Xing Gao,Zhongshu Gu,Zhengfa Li,Hani Jamjoom,Cong Wang

DOI: https://doi.org/10.1145/3319535.3354227

2019-01-01

Abstract:Linux Control Groups, i.e., cgroups, are the key building blocks to enable operating-system-level containerization. The cgroups mechanism partitions processes into hierarchical groups and applies different controllers to manage system resources, including CPU, memory, block I/O, etc. Newly spawned child processes automatically copy cgroups attributes from their parents to enforce resource control. Unfortunately, inherited cgroups confinement via process creation does not always guarantee consistent and fair resource accounting. In this paper, we devise a set of exploiting strategies to generate out-of-band>workloads via de-associating processes from their original process groups. The system resources consumed by such workloads will not be charged to the appropriate cgroups. To further demonstrate the feasibility, we present five case studies within Docker containers to demonstrate how to break the resource rein of cgroups in realistic scenarios. Even worse, by exploiting those cgroups' insufficiencies in a multi-tenant container environment, an adversarial container is able to greatly amplify the amount of consumed resources, significantly slow-down other containers on the same host, and gain extra unfair advantages on the system resources. We conduct extensive experiments on both a local testbed and an Amazon EC2 cloud dedicated server. The experimental results demonstrate that a container can consume system resources (e.g., CPU) as much as $200\times$ of its limit, and reduce both computing and I/O performance of particular workloads in other co-resident containers by 95%.

Zhiyong Shan,Tzi-cker Chiueh,Xin Wang

DOI: https://doi.org/10.48550/arXiv.1609.04785

2016-09-15

Operating Systems

Abstract:OS-level virtualization incurs smaller start-up and run-time overhead than HAL-based virtualization and thus forms an important building block for developing fault-tolerant and intrusion-tolerant applications. A complete implementation of OS-level virtualization on the Windows platform requires virtualization of Windows services, such as system services like the Remote Procedure Call Server Service (RPCSS), because they are essentially extensions of the kernel. As Windows system services work very differently from their counterparts on UNIX-style OS, i.e., daemons, and many of their implementation details are proprietary, virtualizing Windows system services turned out to be the most challenging technical barrier for OS-level virtualization for the Windows platform. In this paper, we describe a general technique to virtualize Windows services, and demonstrate its effectiveness by applying it to successfully virtualize a set of important Windows system services and ordinary services on different versions of Windows OS, including RPCSS, DcomLaunch, IIS service group, Tlntsvr, MySQL, Apache2.2, CiSvc, ImapiService, etc.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Yajin Zhou,Xiaoguang Wang,Yue Chen,Zhi Wang

DOI: https://doi.org/10.1145/2660267.2660344

2014-01-01

Abstract:Software fault isolation (SFI) is an effective mechanism to confine untrusted modules inside isolated domains to protect their host applications. Since its debut, researchers have proposed different SFI systems for many purposes such as safe execution of untrusted native browser plugins. However, most of these systems focus on the x86 architecture. In recent years, ARM has become the dominant architecture for mobile devices and gains in popularity in data centers. Hence there is a compelling need for an efficient SFI system for the ARM architecture. Unfortunately, existing systems either have prohibitively high performance overhead or place various limitations on the memory layout and instructions of untrusted modules.In this paper, we propose ARMlock, a hardware-based fault isolation for ARM. It uniquely leverages the memory domain support in ARM processors to create multiple sandboxes. Memory accesses by the untrusted module (including read, write, and execution) are strictly confined by the hardware, and instructions running inside the sandbox execute at the same speed as those outside it. ARMlock imposes virtually no structural constraints on untrusted modules. For example, they can use self-modifying code, receive exceptions, and make system calls. Moreover, system calls can be interposed by ARMlock to enforce the policies set by the host. We have implemented a prototype of ARMlock for Linux that supports the popular ARMv6 and ARMv7 sub-architecture. Our security assessment and performance measurement show that ARMlock is practical, effective, and efficient.

