure spaceŻ Security tools can access guest memory, but not execute it

Normal Space Secure SpaceK

ernel

User P

rocess

Kernel Data

RW

-

Kernel RO Data

R--

Kernel Code

R-X

Kernel Data

RW

-

Kernel RO Data

R--

Kernel Code

R--

SecPod Data

RW

-

SecPod Code

R-X

Security Tool Data

RW

-

Security Tool Code

R-X

Gate Data

RW

-Entry/Exit Gates

R-X

User Data

RW

-

User Code

R-X


SecPod Design

Protecting Secure Space

Attacker might try to:

§ Enter secure space without security checks

§ Request malicious page table updatesŻ e.g., to map secure memory in guest

§ Misuse privileged instructionsŻ e.g., to load a malicious page table, to disable paging...

Our countermeasures:§ Secure and efficient context switch

§ Page table update validation

§ Execution trapping of privileged instructions


SecPod Design

Protecting Secure Space

Attacker might try to:

§ Enter secure space without security checks

§ Request malicious page table updatesŻ e.g., to map secure memory in guest

§ Misuse privileged instructionsŻ e.g., to load a malicious page table, to disable paging...

Our countermeasures:§ Secure and efficient context switch

§ Page table update validation

§ Execution trapping of privileged instructions


SecPod Design

Secure and Efficient Context Switch

§ Entry/exit gates are only passage between secure/normal spacesŻ Each gate switches the page table, the stack...Ż Entry gate runs atomically by disabling interrupts (SIM [CCS ’09])

§ Loading CR3 is a privileged instruction trapped by SecPodŻ Performance overhead is high if each context switch is trapped

§ Intel CR3 target list to the rescue:Ż Four page tables can be loaded without being trapped by CPUŻ There are many SPTs for the guest

Ñ use a fixed top-Level page table for all SPTs


SecPod Design







SecPod Design







SecPod Design

Page Table Update Validation

§ SecPod enforces basic kernel memory integrity for guestŻ No mapping is allowed to the secure space code/dataŻ Enforce kernel W‘X

Guest Page Table Shadow Page Table

SPT UpdateVerification

①

③

④②

Fast IndexTables

PT

PD SPD

SPT

Norm

al Space

Secure S

pace


SecPod Design

Key Technique II: Execute Trapping

§ SecPod traps malicious privileged instructions executed by guestŻ It can trap intended and unintended2 privileged instructions

§ Hypervisor notifies secure space trapped instructions via upcallsŻ Similar to signal delivery in the traditional OS

2X86 has variable-length instructions, unintended instructions can be “created” by jumping to the middle of an instruction.


SecPod Design

Trapped Sensitive Instructions

Instruction SemanticsLGDT Load global descriptor tableLLDT load local descriptor tableLIDT load interrupt descriptor tableLMSW load machine status wordMOV to CR0 write to CR0

MOV to CR4 write to CR4

MOV to CR8 write to CR8

MOV to CR3 load a new page tableWRMSR write machine-specific registers


Implementation

Implementation

§ Paging delegationŻ Leverage Linux paravirtualization interface: pv mmu ops

§ Execution trapping implemented in the Hypervisor (KVM)

§ Security tools:Ż Compiled as ELF libraries and loaded into secure spaceŻ Implemented an example tool to prevent unauthorized kernelcode from execution (Patagonix [USENIX Sec ’08], NICKLE [RAID ’08])


Implementation

Implementation

§ Paging delegationŻ Leverage Linux paravirtualization interface: pv mmu ops

§ Execution trapping implemented in the Hypervisor (KVM)

§ Security tools:Ż Compiled as ELF libraries and loaded into secure spaceŻ Implemented an example tool to prevent unauthorized kernelcode from execution (Patagonix [USENIX Sec ’08], NICKLE [RAID ’08])


Evaluation

Security Analysis

§ Maliciously modify secure space memoryŻ Secure space memory is not mapped in the normal space

Ñ try to map the secure space memory in the guest

Ż Directly change the page mapping

Ð SPT is isolated

Ż Ask SecPod to map secure memory

Ð SPT update validation

§ Misuse privileged instructionsŻ Privileged instructions by guest are trapped and verified


Evaluation

Security Analysis


Ñ try to map the secure space memory in the guestŻ Directly change the page mapping

Ð SPT is isolated

Ż Ask SecPod to map secure memory

Ð SPT update validation



Evaluation

Security Analysis


Ñ try to map the secure space memory in the guestŻ Directly change the page mapping Ð SPT is isolatedŻ Ask SecPod to map secure memory Ð SPT update validation



Evaluation

Security Analysis


Ñ try to map the secure space memory in the guestŻ Directly change the page mapping Ð SPT is isolatedŻ Ask SecPod to map secure memory Ð SPT update validation



Evaluation

Performance Evaluation: LMBench

0%

20%

40%

60%

80%

100%

nullopen/close

forksignal_install

mm

ap

TCP_bandw

idth

file(create)

select(250fd)

statctxsw

(4p/16k)

Bcopy(libc)

main_m

em

Per

form

ance

Ov

erh

ead


Evaluation

Performance Evaluation: SysBench OLTP

0

100

200

300

400

500

600

700

2 4 8 16 32 64 128

Thro

ughput

(tra

ns/

sec)

Number of Threads

Linux

SecPod


Related Work

Related Work

§ Virtualization-based securityŻ Malware analysis: Ether[CCS’08]

Ż Rootkit detection and prevention: PoKeR[EuroSys’09]

Ż Virtual machine introspection: Virtuoso[S&P’11], SIM[CCS’09]

§ Kernel/user application securityŻ Exploit mitigation techniques: ASLR, DEP, CFI[CCS’07]

Ż Kernel/hypervisor memory integrity: TZ-RKP[CCS’14],

HyperSafe[S&P’10], Nested Kernel[ASPLOS’15]


Summary

Summary

SecPod & Security Tool Code/Data

SPT Pool

Entry Gate

pv_mmu_ops.alloc_pudpv_mmu_ops.set_pudpv_mmu_ops.write_cr3...

Normal Space Secure Space

Hypervisor

TrustedBoot

DMA Protection

Guest GPT

Exit Gate

User Mode

Kernel Mode


VMExit Handler

Sensitive Instructions

Key Technique II: Execution Trapping

Up Call

§ SecPod: A Framework for Virtualization-based Security Systems


Summary

Thank you & Questions?


Science

SecPod: A Framework for Virtualization-based Security Systems