This paper analyzes the ability of Intel Pentium processors to support a secure virtual machine monitor (VMM) and explores different virtualization requirements and solutions. It also discusses security concerns and the potential risks associated with different types of virtual machine monitors.
Virtual Machines and their Applications (CSE 598C)
Paper Title: Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor
Presented By: Angshuman Parashar
VM model
[Figure: two panels, Classic System VMM (Type I) and Hosted System VMM (Type II). Labels: applications (World of Warcraft, DB2, Simplescalar, Photoshop), operating systems (AIX, Linux, MacOS, Windows), VMM, x86.]
Sensitive and Privileged Instructions
• Sensitive: Interfere with state of underlying VMM or host OS
• Privileged: Trap if executed in non-privileged mode
• If Sensitive ⊆ Privileged, processor is virtualizable
x86 Privilege Levels
[Figure: two ring diagrams illustrating Ring Compression. Labels: Ring 0 to Ring 3, User Level Tasks, Operating System, VMM.]
Virtualization Requirements
• Instruction execution equivalent across privilege levels ✓
• Memory Protection (e.g. Address Translation) ✓
• Trap and Emulate Sensitive Instructions: Instructions that…
  • … access VM state ✓
  • … access Sensitive Registers (clock, interrupt) X
  • … access Protection/Translation system X
  • … perform I/O ✓
17 Sensitive Unprivileged Instructions
LAR, LSL, VERR, VERW, PUSH, POP, CALL, JMP, INT n, RET, STR, MOVE, SGDT, SIDT, SLDT, SMSW, PUSHF, POPF
Some interesting cases
• SMSW: stores CR0 into a GPR or memory
  • CR0 bit 0 = Protection Enable
  • Consider VMOS running in real mode, checks PE bit, panics
• POPF: pops flags from stack into EFLAGS register
  • Different bits have different privileges
  • No exceptions are generated on privilege violation!
Some interesting cases (contd.)
• Some instructions check if CPL > DPL
  • VM runs in CPL > 0
  • VMOS assumes it is running at CPL 0
• PUSH: pushes a register onto stack
  • CS and SS contain CPL of currently running task
  • Process thinks it is running at CPL 0, pushes CS, then checks
• CALL across privilege levels
  • Again, CPL vs. DPL checks
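The POPF case above, modelled in C as an added example (not from the slides or the paper): a simplified EFLAGS model covering only CF, IF and IOPL, where `popf`, `cli` and `struct outcome` are names chosen here and the register values are constructed. It contrasts POPF, which silently drops the IF change for a deprivileged guest kernel, with CLI, which faults when CPL > IOPL and so can be trapped and emulated.

```c
#include <stdint.h>
#include <stdio.h>

#define FLAG_CF   0x0001u   /* carry flag: writable at any privilege level */
#define FLAG_IF   0x0200u   /* interrupt enable flag, bit 9 */
#define FLAG_IOPL 0x3000u   /* I/O privilege level, bits 12-13 */

struct outcome {
    uint32_t eflags;  /* EFLAGS after the instruction */
    int trapped;      /* 1 = fault raised, so a VMM could intercept and emulate */
};

static unsigned iopl_of(uint32_t eflags) { return (eflags & FLAG_IOPL) >> 12; }

/* Simplified protected-mode POPF: only CF, IF and IOPL are modelled. */
struct outcome popf(uint32_t eflags, uint32_t popped, unsigned cpl)
{
    uint32_t writable = FLAG_CF;
    if (cpl == 0)
        writable |= FLAG_IF | FLAG_IOPL;
    else if (cpl <= iopl_of(eflags))
        writable |= FLAG_IF;
    /* Bits outside 'writable' are silently kept; no exception is raised. */
    struct outcome r = { (eflags & ~writable) | (popped & writable), 0 };
    return r;
}

/* CLI for contrast: it faults (#GP) when CPL > IOPL, so it can be trapped. */
struct outcome cli(uint32_t eflags, unsigned cpl)
{
    struct outcome r = { eflags, 0 };
    if (cpl > iopl_of(eflags))
        r.trapped = 1;
    else
        r.eflags &= ~FLAG_IF;
    return r;
}

int main(void)
{
    uint32_t eflags = FLAG_IF;            /* constructed state: IF=1, IOPL=0 */
    uint32_t wanted = eflags & ~FLAG_IF;  /* guest kernel wants IF=0 */
    struct outcome native = popf(eflags, wanted, 0);  /* kernel at ring 0 */
    struct outcome guest  = popf(eflags, wanted, 1);  /* deprivileged to ring 1 */
    struct outcome gcli   = cli(eflags, 1);
    printf("ring0 POPF: IF=%d trap=%d\n", !!(native.eflags & FLAG_IF), native.trapped);
    printf("ring1 POPF: IF=%d trap=%d\n", !!(guest.eflags & FLAG_IF), guest.trapped);
    printf("ring1 CLI : IF=%d trap=%d\n", !!(gcli.eflags & FLAG_IF), gcli.trapped);
    return 0;
}
```

At ring 1 the guest kernel believes interrupts are off after POPF, while the real IF is unchanged and the VMM never received a trap in which to update a virtual copy of the flag.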
Solutions
• Recompile the OS
  • Paravirtualization
  • Xen, Plex86
• Dynamically Monitor and Alter the OS
  • Runtime Binary Translation
  • Inserts breakpoints at certain critical locations
  • Dynamic branches and Self-Modifying Code are a headache
  • VMware, FreeMWare (evolved into Plex86)
• Update the Hardware
  • Hardware Assist
  • Intel VT, AMD Pacifica
Security Concerns
• Current VMMs’ claims of “isolation” and “confinement” are bogus
• Potential Loopholes:
  • Sharing
  • Floppy drives
  • Network and Files
  • Virtual file systems, Ports maintained as files on host system (Type II)
  • Tools and Utilities (mouse pointer in VMware)
  • Host OS insecure
• Conclusion: Type II risky, Type I feasible with a microkernel
• Hardware Assist would be helpful
Overview of Intel VT
[Figure: Non-Root Mode with Rings 0 to 3 (User Level Tasks in Ring 3, Operating System in Ring 0) and Root Mode holding the Virtual Machine Monitor, connected by VM Exit and VM Entry transitions.]
Overview of Intel VT (contd.)
• VM data is stored in a VM Control Structure (similar to task_struct)
• Certain events cause unconditional VM-exits (CPUID, RDMSR etc.)
• Some faults always cause OS traps (invalid opcodes, privilege level faults etc.)
• Several events can be configured by VMM to either cause guest OS trap or VM-exit (external pin interrupts, privileged instructions, etc.)
Type II Issues
• Host OS cannot invalidate Requirement 1 (huh?)
• Host OS should be protected from all VMs
• Security: Secure VMM will require secure host OS