Nioh: Hardening the hypervisor by filtering illegal I/O requests to virtual devices

Junya Ogasawara, Kenji Kono

研究成果: Conference contribution

4 被引用数 (Scopus)

抄録

Vulnerabilities in hypervisors are crucial in multi-Tenant clouds since they can undermine the security of all virtual machines (VMs) consolidated on a vulnerable hypervisor. Unfortunately, 107 vulnerabilities in KVM+QEMUand 38 vulnerabilities in Xen have been reported in 2016. The device-emulation layer in hypervisors is a hotbed of vulnerabilities because the code for virtualizing devices is complicated and requires knowledge on the device internals.We propose a "device request filter", called Nioh, that raises the bar for attackers to exploit the vulnerabilities in hypervisors. The key insight behind Nioh is that malicious I/O requests attempt to exploit vulnerabilities and violate device specifications in many cases. Nioh inspects I/O requests from VMs and rejects those that do not conform to a device specification.Adevice specification is modeled as a device automaton in Nioh, an extended automaton to facilitate the description of device specifications. The software framework is also provided to encapsulate the interactions between the device request filter and the underlying hypervisors. The results of our attack evaluation suggests that Nioh can defend against attacks that exploit vulnerabilities in device emulation, i.e., CVE-2015-5158, CVE-2016-1568, CVE-2016-4439, and CVE-2016-7909. This paper shows that the notorious VENOM attack can be detected and rejected by using Nioh.

本文言語English
ホスト出版物のタイトルProceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017
出版社Association for Computing Machinery
ページ542-552
ページ数11
ISBN(電子版)9781450353458
DOI
出版ステータスPublished - 2017 12 4
イベント33rd Annual Computer Security Applications Conference, ACSAC 2017 - Orlando, United States
継続期間: 2017 12 42017 12 8

出版物シリーズ

名前ACM International Conference Proceeding Series
Part F132521

Other

Other33rd Annual Computer Security Applications Conference, ACSAC 2017
CountryUnited States
CityOrlando
Period17/12/417/12/8

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

フィンガープリント 「Nioh: Hardening the hypervisor by filtering illegal I/O requests to virtual devices」の研究トピックを掘り下げます。これらがまとまってユニークなフィンガープリントを構成します。

引用スタイル