Boffins propose 'guaranteed' hypervisor security

Powered by SC Magazine
 

New security technique requires physical push.

U.S. researchers are looking to improve virtualisation by tightening the restrictions around how code is run on a hypervisor.

Using new software, dubbed HyperSafe, the researchers hope to prevent malware from infecting hypervisors, on which virtual machines are run.

HyperSafe involves two security techniques. The first isolates the hypervisor memory range used to run executable code from the rest of the system.

This memory range is marked read-only using the Write Protect bit on the hardware. To introduce new code, the hypervisor administrator would have to sign into the software and physically reboot the entire system.

North Carolina State University computer scientist Xuxian Jiang called the technique "non-bypassable memory lockdown".

"This memory range cannot be changed to include new additional code for execution in hypervisor," Jiang told iTnews. "This prevents attempts to modify existing hypervisor code by external users."

HyperSafe's second technique, called restricted pointer indexing, protects commands, preventing existing hypervisor code from being misused.

The technique involves routing commands in a way that prevents any deviation from a hypervisor's normal behaviour, Jiang explained.

In research (pdf) that will be presented at the IEEE Symposium On Security And Privacy next Monday, Jiang and his PhD student Zhi Wang tested HyperSafe on two open source Type-I hypervisors.

They implemented a proof-of-concept prototype of HyperSafe on BitVisor and Xen, concluding that it is a "lightweight hypervisor protection mechanism that incurs less than five percent performance overhead".

The researchers said the software could be adapted for other Type-I hypervisors, such as VMware ESX and Microsoft Hyper-V, and hoped it would increase public confidence in the cloud.

"Currently, we just blindly trust the security of the hypervisor," Jiang told iTnews. "The HyperSafe software aims to change that with a guaranteed integrity of the hypervisor software."

The researchers currently have no plans for commercialising the technique; however, Jiang said they are "open for any possibilities, including a close collaboration with key players in the virtualisation market to better secure the hypervisor software."


Boffins propose 'guaranteed' hypervisor security
 
 
 
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1074

Vote