Team for Research in Ubiquitous Secure Technology

SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes
Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig

Citation
Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig. "SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes". ACM Symposium on Operating Systems Principles (SOSP), ACM, October, 2007.

Abstract
We propose SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels. In particular, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime. This protects the kernel against code injection attacks, such as kernel rootkits. SecVisor can achieve this property even against an attacker who controls everything but the CPU, the memory controller, and system memory chips. Further, SecVisor can even defend against attackers with knowledge of zero-day kernel exploits. Our goal is to make SecVisor amenable to formal verification and manual audit, thereby making it possible to rule out known classes of vulnerabilities. To this end, SecVisor offers small code size and small external interface. We rely on memory virtualization to build SecVisor and implement two versions, one using software memory virtualization and the other using CPU-supported memory virtualization. The code sizes of the runtime portions of these versions are 1739 and 1112 lines, respectively. The size of the external interface for both versions of SecVisor is 2 hypercalls. It is easy to port OS kernels to SecVisor. We port the Linux kernel version 2.6.20 by adding 12 lines and deleting 81 lines, out of a total of approximately 4.3 million lines of code in the kernel.

Citation formats  
  • HTML
    Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig. <a
    href="http://www.truststc.org/pubs/384.html"
    >SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel
    Code Integrity for Commodity OSes</a>, ACM Symposium
    on Operating Systems Principles (SOSP), ACM, October, 2007.
  • Plain text
    Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig.
    "SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel
    Code Integrity for Commodity OSes". ACM Symposium on
    Operating Systems Principles (SOSP), ACM, October, 2007.
  • BibTeX
    @inproceedings{SeshadriLukQuPerrig07_SecVisorTinyHypervisorToProvideLifetimeKernelCodeIntegrity,
        author = {Arvind Seshadri and Mark Luk and Ning Qu and
                  Adrian Perrig},
        title = {SecVisor: A Tiny Hypervisor to Provide Lifetime
                  Kernel Code Integrity for Commodity OSes},
        booktitle = {ACM Symposium on Operating Systems Principles
                  (SOSP)},
        organization = {ACM},
        month = {October},
        year = {2007},
        abstract = {We propose SecVisor, a tiny hypervisor that
                  ensures code integrity for commodity OS kernels.
                  In particular, SecVisor ensures that only
                  user-approved code can execute in kernel mode over
                  the entire system lifetime. This protects the
                  kernel against code injection attacks, such as
                  kernel rootkits. SecVisor can achieve this
                  property even against an attacker who controls
                  everything but the CPU, the memory controller, and
                  system memory chips. Further, SecVisor can even
                  defend against attackers with knowledge of
                  zero-day kernel exploits. Our goal is to make
                  SecVisor amenable to formal verification and
                  manual audit, thereby making it possible to rule
                  out known classes of vulnerabilities. To this end,
                  SecVisor offers small code size and small external
                  interface. We rely on memory virtualization to
                  build SecVisor and implement two versions, one
                  using software memory virtualization and the other
                  using CPU-supported memory virtualization. The
                  code sizes of the runtime portions of these
                  versions are 1739 and 1112 lines, respectively.
                  The size of the external interface for both
                  versions of SecVisor is 2 hypercalls. It is easy
                  to port OS kernels to SecVisor. We port the Linux
                  kernel version 2.6.20 by adding 12 lines and
                  deleting 81 lines, out of a total of approximately
                  4.3 million lines of code in the kernel.},
        URL = {http://www.truststc.org/pubs/384.html}
    }
    

Posted by Adrian Perrig on 2 May 2008.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.