Abstract
This chapter presents the uber eXtensible Micro-Hypervisor Framework (uberXMHF), a micro-hypervisor architecture and framework that focuses on three goals which are keys to achieving practical security on commodity platforms: (a) commodity compatibility (e.g., runs unmodified Linux and Windows) and unfettered access to platform hardware; (b) efficient implementation; and (c) low trusted computing base and complexity. uberXMHF strives to be a comprehensible, practical, and flexible platform for performing micro-hypervisor research and development. uberXMHF encapsulates common hypervisor core functionality in a framework that allows developers and users to build custom micro-hypervisor-based solutions (called “uberapps”) while freeing them from a considerable amount of wheel-reinventing that is often associated with such efforts. We are encouraged by the end result—a clean, bare-bones, open-source micro-hypervisor framework with desirable performance characteristics and an architecture amenable to formal analysis. Open-source development continues at: https://uberxmhf.org.
Notes
1. The term hardware virtual machine is used for such CPU execution containers in current hardware virtualization parlance. However, technically a virtual machine presents to the guest a virtualized view of the system devices in addition to enforcing memory isolation, and is a misnomer in our case.
2. A closed system where only known firmware is executed at boot-time can be subjected to analysis and consequently trusted. However, most (if not all) x86 systems do not fall under this category.
3. Called Nested Page Tables on AMD and Extended Page-Table (EPT) on Intel platforms, respectively.
4. In practice 3 4K pages should suffice. These are PAE-formatted page-tables.
5. In practice, we have observed that SS still points inside the SINIT code region. Still, it is prudent not to depend upon this behavior.
6. If GETSEC[CAPABILITIES] indicates that ECX will contain the MLE base address pointer upon entry into the MLE, we can use ECX as the base address on Intel systems.
7. Linux kernels adhere to this requirement. However, Windows IoT core uses an open-source UEFI bootloader which does not adhere to this requirement and uses values specified during build time. The UEFI bootloader source has to be modified to use the ATAGS/DTB instead.
8. A malicious OS can still try to access the uberXMHF memory regions, but will cause a fault in the second-stage page-tables; currently this causes uberXMHF to ignore the access and resume the OS.
9.
10. While adding a physical TPM on the Raspberry PI is also an option, a software TPM has more advantages in terms of cost, flexibility, and performance (McCune et al., 2010).
References
Advanced Micro Devices (2005) AMD64 architecture programmer’s manual: volume 2: system programming. AMD, Publication no. 24594 rev. 3.11
ARM Limited (2010) Virtualization extensions architecture specification. http://infocenter.arm.com
Ben-Yehuda M, Day MD, Dubitzky Z, Factor M, Har’El N, Gordon A, Liguori A, Wasserman O, Yassour BA (2010) The turtles project: design and implementation of nested virtualization. In: Proceedings of OSDI 2010
Boileau A (2006) Hit by a bus: physical access attacks with firewire. Ruxcon
Chen X, Garfinkel T, Lewis EC, Subrahmanyam P, Waldspurger CA, Boneh D, Dwoskin J, Ports DRK (2008) Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In: Proceedings of ASPLOS
Dall C, Li SW, Lim JT, Nieh J, Koloventzos G (2016) Arm virtualization: performance and architectural implications. SIGARCH Comput Archit News 44(3):304–316. http://doi.acm.org/10.1145/3007787.3001169
Dinaburg A, Royal P, Sharif M, Lee W (2008) Ether: malware analysis via hardware virtualization extensions. In: Proceedings of ACM CCS 2008
Elhage N (2011) Virtunoid: breaking out of KVM. Defcon
Fattori A, Paleari R, Martignoni L, Monga M (2010) Dynamic and transparent analysis of commodity production systems. In: Proceedings of IEEE/ACM ASE 2010
Garfinkel T, Pfaff B, Chow J, Rosenblum M, Boneh D (2003) Terra: a virtual machine-based platform for trusted computing. In: ACM SOSP
Gordon A, Ben-Yehuda M, Amit N, Har’El N, Landau A, Schuster A (2012) ELI: bare-metal performance for I/O virtualization. In: Architectural support for programming languages and operating systems (ASPLOS)
Gu R, Koenig J, Ramananandro T, Shao Z, Wu XN, Weng SC, Zhang H, Guo Y (2015) Deep specifications and certified abstraction layers. In: Proceedings of POPL
