SLIDE 1
Enhance protection from security bugs in the Xen hypervisor
Anthony PERARD
Xen architecture
HW Xen Scheduler MMU vPIC Memory CPUs I/O Dom0 QEMU VMs
Enhance protection from security bugs in the Xen hypervisor Anthony - - PowerPoint PPT Presentation
Enhance protection from security bugs in the Xen hypervisor Anthony - - PowerPoint PPT Presentation
Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture Dom0 VMs QEMU Xen Scheduler MMU vPIC Memory CPUs I/O HW Emulation in hypervisor For performance Examples: Interrupt controller
SLIDE 2
SLIDE 3
Emulation in hypervisor
- For performance
- Examples:
– Interrupt controller – Real mode emulation – Timers
SLIDE 4
Emulation in hypervisor
- For performance
- Examples:
– Interrupt controller – Real mode emulation – Timers
- Have same privilege as the hypervisor
SLIDE 5
Reduce severity of bugs
- Deprivilege emulator execution
- Different memory space
- User mode
SLIDE 6
Deprivileged mode
- Prepare page tables for user access
SLIDE 7
Deprivileged mode
- Prepare page tables for user access
- Emulator code into different section
– .hvm_deprivileged_enhancement.text
SLIDE 8
Deprivileged mode
- Prepare page tables for user access
- Emulator code into different section
- Have context switch:
– vmx_ctxt_switch_from() – Save EFER, then allow sysret/syscall – Save registers – Setup new stack for depriv mode – Sysret – Now in user mode, call the function
SLIDE 9
Deprivileged mode
- Prepare page tables for user access
- Emulator code into different section
- Have context switch
- Jump table for switch statement issue
– .rodata
SLIDE 10
Bad behavior
- What if there is a bug in the emulator?
– Access other memory? – Infinite loop? – Other exception?
SLIDE 11
Bad behavior
- Trap handlers for exception:
– Page fault – General exception – ...
SLIDE 12
Bad behavior
- Trap handlers for exception:
– Page fault – General exception – ...
→ crash domain!
SLIDE 13
Bad behavior
- Trap handlers for exception:
– Page fault – General exception – ...
→ crash domain!
- Infinit loop?
– Watchdog
SLIDE 14
Bad behavior
- Trap handlers for exception:
– Page fault – General exception – ...
→ crash domain!
- Infinit loop?
– Watchdog → crash domain
SLIDE 15
Syscall from depriv mode
- Do privileged command while in depriv mode
SLIDE 16
Syscall from depriv mode
- Do privileged command while in depriv mode
– Set a number in a register, then syscall
SLIDE 17
Syscall from depriv mode
- Do privileged command while in depriv mode
– Set a number in a register, then syscall
- Problem, syscall use same return path
– Have a syscall number for actual return
SLIDE 18
Conclusion
- Optimisation
- Benchmark
- Do not trust depriv mode
- Work in progress
SLIDE 19
Conclusion
- Optimisation
- Benchmark
- Do not trust depriv mode
- Work in progress
- Proof-of-concept by Ben Catterall
- Look for “deprivileged mode” in xen-devel
archive
– http://lists.xen.org/archives/html/xen-devel/
SLIDE 20
Question?
- Look for “deprivileged mode” in xen-devel
archive
– http://lists.xen.org/archives/html/xen-devel/