TY - GEN
T1 - Hardening hypervisors against vulnerabilities in instruction emulators
AU - Ishiguro, Kenta
AU - Kono, Kenji
N1 - Publisher Copyright:
© 2018 Copyright held by the owner/author(s).
PY - 2018/4/23
Y1 - 2018/4/23
N2 - Vulnerabilities in hypervisors are crucial in multi-tenant clouds and attractive for attackers because a vulnerability in the hypervisor can undermine all the virtual machine (VM) security. This paper focuses on vulnerabilities in instruction emulators inside hypervisors. Vulnerabilities in instruction emulators are not rare; CVE-2017-2583, CVE-2016-9756, CVE-2015-0239, CVE-2014-3647, to name a few. For backward compatibility with legacy x86 CPUs, conventional hypervisors emulate arbitrary instructions at any time if requested. This design leads to a large attack surface, making it hard to get rid of vulnerabilities in the emulator. This paper proposes FWinst that narrows the attack surface against vulnerabilities in the emulator. The key insight behind FWinst is that the emulator should emulate only a small subset of instructions, depending on the underlying CPU micro-architecture and the hypervisor configuration. FWinst recognizes emulation contexts in which the instruction emulator is invoked, and identifies a legitimate subset of instructions that are allowed to be emulated in the current context. By filtering out illegitimate instructions, FWinst narrows the attack surface. In particular, FWinst is effective on recent x86 micro-architectures because the legitimate subset becomes very small. Our experimental results demonstrate FWinst prevents existing vulnerabilities in the emulator from being exploited on Westmere micro-architecture, and the runtime overhead is negligible.
AB - Vulnerabilities in hypervisors are crucial in multi-tenant clouds and attractive for attackers because a vulnerability in the hypervisor can undermine all the virtual machine (VM) security. This paper focuses on vulnerabilities in instruction emulators inside hypervisors. Vulnerabilities in instruction emulators are not rare; CVE-2017-2583, CVE-2016-9756, CVE-2015-0239, CVE-2014-3647, to name a few. For backward compatibility with legacy x86 CPUs, conventional hypervisors emulate arbitrary instructions at any time if requested. This design leads to a large attack surface, making it hard to get rid of vulnerabilities in the emulator. This paper proposes FWinst that narrows the attack surface against vulnerabilities in the emulator. The key insight behind FWinst is that the emulator should emulate only a small subset of instructions, depending on the underlying CPU micro-architecture and the hypervisor configuration. FWinst recognizes emulation contexts in which the instruction emulator is invoked, and identifies a legitimate subset of instructions that are allowed to be emulated in the current context. By filtering out illegitimate instructions, FWinst narrows the attack surface. In particular, FWinst is effective on recent x86 micro-architectures because the legitimate subset becomes very small. Our experimental results demonstrate FWinst prevents existing vulnerabilities in the emulator from being exploited on Westmere micro-architecture, and the runtime overhead is negligible.
KW - Hypervisor
KW - Instruction emulator
KW - Security
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=85049388332&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85049388332&partnerID=8YFLogxK
U2 - 10.1145/3193111.3193118
DO - 10.1145/3193111.3193118
M3 - Conference contribution
AN - SCOPUS:85049388332
T3 - Proceedings of the 11th European Workshop on Systems Security, EuroSec 2018
BT - Proceedings of the 11th European Workshop on Systems Security, EuroSec 2018
PB - Association for Computing Machinery, Inc
T2 - 11th European Workshop on Systems Security, EuroSec 2018
Y2 - 23 April 2018
ER -