Intel Corporation (2005) IA-32 Intel architecture software developer’s manual. Intel Publication nos. 253665–253668
Intel Corporation (2006) Trusted execution technology–preliminary architecture specification and enabling considerations. Document number 31516803
Karger P, Safford D (2008) I/O for virtual machine monitors: security and performance issues. IEEE Secur Priv 6(5). https://doi.org/10.1109/MSP.2008.119
Litty L, Lagar-Cavilla HA, Lie D (2008) Hypervisor support for identifying covertly executing binaries. In: Proceedings of USENIX security symposium
McCune JM, Li Y, Qu N, Zhou Z, Datta A, Gligor V, Perrig A (2010) TrustVisor: efficient TCB reduction and attestation. In: Proceedings of IEEE S&P
Patel A, Daftedar M, Shalan M, El-Kharashi MW (2015) Embedded hypervisor Xvisor: a comparative analysis. In: Proceedings of the 23rd Euromicro international conference on parallel, distributed, and network-based processing, pp 682–691. https://doi.org/10.1109/PDP.2015.108
Quist D, Liebrock L, Neil J (2011) Improving antivirus accuracy with hypervisor assisted analysis. J Comput Virol 7(2):121–131
Rushanan M, Checkoway S (2015) Run-DMA. In: Proceedings of USENIX workshop on offensive technology (WOOT)
Seshadri A, Luk M, Qu N, Perrig A (2007) SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: Proceedings of SOSP
Sharif MI, Lee W, Cui W, Lanzi A (2009) Secure in-VM monitoring using hardware virtualization. In: Proceedings of ACM CCS
Singaravelu L, Pu C, Haertig H, Helmuth C (2006) Reducing TCB complexity for security-sensitive applications: three case studies. In: Proceedings of EuroSys
Ta-Min R, Litty L, Lie D (2006) Splitting interfaces: making trust between applications and operating systems configurable. In: Proceedings of SOSP
Trusted Computing Group (2005) PC client specific TPM interface specification (TIS). Version 1.2, Revision 1.00
Trusted Computing Group (2007) Trusted platform module main specification. Version 1.2, Revision 103
Vasudevan A, Chaki S (2018) Have your PI and eat it too: practical security on a low-cost ubiquitous computing platform. In: 2018 IEEE European symposium on security and privacy, EuroS&P 2018, London, United Kingdom, April 24–26, 2018, pp 183–198. https://doi.org/10.1109/EuroSP.2018.00021
Vasudevan A, Qu N, Perrig A (2011) XTRec: secure real-time execution trace recording on commodity platforms. In: Proceedings of IEEE HICSS
Vasudevan A, Parno B, Qu N, Gligor VD, Perrig A (2012) Lockdown: towards a safe and practical architecture for security applications on commodity platforms. In: Proceedings of TRUST
Vasudevan A, Chaki S, Jia L, McCune J, Newsome J, Datta A (2013) Design, implementation and verification of an extensible and modular hypervisor framework. In: Proceedings of 2013 IEEE symposium on security and privacy
Vasudevan A, Chaki S, Maniatis P, Jia L, Datta A (2016) überSpark: enforcing verifiable object abstractions for automated compositional security analysis of a hypervisor. In: 25th USENIX security symposium (USENIX security 16), USENIX Association, Austin, TX, pp 87–104. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/vasudevan
Wang Z, Jiang X (2010) HyperSafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proceedings of IEEE S&P
Wang Z, Wu C, Grace M, Jiang X (2012) Isolating commodity hosted hypervisors with HyperLock. In: Proceedings of EuroSys 2012
Xen (2011a) Xen PCI passthrough. http://wiki.xensource.com/xenwiki/XenPCIpassthrough
Xen (2011b) Xen VGA passthrough. http://wiki.xensource.com/xenwiki/XenVGAPassthrough
Xen (2011c) Xen VTd HowTo. http://wiki.xensource.com/xenwiki/VTdHowTo
Xiong X, Tian D, Liu P (2011) Practical protection of kernel integrity for commodity OS from untrusted extensions. In: Proceedings of NDSS 2011
Zhang F, Chen J, Chen H, Zang B (2011) CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In: Proceedings of SOSP
© 2019 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Vasudevan, A. (2019). The Uber eXtensible Micro-Hypervisor Framework (uberXMHF). In: Practical Security Properties on Commodity Computing Platforms. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-030-25049-2_3
DOI: https://doi.org/10.1007/978-3-030-25049-2_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25048-5
Online ISBN: 978-3-030-25049-2
eBook Packages: Computer Science, Computer Science (R0)