Boffins propose 'guaranteed' hypervisor security

Powered by SC Magazine
 

New security technique requires physical push.

U.S. researchers are looking to improve virtualisation by tightening the restrictions around how code is run on a hypervisor.

Using new software, dubbed HyperSafe, the researchers hope to prevent malware from infecting hypervisors, on which virtual machines are run.

HyperSafe involves two security techniques. The first isolates the hypervisor memory range used to run executable code from the rest of the system.

This memory range is marked read-only using the Write Protect bit on the hardware. To introduce new code, the hypervisor administrator would have to sign into the software and physically reboot the entire system.

North Carolina State University computer scientist Xuxian Jiang called the technique "non-bypassable memory lockdown".

"This memory range cannot be changed to include new additional code for execution in hypervisor," Jiang told iTnews. "This prevents attempts to modify existing hypervisor code by external users."

HyperSafe's second technique, called restricted pointer indexing, protects commands, preventing existing hypervisor code from being misused.

The technique involves routing commands in a way that prevents any deviation from a hypervisor's normal behaviour, Jiang explained.

In research (pdf) that will be presented at the IEEE Symposium On Security And Privacy next Monday, Jiang and his PhD student Zhi Wang tested HyperSafe on two open source Type-I hypervisors.

They implemented a proof-of-concept prototype of HyperSafe on BitVisor and Xen, concluding that it is a "lightweight hypervisor protection mechanism that incurs less than five percent performance overhead".

The researchers said the software could be adapted for other Type-I hypervisors, such as VMware ESX and Microsoft Hyper-V, and hoped it would increase public confidence in the cloud.

"Currently, we just blindly trust the security of the hypervisor," Jiang told iTnews. "The HyperSafe software aims to change that with a guaranteed integrity of the hypervisor software."

The researchers currently have no plans for commercialising the technique; however, Jiang said they are "open for any possibilities, including a close collaboration with key players in the virtualisation market to better secure the hypervisor software."


Boffins propose 'guaranteed' hypervisor security
 
 
 
Top Stories
Microsoft confirms Australian Azure launch
Available from next week.
 
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  27%
TOTAL VOTES: 260

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  62%
 
No
  38%
TOTAL VOTES: 82

Vote