multinyx a multi level abstraction framework for
play

MultiNyx: A Multi-Level Abstraction Framework for Systematic - PowerPoint PPT Presentation

Dec 15, 2022 •193 likes •388 views

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro Fonseca, Xi Wang, Arvind Krishnamurthy Hypervisor correctness is critical Hypervisors need to virtualize correctly all the architecture details

  1. MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro Fonseca, Xi Wang, Arvind Krishnamurthy

  2. Hypervisor correctness is critical • Hypervisors need to virtualize correctly all the architecture details • Hypervisor bugs cause applications to crash, information leakage, etc. App App Guest OS Guest OS VM - VM isolation Hypervisor App - guest OS isolation VM - host isolation CPU Modern hypervisors rely on CPU virtualization extensions

  3. KVM bug (CVE-2017-2583) VM crash Incorrect virtualization 
 of the MOV instruction Privilege escalation • Several conditions are required to trigger the bug: • MOV has to be emulated by the VMM Hard for fuzzing • MOV has to load a NULL stack segment techniques to find • Had to be executed in long mode and with CPL=3 such corner cases • Other privilege related fields had to have specific values (SS.RPL=3, SS.DPL=3) How to effectively test hypervisors?

  4. MultiNyx: Systematic testing of modern hypervisors 1. How to systematically generate test cases? 2. How to analyze the test case results?

  5. Background: symbolic execution Goal: find inputs that explore different paths function start ( input ){ x = input + 200; if (x == 1000){ assert (0); // Crash } return; } Phase 1: Phase 2: Encode constraints Solve constraints input + 200 == 1000 input: 800 Code

  6. Symbolic execution of hypervisors Hypervisors use complex, system-level instructions function hypervisor ( input ){ Virtualization instruction x = VMENTER(input) ; if (x == 1000){ assert (0); // Crash } return; How to encode complex } instructions? Phase 1: Encode constraints ??? == 1000 Hypervisor

  7. • Limit fields for CS, SS, DS, ES, FS, GS. If the guest will be virtual-8086, the field must be 0000FFFFH. • Access-rights fields. — CS, SS, DS, ES, FS, GS. If the guest will be virtual-8086, the field must be 000000F3H. This implies the following: • — Bits 3:0 (Type) must be 3, indicating an expand-up read/write accessed data segment. — Bit 4 (S) must be 1. — Bits 6:5 (DPL) must be 3. — Bit 7 (P) must be 1. — Bits 11:8 (reserved), bit 12 (software available), bit 13 (reserved/L), bit 14 (D/B), bit 15 (G), bit 16 (unusable), and bits 31:17 (reserved) must all be 0. • If the guest will not be virtual-8086, the different sub-fields are considered separately: — Bits 3:0 (Type). • CS. The values allowed depend on the setting of the “unrestricted guest” VM-execution control: — If the control is 0, the Type must be 9, 11, 13, or 15 (accessed code segment). 1 page 
 — If the control is 1, the Type must be either 3 (read/write accessed expand-up data segment) or one of 9, 11, 13, and 15 (accessed code segment). • SS. If SS is usable, the Type must be 3 or 7 (read/write, accessed data segment). of the Intel manual • DS, ES, FS, GS. The following checks apply if the register is usable: — Bit 0 of the Type must be 1 (accessed). — If bit 3 of the Type is 1 (code segment), then bit 1 of the Type must be 1 (readable). — Bit 4 (S). If the register is CS or if the register is usable, S must be 1. — Bits 6:5 (DPL). tiny subset of the 
 • CS. — If the Type is 3 (read/write accessed expand-up data segment), the DPL must be 0. The Type can be 3 only if the “unrestricted guest” VM-execution control is 1. checks for the 
 — If the Type is 9 or 11 (non-conforming code segment), the DPL must equal the DPL in the access-rights field for SS. VMENTER instruction — If the Type is 13 or 15 (conforming code segment), the DPL cannot be greater than the DPL in the access-rights field for SS. • SS. — If the “unrestricted guest” VM-execution control is 0, the DPL must equal the RPL from the selector field. — The DPL must be 0 either if the Type in the access-rights field for CS is 3 (read/write accessed expand-up data segment) or if bit 0 in the CR0 field (corresponding to CR0.PE) is 0. 1 • DS, ES, FS, GS. The DPL cannot be less than the RPL in the selector field if (1) the “unrestricted guest” VM-execution control is 0; (2) the register is usable; and (3) the Type in the access-rights field is in the range 0 – 11 (data segment or non-conforming code segment). — Bit 7 (P). If the register is CS or if the register is usable, P must be 1.

