Abstract:Exploiting memory disclosure vulnerabilities like the Heart Bleed bug may cause arbitrary reading of a victim's memory, leading to leakage of critical secrets such as crypto keys, personal identity and financial information. While isolating code that manipulates critical secrets into an isolated execution environment is a promising countermeasure, existing approaches are either too coarse-grained to prevent intra-domain attacks, or require excessive intervention from low-level software (e.g., hypervisor or OS), or both. Further, few of them are applicable to large-scale software with millions of lines of code.This paper describes a new approach, namely SeCage, which retrofits commodity hardware virtualization extensions to support efficient isolation of sensitive code manipulating critical secrets from the remaining code. SeCage is designed to work under a strong adversary model where a victim application or even the OS may be controlled by the adversary, while supporting large-scale software with small deployment cost. SeCage combines static and dynamic analysis to decompose monolithic software into several compartments, each of which may contain different secrets and their corresponding code. Following the idea of separating control and data plane, SeCage retrofits the VMFUNC mechanism and nested paging in Intel processors to transparently provide different memory views for different compartments, while allowing low-cost and transparent invocation across domains without hypervisor intervention.We have implemented SeCage in KVM on a commodity Intel machine. To demonstrate the effectiveness of SeCage, we deploy it to the Nginx and OpenSSH server with the OpenSSL library as well as CryptoLoop with small efforts. Security evaluation shows that SeCage can prevent the disclosure of private keys from HeartBleed attacks and memory scanning from rootkits. The evaluation shows that SeCage only incurs small performance and space overhead.

Thwarting Memory Disclosure With Efficient Hypervisor-Enforced Intra-Domain Isolation

SecretSafe: A Lightweight Approach against Heap Buffer Over-Read Attack

Design and Implementation of SecPod, A Framework for Virtualization-Based Security Systems.

Enhancing Data Secrecy with Segmentation Based Isolation.

Cerberus: A Novel Hypervisor to Provide Trusted and Isolated Code Execution

Armlock: Hardware-Based Fault Isolation For Arm

Comprehensive VM Protection Against Untrusted Hypervisor Through Retrofitted AMD Memory Encryption

Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks

Protecting In-memory Data Cache with Secure Enclaves in Untrusted Cloud.

EqualVisor: Providing Memory Protection in an Untrusted Commodity Hypervisor

Extracting Secrets from Encrypted Virtual Machines

The Design and Optimization of Memory Ballooning in SEV Confidential Virtual Machines

Exploiting Interfaces of Secure Encrypted Virtual Machines

Cabin: Confining Untrusted Programs within Confidential VMs

MemCloak

SEMMA: Secure Efficient Memory Management Approach in Virtual Environment.

Preventing Your Faults From Telling Your Secrets: Defenses Against Pigeonhole Attacks

undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation

Dancing with Wolves: an Intra-Process Isolation Technique with Privileged Hardware.

Undertow: an Intra-Kernel Isolation Mechanism for Hardware-Assisted Virtual Machines.

The Road to Trust: Building Enclaves within Confidential VMs