Skip to main content
SpringerLink
Log in
Book cover

Practical Security Properties on Commodity Computing Platforms pp 37–71Cite as

The Uber eXtensible Micro-Hypervisor Framework (uberXMHF)

  • Chapter
  • First Online:

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

Abstract

This chapter presents the uber eXtensible Micro-Hypervisor Framework (uberXMHF), a micro-hypervisor architecture and framework that focuses on three goals which are keys to achieving practical security on commodity platforms: (a) commodity compatibility (e.g., runs unmodified Linux and Windows) and unfettered access to platform hardware; (b) efficient implementation; and (c) low trusted computing base and complexity. uberXMHF strives to be a comprehensible, practical, and flexible platform for performing micro-hypervisor research and development. uberXMHF encapsulates common hypervisor core functionality in a framework that allows developers and users to build custom micro-hypervisor-based solutions (called “uberapps”) while freeing them from a considerable amount of wheel-reinventing that is often associated with such efforts. We are encouraged by the end result—a clean, bare-bones, open-source micro-hypervisor framework with desirable performance characteristics and an architecture amenable to formal analysis. Open-source development continues at: https://uberxmhf.org.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    The term hardware virtual machine is used for such CPU execution containers in current hardware virtualization parlance. However, technically a virtual machine presents to the guest a virtualized view of the system devices in addition to enforcing memory isolation, and is a misnomer in our case.

  2. 2.

    A closed system where only known firmware is executed at boot-time, can be subjected to analysis and consequently trusted. However, most (if not all) x86 systems do not fall under this category.

  3. 3.

    Called Nested Page Tables on AMD and Extended Page-Table (EPT) on Intel Platforms, respectively.

  4. 4.

    In practice 3 4K pages should suffice. These are PAE-formatted page-tables.

  5. 5.

    In practice, we have observed that SS still points inside the SINIT code region. Still, it is prudent not to depend upon this behavior.

  6. 6.

    If GETSEC[CAPABILITIES] indicates that ECX will contain the MLE base address pointer upon entry into the MLE, we can use ECX as the base address on Intel systems.

  7. 7.

    Linux kernels adhere to this requirement. However, Windows IoT core uses an open-source UEFI bootloader which does not adhere to this requirement and uses values specified during build time. The UEFI bootloader source has to be modified to use the ATAGS/DTB instead.

  8. 8.

    A malicious OS can still try to access the uberXMHF memory regions, but will cause a fault in the second-stage page-tables; currently this causes uberXMHF to ignore the access and resume the OS.

  9. 9.

    http://uberxmhf.org.

  10. 10.

    While adding a physical TPM on the Raspberry PI is also an option, a software TPM has more advantages both in terms of cost, flexibility as well as performance (McCune et al., 2010).

References

  • Advanced Micro Devices (2005) AMD64 architecture programmer’s manual: volume 2: system programming. AMD, Publication no. 24594 rev. 3.11

    Google Scholar 

  • ARM Limited (2010) Virtualization extensions architecture specification. http://infocenter.arm.com

  • Ben-Yehuda M, Day MD, Dubitzky Z, Factor M, Har’El N, Gordon A, Liguori A, Wasserman O, Yassour BA (2010) The turtles project: design and implementation of nested virtualization. In: Proceedings of OSDI 2010

    Google Scholar 

  • Boileau A (2006) Hit by a bus: physical access attacks with firewire. Ruxcon

    Google Scholar 

  • Chen X, Garfinkel T, Lewis EC, Subrahmanyam P, Waldspurger CA, Boneh D, Dwoskin J, Ports DRK (2008) Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In: Proceedings of ASPLOS

    Google Scholar 

  • Dall C, Li SW, Lim JT, Nieh J, Koloventzos G (2016) Arm virtualization: performance and architectural implications. SIGARCH Comput Archit News 44(3):304–316. http://doi.acm.org/10.1145/3007787.3001169

    Article  Google Scholar 

  • Dinaburg A, Royal P, Sharif M, Lee W (2008) Ether: malware analysis via hardware virtualization extensions. In: Proceedings of ACM CCS 2008

    Google Scholar 

  • Elhage N (2011) Virtunoid: breaking out of KVM. Defcon

    Google Scholar 

  • Fattori A, Paleari R, Martignoni L, Monga M (2010) Dynamic and transparent analysis of commodity production systems. In: Proceedings of IEEE/ACM ASE 2010

    Google Scholar 

  • Garfinkel T, Pfaff B, Chow J, Rosenblum M, Boneh D (2003) Terra: a virtual machine-based platform for trusted computing. In: ACM SOSP

    Google Scholar 

  • Gordon A, Ben-Yehuda M, Amit N, HarÉl N, Landau A, Schuster A (2012) ELI: bare-metal performance for I/O virtualization. In: Architectural support for programming languages and operating systems (ASPLOS)

    Google Scholar 

  • Gu R, Koenig J, Ramananandro T, Shao Z, Wu XN, Weng SC, Zhang H, Guo Y (2015) Deep specifications and certified abstraction layers. In: Proceedings of POPL

    Google Scholar 

  • Intel Corporation (2005) IA-32 Intel architecture software developer’s manual. Intel Publication nos. 253665–253668