Wenzhi Chen,Zhipeng Zhang,Jianhua Yang,Qinming He

DOI: https://doi.org/10.1007/s11859-010-0301-y

2010-01-01

Wuhan University Journal of Natural Sciences

Abstract:This paper presents vCerberus, a novel hypervisor to provide trusted and isolated code execution within virtual domains. vCerberus is considerably tiny, while allowing secure sensitive codes to be executed in an isolated circumstance from the virtual domain, and can be attested by a remote party in an efficient way. These properties will be guaranteed even if the guest operating system is malicious. This protects the secure sensitive codes against the malicious codes in the Guest OS, e.g., the kernel rootkits. We present an approach to dynamically measure and isolate the launch environment on the virtual machines based on the para-virtualization technology and a novel virtualization of trusted platform module (TPM). Our performance experiment result shows that the overhead introduced by vCerberus is minimized; the performance of the launch environment in vCerberus is as competitive as the guest OS running on mainstream hypervisors.

陈文智,姚远,杨建华,何钦铭

DOI: https://doi.org/10.3724/sp.j.1016.2009.01311

2009-01-01

Chinese Journal of Computers

Abstract:With the rapidly development of personal computer hardware,to construct multiple isolated computing domains through virtualization technology has already become a future direction of PC. To avoid the difficulties caused by implementing VMM on traditional IA-32 architecture through software virtualization technology,the authors designed and implemented a VMM based on Intel VT-x technology — Pcanel/V2. Pcanel/V2 utilizes the latest hardware virtualization technology to configure a controllable virtual execution environment and run multiple operating systems directly without any modification of source code. While the accesses to hardware resources by the guest operating system are monitored,various sensitive situations which occur in the guest operating system can also be handled correspondingly by Pcanel/V2. Concurrent execution of Linux and VxWorks on Pcanel/V2 has been realized and corresponding evaluation results show that Pcanel/V2 architecture simplifies the complexity of the design process while increasing the overall performance by approximately 10% compared to software virtual technology.

Wen-Zhi Chen,Zhi-Peng Zhang,Jian-Hua Yang,Qin-Ming He

DOI: https://doi.org/10.1109/ISME.2010.172

2010-01-01

Abstract:Cerberus is a tiny x86 virtual machine monitor. It allows security sensitive codes to be executed in an isolated circumstance. The codes could attest their integrity to a remote party by a two-step attestation provided by Cerberus. Cerberus does not require the security sensitive applications to be modified or recompiled to run on it. These applications are packaged with the operating systems as virtual appliances (VA). The on-disk VA files are read-only to simplify the attestation process. Any storage file is sealed to the corresponding secure domain. Cerberus leveraged the nested paging technology to isolate the memory regions efficiently. And it also introduced a novel secure display sharing technology. It can guarantee the security property even when the attackers get control of everything but the core hardware infrastructures. Our performance experiment results show that the overhead introduced by Cerberus is less than 5%.

Yuebin Bai,Cheng Luo,Cong Xu,Liang Zhang,Huiyong Zhang

DOI: https://doi.org/10.1007/978-3-642-13119-6_32

2010-01-01

Abstract:In virtualization technology domain, researches mainly focus on strengthening the isolation barrier between virtual machines (VMs) that are co-resident within a single physical machine At the same time, there are many kinds of communication intensive distributed applications such as web services, transaction processing, graphics rendering and high performance grid applications, which need to communicate with each other on the co-resident VMs Current inter-VM communication mechanisms can't adequately satisfy the requirement of such applications In this paper, we present the design and implementation of a high performance inter-VM communication mechanism called IVCOM in Xen virtual machine environment We propose IVCOM in para-virtualization and also extend for full-virtualization As a result of our survey, in Para-virtualization, there are mainly three kinds of overheads that contribute to the poor performance: the TCP/IP processing cost in each domain, page flipping overhead and long communication path between both sides of the socket IVCOM achieves high performance by bypassing protocol stacks, shunning page flipping and providing a direct and high performance communication path between VMs residing with the same physical machine And in Full-virtualization, frequent mode tuning between root mode and non-root mode import too much overhead IVCOM applies a direct communication channel between domain 0 and hardware virtual VM (HVM) and can greatly reduce the VM entry/exit operations which can improve the HVM performance In our evaluation, we observe that IVOCM can reduce the inter-VM round trip latency by up to 3 times and increase throughput by up to 3 times which prove the efficiency of IVCOM in para-virtualized environment In full-virtualized environment, IVCOM can greatly reduce mode tuning times in the communication between domain 0 and HVM.