  8. Semantics of the virtualization instructions >200 pages

  9. MultiNyx approach: leverage a simulator CPU Simulator function hypervisor ( input ){ x = VMENTER(input) ; function VMENTER ( input ){ if (x == 1000){ x = input ; assert (0); // Crash x = x + 4 … } return x; return; } } Phase 1: Phase 2: Encode constraints Solve constraints Hypervisor CPU simulator Path constraints Test cases

  10. MultiNyx: multi-level symbolic execution Hypervisor 
 Simulator 
 trace trace MOV ADD MOV ADD VMENTER Complex MOV MOV instructions SUB CMP ADD JE VMRESUME MOV ADD ADD MOV MOV SUB SUB ADD

  11. MultiNyx: multi-level symbolic execution MOV Multi-level trace ADD MOV Only contains simple instructions ADD MOV SUB ADD MOV CMP JE ADD Challenge: Different abstractions have 
 MOV different state representations SUB ADD MultiNyx converts between MOV different state representations 
 ADD on each transition MOV SUB

  12. Scaling symbolic execution to hypervisors • Traditional tests execute millions of VM instructions • Key observation: Hypervisor interface allows externally setting the initial VM state MultiNyx: each test executes a single VM instruction 1. Set the initial VM state 2. Run a single VM instruction Initial VM Hypervisor 3. Get the final VM state

  13. MultiNyx: Systematic testing of modern hypervisors 1. How to systematically generate test cases? 2. How to analyze the test case results?

  14. How to analyze the test cases results? Hypervisor Output Input A Intel CPU Consistent? Hypervisor Output B AMD CPU Run the same test on different configurations

  15. How to analyze the test cases results? Hypervisor 1 Output Input A CPU Consistent? Hypervisor 2 Output B CPU Run the same test on different configurations

  16. MultiNyx implementation • Symbolic execution engine: Triton + Z3 • Executable specification: Bochs simulator Component Language LOCs KVM driver C 2,400 KVM annotations C 1,400 Low-level trace recording C++ 600 High-level trace recording C++ 1,300 Multi-level analysis C++ / Python 3,100 Diff. testing and diagnosis Bash / Python 4,400

  17. Testing with MultiNyx • +200,000 tests automatically generated for KVM • MultiNyx coverage is +8% higher than fuzzing • MultiNyx tests revealed 739 mismatching tests

  18. Example of KVM bug found by MultiNyx • Incorrect update of %SP register (2 bytes instead of 4 bytes) • And incorrect update of the VM memory • Instruction PUSH %ES • EPT option disabled • Segment registers initialized with specific values • Execution in real mode • Bug we reported has been fixed in the latest KVM

  19. MultiNyx: 
 Systematic testing of modern hypervisors Modern hypervisor rely on complex instructions MOV ADD MOV ADD MOV vs SUB ADD MOV Final MOV Initial Different VMMs Hypervisor Input ADD VM VM ADD MOV SUB ADD MOV ADD MOV SUB Multi-level 
 Scale down tests Differential testing symbolic execution

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Abstraction refinement and plan revision for control synthesis under high level specifications

Abstraction refinement and plan revision for control synthesis under high level specifications

Abstraction refinement and plan revision for control synthesis under high level specifications Pierre-Jean Meyer Dimos V. Dimarogonas KTH, Royal Institute of Technology July 12 th 2017 Outline Abstraction-based synthesis Global framework

603 views • 34 slides
HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for

HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for

HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for Multi-Processor SoC for Multi-Processor SoC Dr. Ahmed Amine JERRAYA TIMA Laboratory 46 Avenue Felix Viallet 38031 Grenoble Cedex France Tel: +33 476 57 47

