Guarded Modules: Adap/vely Extending the VMM s Privileges Into the Guest

Transcription

1 Guarded Modules: Adap/vely Extending the VMM s Privileges Into the Guest Kyle C. Hale Peter Dinda Department of Electrical Engineering and Computer Science Northwestern University hip://halek.co hip://presciencelab.org hip://v3vee.org hip://xstack.sandia.gov/hobbes

2 Redefining the boundaries between VMM and guest OS Guest OS VMM 2

3 Redefining the boundaries between VMM and guest OS VMM VMM Guest OS VMM 3

4 We want to evolve the VMM- guest rela/onship where the interface between the two is more flexible and where parts of the VMM may actually live inside the guest The laier is the focus of this work 4

5 GEARS* Guest-context virtual service Guest VMM Virtual service * K. Hale, P. Dinda. Shi$ing Gears to Enable Guest- context Virtual Services, ICAC

6 Guest VMM Virtual service privileged operations 6

7 Guarded Module can still interact with guest Guest VMM Virtual service 7

8 How can we isolate and protect pieces of code in a guest OS that run at higher privilege than the rest of the guest? How can we allow legacy code con/nue to use guest func/onality? We show how with two examples 8

9 Palacios VMM OS- independent, embeddable VMM Support for mul/ple host OSes (Linux, KiIen LWK) Open source, available at hip://v3vee.org/palacios 9

10 Outline Mo/va/on Christoiza/on Threat Model and Run/me Invariants Run/me System and Border Crossings Examples Selec/vely Privileged PCI Passthrough Selec/vely Privileged MONITOR/MWAIT Conclusions 10

11 Guarded Module Transforma/on Christoization Linux Kernel Module Guarded Module guarded module compiler 11

12 Christoiza/on Compile- /me and link- /me wrapping we use gcc toolchain to instrument (wrap) all calls out of and into the module Christo and Jeanne- Claude wrap the Reichstag, Berlin,

13 The guest is not to be trusted We assume a threat model in which a malicious kernel wants to hijack a service s privilege Execu/on paths entering and leaving the guarded module must be checked 13

14 We maintain control flow integrity Christoiza/on allows VMM to trap all entries into and exits from module = privileged operation Guarded printk() Module Guest record environment VMM VMM validates the environment for unauthorized changes to execu/on path (e.g. return oriented aiacks) 14

15 We maintain control flow integrity Guarded Module return Guest Environment ok? Entry point valid? VMM = privileged operation 15

16 and code integrity Guarded Module write to module code Guest VMM = privileged operation 16

17 and data integrity private module data Guarded Module write to module data Guest VMM = privileged operation 17

18 What we don t provide Parameter checking Module cloaking Currently no support for interac/ons between guarded modules 18

19 Programmer s perspec/ve 1. Write a Linux kernel module (or use an exis/ng one) 2. Run it through our guarded module compiler (christoiza/on) 3. Op/onal: verify iden/fied module entry points 4. Pass to administrator, who registers guarded module with VMM at run/me 19

20 RECAP: Guarded Modules are guest context virtual services that can have elevated privilege, are protected from the untrusted guest that they run in, yet can s/ll use its func/onality The implementa/on is small: ~220 lines of Perl, ~260 lines of Ruby, and ~1000 lines of C (includes both the GM compila/on toolchain and run/me system) available online at hip://v3vee.org/palacios 20

21 Run/me: module entries/exits trap to the VMM We call these trapped events border crossings Privileged Border- out call Illegal ac/vity Border- out ret Border- in ret Unprivileged Border- in call 21

22 Wrapper stubs exit_wrapped: popq %r11 pushq %rax movq $border_out_call, %rax vmmcall popq %rax callq exit pushq %rax movq $border_in_ret, %rax vmmcall popq %rax pushq %r11 ret (to into guarded module) Trap to VMM, record environment Trap to VMM, Check integrity of environment 22

23 Guest Kernel Border der Crossin ngs Bor Border out Border in Guarded Module VMM Border Control State Machine Privileged VMM Access Privileged Hardware Access Hardware 23

