Abstract
Virtualization plays a key role in constructing cloud environments and providing services. Although the main jobs of the hypervisors are to guarantee proper isolation between domains and provide them services, the hypercall interface provided by the hypervisor for cross-layer interactions with domains gives attackers the possibility to breach the isolation or cause denial of service from inside the domains. In this paper, we propose a transparent approach that uses randomization technique to protect the hypercall interface. In our approach, even facing a total compromise of a domain, the security of the virtualization platforms can be guaranteed. We have built a prototype called RandHyp based on Xen. Our experimental results show that RandHyp can effectively prevent attacks via Xen hypercall interface with a small overhead.
Chapter PDF
Similar content being viewed by others
References
CVE, www.cve.org
Amazon EC2, www.amazon.com
Linode, www.linode.com
Xenaccess library, http://code.google.com/p/xenaccess/
Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the Art of Virtualization. In: 19th ACM Symposium on Operating Systems Principles, pp. 164–177. ACM Press, New York (2003)
Steinberg, U., Kauer, B.: NOVA: a Microhypervisor-Based Secure Virtualization Architecture. In: 5th EuroSys, pp. 209–222
Xen Interface Manual, www.xen.org
Zhang, F., Chen, J., Chen, H., Zang, B.: CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization. In: SOSP 2011 Proceedings of the 23th ACM Symposium on Operating Systems Principles, pp. 203–216 (2011)
Colp, P., Nanavati, M., Zhu, J., Aiello, W., Coker, G., Deegan, T., Loscocco, P., Warfield, A.: Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor. In: SOSP 2011 Proceedings of the 23th ACM Symposium on Operating Systems Principles, pp. 189–202 (2011)
Li, C., Raghunathan, A., Jha, N.K.: A Trusted Virtual Machine in an Untrusted Management Environment. In: 3rd IEEE International Conference on Cloud Computing, pp. 172–179 (2010)
Chen, X., Garfinkel, T., Christopher Lewis, E., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.K.: Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating System. In: 13th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 2–13. ACM Press, New York (2008)
Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering Kernel Rootkits with Lightweight Hook Protection. In: 16th ACM Conference on Computer and Communications Security, pp. 545–554. ACM Press, New York (2009)
Hoang, C.: Protecting Xen Hypercalls. Intrusion Detection/Prevention in a Virtualized Environment. MS Thesis, Univeristy of British Columbia (July 2009)
Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: CCS 2009 Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 199–212 (2009)
McCune, J.M., Jaeger, T., Berger, S., Caceres, R., Sailer, R.: Shamon: A System for Distributed Mandatory Access Control. In: ACSAC 2006: Proceedings of the 22nd Annual Computer Security Applications Conference, pp. 23–32 (2006)
Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A Virtual Machine-Based Platform for Trusted Computing. In: 19th Symposium on Operating System Principles
Rivest, R.L.: The RC4 Encryption Algorithm. RSA Data Security, Inc. (March 1992)
Shacham, H., Page, M., Pfaff, B., Modadugu, N., Boneh, D.: On the Effectiveness of Address-Space Randomization. In: 11th ACM Conference on Computer and Commuications Security, pp. 298–307 (2004)
Wang, Z., Jiang, X.: HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. In: Proceedings of the 31st IEEE Symposium on Security and Privacy, Oakland, CA (May 2010)
Gupta, D., Cherkasova, L., Gardner, R., Vahdat, A.: Enforcing Performance Isolation Across Virtual Machines in Xen. In: van Steen, M., Henning, M. (eds.) Middleware 2006. LNCS, vol. 4290, pp. 342–362. Springer, Heidelberg (2006)
Kamble, N.A., Nakajima, J., Mallick, A.K.: Evolution in kernel debugging using hardware virtualization with xen. In: Proceedings of the 2006 Ottawa Linux Symposium, Ottawa, Canada (July 2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Wang, F., Chen, P., Mao, B., Xie, L. (2012). RandHyp: Preventing Attacks via Xen Hypercall Interface. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-30436-1_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1
eBook Packages: Computer ScienceComputer Science (R0)