K. Suzaki,R. Ando,Kazushi Takahashi

DOI: https://doi.org/10.22667/JOWUA.2012.03.31.120

Abstract:Leveraging hypervisor for security purpose such as malware analysis has been well researched. There still remain two challenges for analyzing security incidents on virtual machine: real-time monitoring and semantic gap. First, current active monitoring methods need to be improved for real-time protection of virtual machine. Second, semantic gap between virtual machine and hypervisor poses a significant impediment on security analyst. In this paper, we propose an inter-domain communication protocol for real-time monitoring of virtual machine and bridging semantic gap. We have deployed the inter-domain communication module between a guest Windows OS and a hypervisor in two ways. While the one is a register based transfer using vCPU context, the other is a shared memory based communication. Our protocol is event driven, which makes the proposed system enable to monitor the file access of a guest Windows OS in real-time without suspending it. We have implemented our system on XEN virtual machine monitor and KVM (Kernel Virtual Machine). We have measured the resource utilization of these two systems in the case of decompressing files and receiving HTTP requests. On the guest OS, the KVM based system outperforms the processor idle time by about 30-50% in decompressing file and the memory usage by about 35% in receiving HTTP requests. We conclude that our system can monitor file access inside virtual machine without suspension and also with reasonable resource usage.

Computer Science

Kejiang Ye,Xiaohong Jiang,Deshi Ye,Dawei Huang

DOI: https://doi.org/10.1109/hpcc.2010.95

2010-01-01

Abstract:Virtualization brings many benefits such as improving system utilization and reducing cost through server consolidation. However, it also introduces isolation problem when running multiple virtual machine workloads in one physical platform. Additionally, with the advent of multi-core technology, more and more cores are built into one die in today's data center that will share and compete for the resource like cache. It's worthy to study the isolation of server consolidation in modern multi-core platform. However, to our knowledge there are few work done on the isolation property especially the fault isolation property when one of the virtual machine workloads is attacked in server consolidation. In this paper, we study the isolation property from performance perspective and provide two optimization methods to improve the isolation property. We first define the isolation property and quantify the performance isolation in consolidation and propose a VM-level optimization method. Then we study the fault isolation by introducing a misbehavior virtual machine in server consolidation scenario and propose a core-level cache-aware optimization method to improve the fault isolation. Experimental results show that our two optimization methods can effectively improve the performance isolation and fault isolation with 29.39% and 19.52% respectively. What's more, Oprofile/Xenoprof toolkits are used to find out the factors affecting isolation property from the hardware events level.

Benshan Mei,Saisai Xia,Wenhao Wang,Dongdai Lin

2024-07-18

Abstract:Confidential computing safeguards sensitive computations from untrusted clouds, with Confidential Virtual Machines (CVMs) providing a secure environment for guest OS. However, CVMs often come with large and vulnerable operating system kernels, making them susceptible to attacks exploiting kernel weaknesses. The imprecise control over the read/write access in the page table has allowed attackers to exploit vulnerabilities. The lack of security hierarchy leads to insufficient separation between untrusted applications and guest OS, making the kernel susceptible to direct threats from untrusted programs. This study proposes Cabin, an isolated execution framework within guest VM utilizing the latest AMD SEV-SNP technology. Cabin shields untrusted processes to the user space of a lower virtual machine privilege level (VMPL) by introducing a proxy-kernel between the confined processes and the guest OS. Furthermore, we propose execution protection mechanisms based on fine-gained control of VMPL privilege for vulnerable programs and the proxy-kernel to minimize the attack surface. We introduce asynchronous forwarding mechanism and anonymous memory management to reduce the performance impact. The evaluation results show that the Cabin framework incurs a modest overhead (5% on average) on Nbench and WolfSSL benchmarks.