    Google Scholar 

  • Intel Corporation (2006) Trusted execution technology–preliminary architecture specification and enabling considerations. Document number 31516803

    Google Scholar 

  • Karger P, Safford D (2008) I/O for virtual machine monitors: security and performance issues. IEEE Secur Priv 6(5). https://doi.org/10.1109/MSP.2008.119

    Article  Google Scholar 

  • Litty L, Lagar-Cavilla HA, Lie D (2008) Hypervisor support for identifying covertly executing binaries. In: Proceedings of USENIX security symposium

    Google Scholar 

  • McCune JM, Li Y, Qu N, Zhou Z, Datta A, Gligor V, Perrig A (2010) TrustVisor: efficient TCB reduction and attestation. In: Proceedings of IEEE S&P

    Google Scholar 

  • Patel A, Daftedar M, Shalan M, El-Kharashi MW (2015) Embedded hypervisor Xvisor: a comparative analysis. In: Proceedings of the 23rd Euromicro international conference on parallel, distributed, and network-based processing, pp 682–691. https://doi.org/10.1109/PDP.2015.108

  • Quist D, Liebrock L, Neil J (2011) Improving antivirus accuracy with hypervisor assisted analysis. J Comput Virol 7(2):121–131

    Article  Google Scholar 

  • Rushanan M, Checkoway S (2015) Run-DMA. In: Proceedings of USENIX workshop on offensive technology (WOOT)

    Google Scholar 

  • Seshadri A, Luk M, Qu N, Perrig A (2007) SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: Proceedings of SOSP

    Google Scholar 

  • Sharif MI, Lee W, Cui W, Lanzi A (2009) Secure in-VM monitoring using hardware virtualization. In: Proceedings of ACM CCS

    Google Scholar 

  • Singaravelu L, Pu C, Haertig H, Helmuth C (2006) Reducing TCB complexity for security-sensitive applications: three case studies. In: Proceedings of EuroSys

    Google Scholar 

  • Ta-Min R, Litty L, Lie D (2006) Splitting interfaces: making trust between applications and operating systems configurable. In: Proceedings of SOSP

    Google Scholar 

  • Trusted Computing Group (2005) PC client specific TPM interface specification (TIS). Version 1.2, Revision 1.00

    Google Scholar 

  • Trusted Computing Group (2007) Trusted platform module main specification. Version 1.2, Revision 103

    Google Scholar 

  • Vasudevan A, Chaki S (2018) Have your PI and eat it too: practical security on a low-cost ubiquitous computing platform. In: 2018 IEEE European symposium on security and privacy, EuroS&P 2018, London, United Kingdom, April 24–26, 2018, pp 183–198. https://doi.org/10.1109/EuroSP.2018.00021

  • Vasudevan A, Qu N, Perrig A (2011) XTRec: secure real-time execution trace recording on commodity platforms. In: Proceedings of IEEE HICSS

    Google Scholar 

  • Vasudevan A, Parno B, Qu N, Gligor VD, Perrig A (2012) Lockdown: towards a safe and practical architecture for security applications on commodity platforms. In: Proceedings of TRUST

    Google Scholar 

  • Vasudevan A, Chaki S, Jia L, McCune J, Newsome J, Datta A (2013) Design, implementation and verification of an extensible and modular hypervisor framework. In: Proceedings of 2013 IEEE symposium on security and privacy

    Google Scholar 

  • Vasudevan A, Chaki S, Maniatis P, Jia L, Datta A (2016) überSpark: enforcing verifiable object abstractions for automated compositional security analysis of a hypervisor. In: 25th USENIX security symposium (USENIX security 16), USENIX Association, Austin, TX, pp 87–104. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/vasudevan

  • Wang Z, Jiang X (2010) HyperSafe: a lightweight approach to provide lifetime hypervisor control-flow integrity. In: Proceedings of IEEE S&P

    Google Scholar 

  • Wang Z, Wu C, Grace M, Jiang X (2012) Isolating commodity hosted hypervisors with HyperLock. In: Proceedings of EuroSys 2012

    Google Scholar 

  • Xen (2011a) Xen PCI passthrough. http://wiki.xensource.com/xenwiki/XenPCIpassthrough

  • Xen (2011b) Xen VGA passthrough. http://wiki.xensource.com/xenwiki/XenVGAPassthrough

  • Xen (2011c) Xen VTd HowTo. http://wiki.xensource.com/xenwiki/VTdHowTo

  • Xiong X, Tian D, Liu P (2011) Practical protection of kernel integrity for commodity OS from untrusted extensions. In: Proceedings of NDSS 2011

    Google Scholar 

  • Zhang F, Chen J, Chen H, Zang B (2011) CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In: Proceedings of SOSP

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA

    Amit Vasudevan

Authors
  1. Amit Vasudevan
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2019 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Vasudevan, A. (2019). The Uber eXtensible Micro-Hypervisor Framework (uberXMHF). In: Practical Security Properties on Commodity Computing Platforms. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-030-25049-2_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-25049-2_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-25048-5

  • Online ISBN: 978-3-030-25049-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation