{"title":"SecFortress:使用跨层隔离保护虚拟机监控程序","authors":"Qihang Zhou, Xiaoqi Jia, Shengzhi Zhang, Nan Jiang, Jiayun Chen, Weijuan Zhang","doi":"10.1109/ipdps53621.2022.00029","DOIUrl":null,"url":null,"abstract":"Virtualization is the corner stone of cloud computing, but the hypervisor, the crucial software component that enables virtualization, is known to suffer from various attacks. It is challenging to secure the hypervisor due to at least two reasons. On one hand, commercial hypervisors are usually integrated into a privileged Operating System (OS), which brings in a larger attack surface. On the other hand, multiple Virtual Machines (VM) share a single hypervisor, thus a malicious VM could leverage the hypervisor as a bridge to launch “cross-VM” attacks. In this work, we propose SecFortress, a dependable hypervisor design that decouples the virtualization layer into a mediator, an outerOS, and multiple HypBoxes through a cross-layer isolation approach. SecFortress extends the nested kernel approach to de-privilege the outerOS from accessing the mediator's memory and creates an isolated hypervisor instance, HypBox, to confine the impacts from the untrusted VMs. We implemented SecFortress based on KVM and evaluated its effectiveness and efficiency through case studies and performance evaluation. Experimental results show that SecFortress can significantly improve the security of the hypervisor with negligible runtime overhead.","PeriodicalId":321801,"journal":{"name":"2022 IEEE International Parallel and Distributed Processing Symposium (IPDPS)","volume":"67 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"SecFortress: Securing Hypervisor using Cross-layer Isolation\",\"authors\":\"Qihang Zhou, Xiaoqi Jia, Shengzhi Zhang, Nan Jiang, Jiayun Chen, Weijuan Zhang\",\"doi\":\"10.1109/ipdps53621.2022.00029\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Virtualization is the corner stone of cloud computing, but the hypervisor, the crucial software component that enables virtualization, is known to suffer from various attacks. It is challenging to secure the hypervisor due to at least two reasons. On one hand, commercial hypervisors are usually integrated into a privileged Operating System (OS), which brings in a larger attack surface. On the other hand, multiple Virtual Machines (VM) share a single hypervisor, thus a malicious VM could leverage the hypervisor as a bridge to launch “cross-VM” attacks. In this work, we propose SecFortress, a dependable hypervisor design that decouples the virtualization layer into a mediator, an outerOS, and multiple HypBoxes through a cross-layer isolation approach. SecFortress extends the nested kernel approach to de-privilege the outerOS from accessing the mediator's memory and creates an isolated hypervisor instance, HypBox, to confine the impacts from the untrusted VMs. We implemented SecFortress based on KVM and evaluated its effectiveness and efficiency through case studies and performance evaluation. Experimental results show that SecFortress can significantly improve the security of the hypervisor with negligible runtime overhead.\",\"PeriodicalId\":321801,\"journal\":{\"name\":\"2022 IEEE International Parallel and Distributed Processing Symposium (IPDPS)\",\"volume\":\"67 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-05-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2022 IEEE International Parallel and Distributed Processing Symposium (IPDPS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ipdps53621.2022.00029\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE International Parallel and Distributed Processing Symposium (IPDPS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ipdps53621.2022.00029","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
SecFortress: Securing Hypervisor using Cross-layer Isolation
Virtualization is the corner stone of cloud computing, but the hypervisor, the crucial software component that enables virtualization, is known to suffer from various attacks. It is challenging to secure the hypervisor due to at least two reasons. On one hand, commercial hypervisors are usually integrated into a privileged Operating System (OS), which brings in a larger attack surface. On the other hand, multiple Virtual Machines (VM) share a single hypervisor, thus a malicious VM could leverage the hypervisor as a bridge to launch “cross-VM” attacks. In this work, we propose SecFortress, a dependable hypervisor design that decouples the virtualization layer into a mediator, an outerOS, and multiple HypBoxes through a cross-layer isolation approach. SecFortress extends the nested kernel approach to de-privilege the outerOS from accessing the mediator's memory and creates an isolated hypervisor instance, HypBox, to confine the impacts from the untrusted VMs. We implemented SecFortress based on KVM and evaluated its effectiveness and efficiency through case studies and performance evaluation. Experimental results show that SecFortress can significantly improve the security of the hypervisor with negligible runtime overhead.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