634 views • 36 slides
The Problem of Temporal Abstraction How do we connect the high level to the low-level? "

The Problem of Temporal Abstraction How do we connect the high level to the low-level? "

The Problem of Temporal Abstraction How do we connect the high level to the low-level? " the human level to the physical level? " the decide level to the action level? MDPs are great, search is great,

676 views • 31 slides
Framework for Abstraction and Control of Transport Networks

Framework for Abstraction and Control of Transport Networks

Framework for Abstraction and Control of Transport Networks draft-ceccarelli-teas-actn-framework- 00 IETF 93 Prague Daniele Ceccarelli (Ericsson) Young Lee (Huawei) Daniel King (Lancaster-University) Sergio Belotti (Alcatel-Lucent)

621 views • 8 slides
Are objects the right level of abstraction to enable the convergence between HPC and Big Data at

Are objects the right level of abstraction to enable the convergence between HPC and Big Data at

Are objects the right level of abstraction to enable the convergence between HPC and Big Data at storage level? Pierre Matri*, Alexandru Costan , Gabriel Antoniu , Jess Montes*, Mara S. Prez *, Luc Boug * Universidad

822 views • 44 slides
Models as the Basis for Visual Representation Level of abstraction: 1. Low: realistic 3D

Models as the Basis for Visual Representation Level of abstraction: 1. Low: realistic 3D

Models as the Basis for Visual Representation Level of abstraction: 1. Low: realistic 3D visualisation 2. High: insight at high abstraction level Link visualisation to model: 1. entity relationships (structure) 2. entity attributes

1.1k views • 7 slides
NOW Handout Page 1 CS258 S99 1 Relationship between Perspectives Back to Basics Parallel

NOW Handout Page 1 CS258 S99 1 Relationship between Perspectives Back to Basics Parallel

Meta-message today powerful high-level abstraction boils down to specific, simple low-level mechanisms each detail has significant implications Shared Memory Multiprocessors Topic: THE MEMORY ABSTRACTION sequence of reads and

388 views • 10 slides
Multi Level Modeling in the Wild with AutomationML Invited Talk @ Multi Level Modeling

Multi Level Modeling in the Wild with AutomationML Invited Talk @ Multi Level Modeling

Multi Level Modeling in the Wild with AutomationML Invited Talk @ Multi Level Modeling Workshop, MODELS 2018 Copenhagen, October 2018 Manuel Wimmer CDL MINT Business Informatics Group Institute of Information Systems Engineering Vienna

993 views • 71 slides
Abstraction and OOP Tiziana Ligorio 1 Todays Plan Announcements Recap Abstraction OOP

Abstraction and OOP Tiziana Ligorio 1 Todays Plan Announcements Recap Abstraction OOP

Abstraction and OOP Tiziana Ligorio 1 Todays Plan Announcements Recap Abstraction OOP 2 Recap Minimize software size and interactions Simplify complex program to manageable level Break down into smaller problems Isolate

650 views • 54 slides
On the Soundness of Behavioural Abstraction in Hybrid Systems SIM@SYST.Level, 19 th of October,

On the Soundness of Behavioural Abstraction in Hybrid Systems SIM@SYST.Level, 19 th of October,

On the Soundness of Behavioural Abstraction in Hybrid Systems SIM@SYST.Level, 19 th of October, 2014, Cargse, France Simon Bliudze and Sbastien Furic Towards On the Soundness of Behavioural Abstraction in Hybrid Systems SIM@SYST.Level, 19

673 views • 40 slides
Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a general quality or characteristic, apart from concrete realities, specific objects, or actual instances. 2 Abstraction Abstraction is

478 views • 21 slides
The Multi-Level Feedback Queue Operating System: Three Easy Pieces 1 Youjip Won Multi-Level

The Multi-Level Feedback Queue Operating System: Three Easy Pieces 1 Youjip Won Multi-Level

8: Scheduling: The Multi-Level Feedback Queue Operating System: Three Easy Pieces 1 Youjip Won Multi-Level Feedback Queue (MLFQ) A Scheduler that learns from the past to predict the future. Objective: Optimize turnaround time

