Secure and Efficient In-Hypervisor Memory Introspection Using Nested Virtualization

Weiwen Tang, Zeyu Mi
DOI: 10.1109/SOSE.2018.00031 (https://doi.org/10.1109/SOSE.2018.00031)
Venue: 2018 IEEE Symposium on Service-Oriented System Engineering (SOSE)
Publication date: 2018-03-26
Citation count: 5

Abstract

In JointCloud computing, the hypervisor used by each cloud plays a key role in providing services and protection for guest virtual machines (VMs). Unfortunately, a commodity hypervisor usually has a considerable attack surface, and its memory is especially prone to tampering by an attacker who resides in one VM and then threatens the security of other co-located VMs. To mitigate such a threat, previous solutions proposed an out-of-the-box design that leverages nested virtualization to introduce a higher-privileged software layer (a nested hypervisor) below the hypervisor. It also installs a security monitor into a trusted VM that is protected by the nested hypervisor and isolated from the untrusted hypervisor. The monitor is responsible for dynamically validating the behaviors of the untrusted hypervisor. Although monitoring from outside the hypervisor can help ensure security, the large number of context switches caused by nested virtualization incurs unacceptable overheads and makes this approach unsuitable for the cloud environment. In this paper, we introduce In-Hypervisor Memory Introspection (IHMI), an in-the-box way to monitor the hypervisor based on nested virtualization. Our system puts the monitor into the untrusted hypervisor for efficiency while guaranteeing the same level of memory security as monitoring the hypervisor from a separate secure VM. By leveraging hardware virtualization features of current processors, IHMI isolates the monitor from the hypervisor via the nested page table and implements an efficient switch between them. Further, IHMI configures a uni-directional mapping for the monitor, which allows the monitor to access the hypervisor's memory at native speed while forbidding the hypervisor from accessing the monitor's memory. Our IHMI system is currently still at an early stage, and we report our design as well as preliminary evaluation results in this paper.