Boffins propose 'guaranteed' hypervisor security

Powered by SC Magazine
 

New security technique requires physical push.

U.S. researchers are looking to improve virtualisation by tightening the restrictions around how code is run on a hypervisor.

Using new software, dubbed HyperSafe, the researchers hope to prevent malware from infecting hypervisors, on which virtual machines are run.

HyperSafe involves two security techniques. The first isolates the hypervisor memory range used to run executable code from the rest of the system.

This memory range is marked read-only using the Write Protect bit on the hardware. To introduce new code, the hypervisor administrator would have to sign into the software and physically reboot the entire system.

North Carolina State University computer scientist Xuxian Jiang called the technique "non-bypassable memory lockdown".

"This memory range cannot be changed to include new additional code for execution in hypervisor," Jiang told iTnews. "This prevents attempts to modify existing hypervisor code by external users."

HyperSafe's second technique, called restricted pointer indexing, protects commands, preventing existing hypervisor code from being misused.

The technique involves routing commands in a way that prevents any deviation from a hypervisor's normal behaviour, Jiang explained.

In research (pdf) that will be presented at the IEEE Symposium On Security And Privacy next Monday, Jiang and his PhD student Zhi Wang tested HyperSafe on two open source Type-I hypervisors.

They implemented a proof-of-concept prototype of HyperSafe on BitVisor and Xen, concluding that it is a "lightweight hypervisor protection mechanism that incurs less than five percent performance overhead".

The researchers said the software could be adapted for other Type-I hypervisors, such as VMware ESX and Microsoft Hyper-V, and hoped it would increase public confidence in the cloud.

"Currently, we just blindly trust the security of the hypervisor," Jiang told iTnews. "The HyperSafe software aims to change that with a guaranteed integrity of the hypervisor software."

The researchers currently have no plans for commercialising the technique; however, Jiang said they are "open for any possibilities, including a close collaboration with key players in the virtualisation market to better secure the hypervisor software."


Boffins propose 'guaranteed' hypervisor security
 
 
 
Top Stories
Inside the stalemate on Australia's piracy code
Still not registered almost five months on.
 
IT staff outline deep anger in Macquarie Uni survey
‘Morale at lowest point in a decade’.
 
Cost blowout to push NBN past $41bn budget
But government funding cap to remain.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
New Windows 10 users, are you upgrading from...




   |   View results
Windows 8
  46%
 
Windows 7
  44%
 
Windows XP
  5%
 
Another operating system
  3%
 
Windows Vista
  2%
TOTAL VOTES: 712

Vote