180 views • 16 slides
Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint

Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint

Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint work with: Trevor Jim (AT&T), Greg Morrisett, Michael Hicks (Maryland), James Cheney, Yanling Wang A safe C-level language Cyclone is a

860 views • 83 slides
Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Outline Introduction Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Version 1.0, 2010 Checking the

429 views • 12 slides
Software Defined Radio using the Linux Industrial IO framework - A Hardware Abstraction Layer -

Software Defined Radio using the Linux Industrial IO framework - A Hardware Abstraction Layer -

Software Defined Radio using the Linux Industrial IO framework - A Hardware Abstraction Layer - Lars-Peter Clausen, Analog Devices What is IIO? Industrial Input/Output framework Not really just for Industrial IO All non-HID IO

1.33k views • 41 slides
Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of

Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of

Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of Abstraction Emil Axelsson Hardware Description and Verification May 2009 Why low-level? Why low-level? Related question: Why is some software

908 views • 51 slides
Age nda Que s t i ons on pha s e 2 of t he pr oj e c t Today: DBM S i

Age nda Que s t i ons on pha s e 2 of t he pr oj e c t Today: DBM S i

Age nda Que s t i ons on pha s e 2 of t he pr oj e c t Today: DBM S i nt e r na l s pa r t 2 - - DBM S I nt e r na l s Que r y e xe c ut i on Exe c ut i on a nd Opt i m i z a

395 views • 13 slides
Simplifying Regions Greg Morrisett Harvard University Collaborators: Matthew Fluet & Amal

Simplifying Regions Greg Morrisett Harvard University Collaborators: Matthew Fluet & Amal

Simplifying Regions Greg Morrisett Harvard University Collaborators: Matthew Fluet & Amal Ahmed The Cyclone Safe-C Project Primary goal: type-safety Secondary goal: retain virtues of C C programmers should feel comfortable. It

785 views • 41 slides
Analysis of valuation formulae and Valuation Examples of applications to option pricing in L

Analysis of valuation formulae and Valuation Examples of applications to option pricing in L

The model Analysis of valuation formulae and Valuation Examples of applications to option pricing in L evy models payoff functions L evy processes Ernst Eberlein 1 , Kathrin Glau 1 , and Exotic options Antonis Papapantoleon 2

367 views • 36 slides
Virtual Machines Disclaimer: some slides are adopted from book authors slides with permission 1

Virtual Machines Disclaimer: some slides are adopted from book authors slides with permission 1

Virtual Machines Disclaimer: some slides are adopted from book authors slides with permission 1 Recap: Virtual Machines Enabling technology of cloud computing Basic idea: Provide machine abstractions 2 Recap: Virtual Machines

465 views • 23 slides
XLIFF 2.0 vs XLIFF 1.2 FEISGILTT Dublin June 2014 Yves Savourel ENLASO Corporation This

XLIFF 2.0 vs XLIFF 1.2 FEISGILTT Dublin June 2014 Yves Savourel ENLASO Corporation This

XLIFF 2.0 vs XLIFF 1.2 FEISGILTT Dublin June 2014 Yves Savourel ENLASO Corporation This presentation was made possible by Why a version 2 1.2 specification had ambiguities and lacked constraints and processing requirements Issues to

720 views • 42 slides
Lab 4 Tutorial Instructor: Youngjin Kwon What weve done so far Lab 1: Booting OS from BIOS

Lab 4 Tutorial Instructor: Youngjin Kwon What weve done so far Lab 1: Booting OS from BIOS

Lab 4 Tutorial Instructor: Youngjin Kwon What weve done so far Lab 1: Booting OS from BIOS and initializing kernel Lab 2: Physical memory management and memory mapping (kernel) Lab 3: Defining user environment, handling

651 views • 24 slides
s tt r

s tt r

s tt r ttr r rt rt r

633 views • 41 slides
An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning

An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning

An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning Microsoft Research Asia (MSRA) Kaiming He, Xiangyu Zhang, Shaoqing Ren, & Jian Sun. Deep Residual Learning for Image Recognition. arXiv

1.32k views • 54 slides

More recommend