Cryptography and Security

Kun Yang,Hanqing Zhao,Chao Zhang,Jianwei Zhuge,Haixin Duan

DOI: https://doi.org/10.1109/srds47363.2019.00012

2019-01-01

Abstract:Sandboxing provides a strong security guarantee for applications, by isolating untrusted code into separated compartments. Untrusted code could only use IPC (inter-process communication) to launch sensitive actions, which are implemented in trusted (and maybe privileged) code. IPC-related security bugs in trusted code could facilitate jailbreaks of sandboxing, and thus are becoming high-value targets. However, finding vulnerabilities that could be triggered by IPC is challenging, due to the fact that IPC communication is stateful and format-sensitive. In this paper, we propose a new fuzzing solution to discover IPC bugs in IPC services without source code, by combining static analysis and dynamic analysis. We use static analysis to recognize format checks and help construct IPC messages of valid formats. We then use dynamic analysis to infer the constraints between IPC messages, and model the stateful logic with a probability matrix. Therefore, we are able to generate high-quality IPC messages to test IPC services, and discover deep and complex IPC bugs. Without loss of generality, we implemented a prototype MachFuzzer, for a specific complicated and crucial IPC service, i.e., WindowServer in macOS. This prototype helps us find 12 previously unknown vulnerabilities in WindowServer in 48 hours. Among them, three vulnerabilities are confirmed exploitable, and could be exploited to escape the sandbox and gain root privilege.

Jingyu Hua,Kouichi Sakurai

DOI: https://doi.org/10.1145/2245276.2232011

2012-01-01

Abstract:In the present operating systems such as Linux, all the kernel modules, including unknown extensions, run in the same address space. They are granted the highest privilege and can access arbitrary memory without any limitation. This is at the root of kernel rootkits, which are malware seriously threatening the kernel integrity. In this paper, we present Barrier , a lightweight hypervisor designed for enhancing the kernel integrity of personal computers by isolating the kernel modules. Since this hypervisor is designed for the OS protection on PCs, it does not implement unnecessary virtualization features that are commonly found on the general-purpose hypervisors to support running multiple OS instances concurrently on the same server. As a result, it is much smaller and also much easier to use, especially for unprofessional users. Barrier leverages the hardware-supported memory virtualization to isolate the kernel modules into different address spaces. All the interactions across address spaces have to go through a strict mediation based on some predefined MAC rules. This greatly increases the attacker's hardness to compromise the kernel integrity. We have implemented a prototype of Barrier. The evaluation results show that Barrier can well protect the kernel integrity without bringing unaffordable performance overheads.

Yuezhi Zhou,Yaoxue Zhang,Hao Liu,Naixue Xiong,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/tsc.2012.32

IF: 11.019

2012-01-01

IEEE Transactions on Services Computing

Abstract:Advancements in cloud computing enable the easy deployment of numerous services. However, the analysis of cloud service access platforms from a client perspective shows that maintaining and managing clients remain a challenge for end users. In this paper, we present the design, implementation, and evaluation of an asymmetric virtual machine monitor (AVMM), which is an asymmetric partitioning-based bare-metal approach that achieves near-native performance while supporting a new out-of-operating system mechanism for value-added services. To achieve these goals, AVMM divides underlying platforms into two asymmetric partitions: a user partition and a service partition. The user partition runs a commodity user OS, which is assigned to most of the underlying resources, maintaining end-user experience. The service partition runs a specialized OS, which consumes only the needed resources for its tasks and provides enhanced features to the user OS. AVMM considerably reduces virtualization overhead through two approaches: 1) Peripheral devices, such as graphics equipment, are assigned to be monopolized by a single user OS. 2) Efficient resource management mechanisms are leveraged to alleviate complicated resource sharing in existing virtualization technologies. We implement a prototype that supports Windows and Linux systems. Experimental results show that AVMM is a feasible and efficient approach to client virtualization.

Yuezhi Zhou,Yaoxue Zhang,Hao Liu,Naixue Xiong

DOI: https://doi.org/10.1109/infcomw.2011.5928892

2011-01-01

Abstract:This paper presents the design, implementation, and evaluation of AVMM, a symmetric partition-based bare-metal client virtualization approach that tries to achieve maximum near-native performance for end-users while supporting new out-of-OS mechanism for value-added services for network system administration. To achieve these goals, AVMM divides the underlying network client platform into two asymmetric partitions: user and service partitions. The user partition runs a commodity OS, which is assigned to most portions of the CPU and memory resources and a set of peripheral devices to retain the end-user experience. The service partition runs a specialized OS, which consumes only the essential resources for its tasks. By letting user OS possess the most part of resources and access some peripheral devices directly, the AVMM overhead is reduced greatly, improving the whole network system performance. We have implemented a preliminary network prototype that can supportWindows and Linux. Our experimental evaluation results show that AVMM has achieved its designed goals and provides a feasible and efficient approach for client virtualization.