24 Typical Border Crossing guarded module printk() return module_init() guest = privileged operation 24

25 Nested Border Crossings guarded module foo() bar() return callback() return return guest = privileged operation 25

26 Border Crossing from External Event guarded module guest iret interrupt = privileged operation 26

27 Experimental Setup Dell PowerEdge R415 2 sockets, 4 cores each => 8 total cores 2.2 GHz AMD Opteron GB memory Host kernel: Fedora 15 with Linux Guest: single vcore with Busybox environment, Linux

28 System- independent overhead is low Cycles Cost of any VM exit misc_exit_handle entry lookup misc_hcall lower/raise Border- out Call Border- in Ret Border- in Call Border- out Ret 28

29 but ensuring control- flow integrity is expensive Cycles Stack checking entry_lookup misc_exit_handle misc_hcall check priv lower/raise Border- out Call Border- in Ret Border- in Call Border- out Ret 29

30 Outline Mo/va/on Christoiza/on Threat Model and Run/me Invariants Run/me System and Border Crossings Examples Selec/vely Privileged PCI Passthrough Selec/vely Privileged MONITOR/MWAIT Related Work and Conclusions 30

31 We transformed a NIC driver into a guarded module guest VMM guarded module Broadcom BCM5716 1Gb/s no manual modifica/ons to NIC driver! 31

32 SelecFvely expose the PCI BARs to the guest guarded module 1 privileged mode guarded module 2 unprivileged mode r val w r w PCI I/O and memory BARs Hardware NIC 32

33 Bandwidth drops, but border crossing count is very high! Each border crossing is ~16,000 cycles (7.3 μs) Packet Sends Border- in 1.06 Border- out 1.06 Border Crossings / Packet Send 2.12 Packet Receives Border- in 4.64 Border- out 4.64 Border Crossings / Packet Receive 9.28 Many of these are leaf functions! 33

34 We implemented an adap/ve idle loop with selec/ve privilege MONITOR/MWAIT instruc/ons allow a CPU to go into a low- power state un/l a write occurs to a region of memory MONITOR [addr] MWAIT 34

35 VMs can t typically use these instruc/ons Puts physical core to sleep. Other VMs/processes on that core will starve But if the guest knows how many guests are on the machine (VMM state), we can let it run these instruc/ons when idling Can t let untrusted parts of guest hijack this capability! 35

36 Adap/ve mwait_idle() as a guarded module guest idle() mwait_idle() Other vcores present? no guarded module 36

37 zzz zzz vcore 0 mwait_idle() vcore 0 default_idle() idle loop redirec/on stub (guarded module) vcore 1 pcore 0 pcore 1 Scenario 1: a single vcore Scenario 2: vcores sharing a physical core 37

38 Guarded Modules as adapfve, guest- context virtual services We re leveraging VMM global informa/on about the environment That informa/on is only exposed to the guarded module this presents a new way to adapt VMs at run/me 38

39 Related Work Nooks isolate faulty code in kernel modules with wrappers. Kernel requires modifica/on, protec/ng guest from modules [Swit, SOSP 03] LXFI, SecVisor protect kernel against aiack with VMM- authorized code [Mao, SOSP 11], [Seshadri, SOSP 07] SIM guest- resident VMM code, but special- purpose, uses completely separate address space [Sharif, CCS 09] 39

40 Conclusions We ve shown the feasibility of adapfvely extending the VMM into the guest with guarded modules General technique to automa/cally transform kernel modules into guarded modules Two proof- of- concept examples: - Selec/ve Privilege for Commodity NIC driver - Selec/ve Privilege for MONITOR/MWAIT 40

41 Future Work Feasibility of automa/cally inlining leaf func/ons into modules (making them more self- contained) Further mo/va/ng examples for guarded modules Generaliza/on of guarded modules modules with VMM- controlled, specialized execu/on modes 41

42 We are rethinking system sotware interfaces This talk focused on virtualiza/on, but we re thinking bigger (HW/VMM/OS/app) It s /me to reconsider the structure of our system sotware stacks We can adapt sotware services, but can we adapt their organiza/on/structure? 42

43 For more info: Kyle C. Hale hip://halek.co hip://presciencelab.org hip://v3vee.org hip://xstack.sandia.gov/hobbes