Hardening hypervisors against vulnerabilities in instruction emulators

Kenta Ishiguro, Kenji Kono

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

1 Citation (Scopus)

Abstract

Vulnerabilities in hypervisors are critical in multi-tenant clouds and attractive to attackers, because a single vulnerability in the hypervisor can undermine the security of every virtual machine (VM) it hosts. This paper focuses on vulnerabilities in the instruction emulators inside hypervisors. Such vulnerabilities are not rare: CVE-2017-2583, CVE-2016-9756, CVE-2015-0239 and CVE-2014-3647, to name a few. For backward compatibility with legacy x86 CPUs, conventional hypervisors emulate arbitrary instructions at any time when requested. This design leads to a large attack surface, making it hard to get rid of vulnerabilities in the emulator. This paper proposes FWinst, which narrows the attack surface exposed by vulnerabilities in the emulator. The key insight behind FWinst is that the emulator should emulate only a small subset of instructions, depending on the underlying CPU micro-architecture and the hypervisor configuration. FWinst recognizes the emulation context in which the instruction emulator is invoked and identifies the legitimate subset of instructions that are allowed to be emulated in that context. By filtering out illegitimate instructions, FWinst narrows the attack surface. FWinst is particularly effective on recent x86 micro-architectures, because the legitimate subset becomes very small. Our experimental results demonstrate that FWinst prevents existing vulnerabilities in the emulator from being exploited on the Westmere micro-architecture, and that the runtime overhead is negligible.
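As an added illustration of the filtering idea the abstract describes (not the paper's code, nor any real hypervisor's): a context-keyed allow-list decides whether an instruction may reach the emulator at all, failing closed on anything unexpected. The contexts `CTX_*`, the instruction classes `INSN_*`, the per-context sets and the `unrestricted_guest` configuration flag (standing in for the micro-architecture dependence) are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed emulation contexts, modelled on the VM-exit reasons that typically
 * hand an instruction to a hypervisor's emulator. Illustrative only. */
enum emu_ctx { CTX_MMIO, CTX_PIO, CTX_REALMODE, CTX_COUNT };

/* Assumed coarse instruction classes; a real filter would key on decoded opcodes. */
enum insn_class {
    INSN_MOV_MEM = 1u << 0,  /* mov with a memory operand */
    INSN_STRING  = 1u << 1,  /* movs/stos/ins/outs        */
    INSN_IO      = 1u << 2,  /* in/out                    */
    INSN_ARITH   = 1u << 3,  /* add/sub/and/...           */
    INSN_CONTROL = 1u << 4,  /* jmp/call/ret/int          */
    INSN_SYSTEM  = 1u << 5   /* mov cr/dr, lgdt, ...      */
};

struct hv_config { bool unrestricted_guest; /* CPU runs real mode natively, no real-mode emulation needed */ };

/* The legitimate subset for a context. It depends on the hypervisor configuration:
 * with unrestricted guest support the real-mode context needs no emulation at all. */
static uint32_t legit_set(enum emu_ctx ctx, const struct hv_config *cfg)
{
    switch (ctx) {
    case CTX_MMIO:     return INSN_MOV_MEM | INSN_STRING;
    case CTX_PIO:      return INSN_IO | INSN_STRING;
    case CTX_REALMODE: return cfg->unrestricted_guest ? 0u
                           : (INSN_MOV_MEM | INSN_STRING | INSN_ARITH | INSN_CONTROL | INSN_SYSTEM);
    default:           return 0u;
    }
}
/* Filter applied before the emulator runs: true = emulate, false = refuse
 * (a hypervisor would then, e.g., inject #UD into the guest instead of emulating). */
bool fwinst_allowed(enum emu_ctx ctx, uint32_t cls, const struct hv_config *cfg)
{
    if ((unsigned)ctx >= CTX_COUNT || cls == 0 || (cls & (cls - 1)) != 0)
        return false;  /* unknown context, or not exactly one class bit: fail closed */
    return (legit_set(ctx, cfg) & cls) != 0;
}

int main(void)
{
    const struct hv_config legacy = { .unrestricted_guest = false };
    const struct hv_config modern = { .unrestricted_guest = true };
    printf("MMIO/system insn: %d\n", fwinst_allowed(CTX_MMIO, INSN_SYSTEM, &modern));
    printf("real mode/control, legacy vs modern: %d %d\n",
           fwinst_allowed(CTX_REALMODE, INSN_CONTROL, &legacy),
           fwinst_allowed(CTX_REALMODE, INSN_CONTROL, &modern));
    return 0;
}
```

On the "modern" configuration the real-mode set is empty, which is the abstract's point that the legitimate subset shrinks with newer micro-architectures.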

Original language: English
Title of host publication: Proceedings of the 11th European Workshop on Systems Security, EuroSec 2018
Publisher: Association for Computing Machinery, Inc
ISBN (Electronic): 9781450356527
DOIs: https://doi.org/10.1145/3193111.3193118
Publication status: Published - 2018 Apr 23
Event: 11th European Workshop on Systems Security, EuroSec 2018 - Porto, Portugal
Duration: 2018 Apr 23 → …

Other

Other: 11th European Workshop on Systems Security, EuroSec 2018
Country: Portugal
City: Porto
Period: 18/4/23 → …

Fingerprint

Hardening
Program processors
Virtual machine

Keywords

  • Hypervisor
  • Instruction emulator
  • Security
  • Virtualization

ASJC Scopus subject areas

  • Hardware and Architecture
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Cite this

Ishiguro, K., & Kono, K. (2018). Hardening hypervisors against vulnerabilities in instruction emulators. In Proceedings of the 11th European Workshop on Systems Security, EuroSec 2018 [3193118]. Association for Computing Machinery, Inc. https://doi.org/10.1145/3193111.3193118

@inproceedings{90516b6c9a2a422284377194d4a8f4a4,
title = "Hardening hypervisors against vulnerabilities in instruction emulators",
abstract = "Vulnerabilities in hypervisors are crucial in multi-tenant clouds and attractive for attackers because a vulnerability in the hypervisor can undermine all the virtual machine (VM) security. This paper focuses on vulnerabilities in instruction emulators inside hypervisors. Vulnerabilities in instruction emulators are not rare; CVE-2017-2583, CVE-2016-9756, CVE-2015-0239, CVE-2014-3647, to name a few. For backward compatibility with legacy x86 CPUs, conventional hypervisors emulate arbitrary instructions at any time if requested. This design leads to a large attack surface, making it hard to get rid of vulnerabilities in the emulator. This paper proposes FWinst that narrows the attack surface against vulnerabilities in the emulator. The key insight behind FWinst is that the emulator should emulate only a small subset of instructions, depending on the underlying CPU micro-architecture and the hypervisor configuration. FWinst recognizes emulation contexts in which the instruction emulator is invoked, and identifies a legitimate subset of instructions that are allowed to be emulated in the current context. By filtering out illegitimate instructions, FWinst narrows the attack surface. In particular, FWinst is effective on recent x86 micro-architectures because the legitimate subset becomes very small. Our experimental results demonstrate FWinst prevents existing vulnerabilities in the emulator from being exploited on Westmere micro-architecture, and the runtime overhead is negligible.",
keywords = "Hypervisor, Instruction emulator, Security, Virtualization",
author = "Kenta Ishiguro and Kenji Kono",
year = "2018",
month = "4",
day = "23",
doi = "10.1145/3193111.3193118",
language = "English",
booktitle = "Proceedings of the 11th European Workshop on Systems Security, EuroSec 2018",
publisher = "Association for Computing Machinery, Inc",
}