WU Zhen,CHEN Yao-wu

DOI: https://doi.org/10.3969/j.issn.1005-9490.2006.04.059

2006-01-01

Abstract:In order to reduce the complexity brought by a great deal of data communication among multi-processes,we introduce a new kind of IPC based on message for Linux,propose the architecture and its work procedure.All kinds of IPC of Linux were listed and compared with the message-based IPC.At last,we illuminate how to apply the message-based IPC in DVR software architecture.

Youhui Wang,Xiaoling Hong,Liang Wang

2006-01-01

Abstract:As computing is becoming increasingly ubiquitous today, it would be very attractive for common computer users to access same personalized desktop environment, including personal documents, applications and customizations, on any compatible PC anytime and anywhere. This paper presents such a solution for Windows systems based on user-level virtualization technologies. Namely, the user’s data, applications and their configurations are stored on a portable USB device. At run-time, the portable desktop-applications on the device will run in a usermode virtualization environment where some resource (registry, files/directories, environment variables, etc.) accessing APIs are intercepted and redirected to the portable device as necessary. In user’s view, she can access her personalized applications and data conveniently on any compatible computer, although they do not exist on local disks of the host computer. This paper describes the whole design, technical details and performance evaluation, and presents a demo application. Compared with some existing solutions based on virtual machine technologies, this solution is more efficient in performance and storage capacity.

Guoxi Li,Wenhai Lin,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-030-38991-8_12

2020-01-01

Abstract:Many projects of virtualized processes are emerging for less overhead than traditional virtual machines and more isolation than containers. A virtualized process uses hardware virtualization to provide a process abstraction. The virtualized processes are deemed as inefficient compared against native processes using system calls since hypercalls they use cause high-overhead context switches. However, current performance of system calls is severely damaged by Kernel Page Table Isolation (KPTI) while hypercalls are unaffected. Unexpectedly, that gives hopes for virtualized processes to reach competitive performance against native processes. In this paper, we propose and implement Exit-Less Hypercall, a new style of execution framework in virtualized processes by introducing asynchronity, new thread models and adaptive migration. We evaluate the prototype and make a detailed analysis on the impacts of context switches from the native and virtualized processes with KPTI. Moreover, the experiments also show that Exit-Less Hypercall achieves a good performance improvement of up to 121% on virtualized processes using legacy hypercalls and even outperforms native processes using legacy system calls with KPTI by 81%.

LI Xiao-Qing,ZHAO Xiao-Dong,ZENG Qing-Kai

DOI: https://doi.org/10.3724/sp.j.1001.2012.04131

2012-01-01

Journal of Software

Abstract:A one-way isolation execution model based on hardware virtualization is proposed.In this model, the security application based on self-requirements can be divided into two parts: host process and security sensitive module (SSM).Isolated execution manager named SSMVisor, as the core component of isolation execution model, provides a one-way isolation execution environment for SSMs, not only to ensure security, but also to allow SSMs to call outside functions.As security application's trusted computing base (TCB) only includes SSMs and SSMVisor, without operating system and the security unrelated module of the applications, the size of security application's TCB is reduced effectively.A prototype system is not only compatible with the original operating system, but also light-weight.Experimental results show that the performance overhead of prototype system is very low, about 6.5%.

Francesco Gadaleta,Raoul Strackx,Nick Nikiforakis,Frank Piessens,Wouter Joosen

DOI: https://doi.org/10.48550/arXiv.1405.6058

2014-05-22

Abstract:Protecting commodity operating systems and applications against malware and targeted attacks has proven to be difficult. In recent years, virtualization has received attention from security researchers who utilize it to harden existing systems and provide strong security guarantees. This has lead to interesting use cases such as cloud computing where possibly sensitive data is processed on remote, third party systems. The migration and processing of data in remote servers, poses new technical and legal questions, such as which security measures should be taken to protect this data or how can it be proven that execution of code wasn't tampered with. In this paper we focus on technological aspects. We discuss the various possibilities of security within the virtualization layer and we use as a case study \HelloRootkitty{}, a lightweight invariance-enforcing framework which allows an operating system to recover from kernel-level attacks. In addition to \HelloRootkitty{}, we also explore the use of special hardware chips as a way of further protecting and guaranteeing the integrity of a virtualized system.

Cryptography and Security