Secure In-VM Monitoring Using Hardware Virtualization


Transcript of Secure In-VM Monitoring Using Hardware Virtualization

Page 1: Secure In-VM Monitoring Using Hardware Virtualization

Author: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi

Reporter: Chun-Chih Wu

Advisor: Hsing-Kuo Pao

Selected from: CCS '09

Page 2: Secure In-VM Monitoring Using Hardware Virtualization

Outline

- Introduction
- Secure In-VM Monitoring
- Implementation
- Experimental Evaluation
- Conclusion

Page 3: Secure In-VM Monitoring Using Hardware Virtualization

Introduction

Malicious programs can compromise the kernel of an operating system, so a monitor that lives inside the kernel can itself be tampered with.

Many security approaches require the ability to monitor frequently executing events (system calls, process creation), so the monitor must be invoked cheaply.

Secure In-VM Monitoring (SIM) is a general-purpose framework, based on hardware virtualization features, that keeps the monitor inside the guest VM while isolating it from the untrusted kernel.

Page 4: Secure In-VM Monitoring Using Hardware Virtualization

Contributions:

1. A general-purpose Secure In-VM Monitoring (SIM) framework built on hardware virtualization and memory protection features.

2. A prototype of the SIM framework based on KVM with a Windows guest OS.

3. A systematic security analysis of SIM against a number of possible threats, showing that SIM provides no less security guarantees than what can be achieved by out-of-VM monitors.

Page 5: Secure In-VM Monitoring Using Hardware Virtualization

In-VM monitoring (figure): the monitor's code and data (CM, DM) reside in the same guest address space as the adversary program A, so A can read or modify them directly.

Figure legend: H = Handler, CM = Monitor code, DM = Monitor data, R = Response, A = Adversary program, DP = Program data, CP = Program code, K = Hook, DK = Hook data

Page 6: Secure In-VM Monitoring Using Hardware Virtualization

Out-of-VM monitoring (figure): the monitor (CM, DM) runs outside the guest VM, so it is isolated from A, but every hook K must trap to the hypervisor to reach its handler H.

Figure legend: H = Handler, CM = Monitor code, DM = Monitor data, R = Response, A = Adversary program, DP = Program data, CP = Program code, K = Hook, DK = Hook data

Page 7: Secure In-VM Monitoring Using Hardware Virtualization

Performance requirements:

(P1) Fast invocation:
○ switching to the monitor does not involve any privilege level changes.

(P2) Data read/write at native speed:
○ the monitor accesses guest memory without any hypervisor intervention.

Page 8: Secure In-VM Monitoring Using Hardware Virtualization

Security requirements:

(S1) Isolation of the monitor's code (CM) and data (DM)

(S2) Designated point for switching into CM

(S3) A handler (hi) is called if and only if the corresponding hook (ki) executes

(S4) The behavior of the monitor is not maliciously alterable

Page 9: Secure In-VM Monitoring Using Hardware Virtualization

Secure In-VM Monitoring

Page 10: Secure In-VM Monitoring Using Hardware Virtualization

The SIM address space

Region               Contents                                   Visibility / protection
SIM data/code        The monitor itself                         Visible only within the SIM address space
Invocation checker   Verifies that the call chain is legitimate Visible only in the SIM address space
Entry/exit gates     Tiny, carefully crafted switching code     Visible in both address spaces; writable only in the SIM address space
Kernel code/data     The guest kernel                           Not executable in the SIM address space (the monitor cannot accidentally run insecure code)

Page 11: Secure In-VM Monitoring Using Hardware Virtualization

Entry/exit gates

Entry gate:
1. Disable interrupts (untrusted side)
2. Save CPU state to the stack
3. Switch address space (to the SIM address space)
4. Re-disable interrupts (SIM side), since an attacker could jump into the gate past the first disable
5. Switch the stack to a SIM-restricted one
6. Run the invocation checker

Exit gate:
1. Restore the stack, page table and CPU state
2. Re-enable interrupts
3. Jump to the return point

Page 12: Secure In-VM Monitoring Using Hardware Virtualization

How the design meets the security requirements

1. Isolation of the monitor's code and data (S1): the hypervisor does not allow the monitor code and data to be mapped into any untrusted address space in the guest VM.

2. Designated point for switching into CM (S2): the only way to enter the trusted (SIM) address space from the untrusted one is via the entry gates.

3. A handler is called if and only if the corresponding hook executes (S3): each hook invokes a corresponding entry gate, which eventually calls the corresponding handler, and each invoker of an entry gate is checked by the invocation checking routine.

4. The behavior of the monitor is not maliciously alterable (S4): no code from the untrusted domain is executable in the trusted address space, and the monitor is not allowed to call into the untrusted kernel.
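The following is an added example, not code from the paper or from the SIM prototype: a user-space C model of the mapping rules behind S1, S2 and S4 and of the entry/exit gate sequence with its invocation check (S3). The page numbers, hook sites, CR3 values and all function and type names (page_t, sim_policy_violation, invocation_check, gate_enter, invoke_hook) are constructed for illustration; the real framework enforces the same rules with hardware page tables and a CR3 switch that needs no VM exit.

```c
/* Added example (hypothetical names, constructed layout): models the SIM
 * address-space policy and the entry-gate invocation check in user space. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum { KIND_KERNEL, KIND_MONITOR, KIND_CHECKER, KIND_GATE };

/* One page as seen from both address spaces; perm 0 means "not mapped". */
typedef struct { uint32_t vpn; int kind; int untrusted_perm; int sim_perm; } page_t;

/* Returns -1 when every page satisfies the SIM mapping rules, otherwise the
 * index of the first offending page. */
static int sim_policy_violation(const page_t *pt, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const page_t *p = &pt[i];
        switch (p->kind) {
        case KIND_MONITOR:
        case KIND_CHECKER:
            /* S1: monitor code/data and the checker are never mapped in the
             * untrusted address space. */
            if (p->untrusted_perm != 0) return (int)i;
            break;
        case KIND_GATE:
            /* S2: gates are executable in both spaces (the designated switch
             * point) but the untrusted side must not be able to rewrite them. */
            if (p->untrusted_perm & PERM_W) return (int)i;
            if (!(p->untrusted_perm & PERM_X) || !(p->sim_perm & PERM_X)) return (int)i;
            break;
        case KIND_KERNEL:
            /* S4: untrusted kernel code is never executable in SIM space, so
             * the monitor cannot be tricked into running it. */
            if (p->sim_perm & PERM_X) return (int)i;
            break;
        }
    }
    return -1;
}

/* Constructed layout mirroring the slide's address-space table. */
static const page_t good_layout[] = {
    { 0x100, KIND_KERNEL,  PERM_R | PERM_W | PERM_X, PERM_R | PERM_W          },
    { 0x200, KIND_MONITOR, 0,                        PERM_R | PERM_W | PERM_X },
    { 0x201, KIND_CHECKER, 0,                        PERM_R | PERM_X          },
    { 0x300, KIND_GATE,    PERM_R | PERM_X,          PERM_R | PERM_W | PERM_X },
};
#define GOOD_LAYOUT_LEN (sizeof good_layout / sizeof good_layout[0])

/* OR one extra permission into one page of the good layout and re-check:
 * shows which single mapping change would break each requirement. */
static int violation_if(size_t idx, bool sim_side, int extra_perm) {
    page_t copy[GOOD_LAYOUT_LEN];
    memcpy(copy, good_layout, sizeof copy);
    if (sim_side) copy[idx].sim_perm |= extra_perm; else copy[idx].untrusted_perm |= extra_perm;
    return sim_policy_violation(copy, GOOD_LAYOUT_LEN);
}

/* Registered hooks: a handler may only be reached from its hook site. */
typedef struct { uintptr_t hook_site; int handler_id; } hook_t;
static const hook_t hooks[] = { { 0x1000, 1 }, { 0x2000, 2 } };  /* constructed sites */
#define HOOKS_LEN (sizeof hooks / sizeof hooks[0])

/* Invocation checker (S3): the return address pushed by the hook's call into
 * the entry gate must be a registered hook site; anything else is untrusted
 * code trying to enter SIM space on its own. Returns handler id or 0. */
static int invocation_check(uintptr_t return_addr) {
    for (size_t i = 0; i < HOOKS_LEN; i++)
        if (hooks[i].hook_site == return_addr) return hooks[i].handler_id;
    return 0;
}

typedef struct { int irq_enabled; uintptr_t cr3; uintptr_t sp; } cpu_t;
#define UNTRUSTED_CR3 0xA000u
#define SIM_CR3       0xB000u
#define SIM_STACK     0xC000u

/* Entry gate, handler, exit gate. Returns the handler id that ran, or 0 when
 * the invocation checker rejected the caller. Steps follow the slide. */
static int gate_enter(cpu_t *cpu, uintptr_t return_addr, int *handler_runs) {
    cpu_t saved;
    cpu->irq_enabled = 0;            /* disable interrupts on the untrusted side */
    saved = *cpu;                    /* save CPU state (to the stack in real SIM) */
    cpu->cr3 = SIM_CR3;              /* switch to the SIM address space */
    cpu->irq_enabled = 0;            /* re-disable: caller may have skipped the first cli */
    cpu->sp = SIM_STACK;             /* SIM-restricted stack, never the untrusted one */
    int id = invocation_check(return_addr);
    if (id != 0) handler_runs[id]++; /* handler body runs only for a legitimate hook */
    *cpu = saved;                    /* exit gate: restore stack, page table, CPU state */
    cpu->irq_enabled = 1;            /* re-enable interrupts, then return to the hook */
    return id;
}

/* Drive one invocation from a fresh untrusted CPU state and report whether
 * the exit gate restored that state. */
static int invoke_hook(uintptr_t return_addr, bool *state_restored) {
    cpu_t cpu = { 1, UNTRUSTED_CR3, 0xD000u };
    int runs[3] = { 0, 0, 0 };
    int id = gate_enter(&cpu, return_addr, runs);
    *state_restored = cpu.cr3 == UNTRUSTED_CR3 && cpu.sp == 0xD000u && cpu.irq_enabled == 1;
    return id;
}

int main(void) {
    bool ok;
    printf("layout violation index: %d\n", sim_policy_violation(good_layout, GOOD_LAYOUT_LEN));
    printf("kernel exec in SIM -> violation at page %d\n", violation_if(0, true, PERM_X));
    printf("hook 0x1000 -> handler %d\n", invoke_hook(0x1000, &ok));
    printf("forged caller 0x1234 -> handler %d\n", invoke_hook(0x1234, &ok));
    return 0;
}
```

The policy check is what a hypervisor-side audit of the two page tables would assert after SIM initialisation; the gate model shows why the invocation checker, not the gate itself, decides whether a handler runs.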

Page 13: Secure In-VM Monitoring Using Hardware Virtualization

Implementation

Host: a Linux distribution with KVM; guest OS: Windows XP SP2

Initialization:

1. Reserve virtual address ranges in the system address space for use in entry and exit gate creation.

2. Creation of the SIM virtual address space by the hypervisor component.

3. Loading of a security monitor application into the SIM address space.

4. Installation of the relevant routines to perform switching into the SIM address space.

Page 14: Secure In-VM Monitoring Using Hardware Virtualization

Experimental Evaluation

Monitor invocation overhead comparison

Monitor type          Avg. time (μs)   Std. dev. (μs)
SIM approach          0.469            0.051
Out-of-VM approach    5.055            0.132

Process creation monitor performance results

Monitor type          Average time (μs)   Relative overhead (%)
Traditional           3.487               (baseline)
Out-of-VM approach    28.039              690.50%
SIM approach          3.967               13.70%

Page 15: Secure In-VM Monitoring Using Hardware Virtualization

System call tracing macrobenchmarks

Benchmark         Bare            Out-of-VM overhead   SIM overhead
Memory Latency    10.42 MAcc/s    84.58%               7.97%
HTML Render       1.12 pg/s       52.42%               5.83%
File Compress     3.4 MB/s        3.97%                0.59%
File Encrypt      20.56 MB/s      7.85%                0.89%
File Decrypt      78.21 MB/s      2.53%                0.45%
HDD               15.29 MB/s      41.68%               3.74%
Text Edit         82.73 pg/s      128.84%              9.64%
Average           -               46.10%               4.15%

Page 16: Secure In-VM Monitoring Using Hardware Virtualization

Conclusion

A general-purpose SIM framework provides the same security guarantees as out-of-VM monitoring with the low performance overhead of in-VM monitoring.

The SIM framework reduces monitoring overhead by about 11 times if only monitor invocation time is considered (0.469 μs versus 5.055 μs).

For the process creation monitor, SIM introduces an overhead of 13.7%, compared with 690.5% for the out-of-VM approach.

For system call tracing, SIM's overall overhead stays below 10% (4.15% on average, 9.64% at worst), while the out-of-VM approach reaches 128.84%.
