SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes

SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes
Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig

Citation
Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig. "SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes". ACM Symposium on Operating Systems Principles (SOSP), ACM, October, 2007.

Abstract
We propose SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels. In particular, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime. This protects the kernel against code injection attacks, such as kernel rootkits. SecVisor can achieve this property even against an attacker who controls everything but the CPU, the memory controller, and system memory chips. Further, SecVisor can even defend against attackers with knowledge of zero-day kernel exploits. Our goal is to make SecVisor amenable to formal verification and manual audit, thereby making it possible to rule out known classes of vulnerabilities. To this end, SecVisor offers small code size and small external interface. We rely on memory virtualization to build SecVisor and implement two versions, one using software memory virtualization and the other using CPU-supported memory virtualization. The code sizes of the runtime portions of these versions are 1739 and 1112 lines, respectively. The size of the external interface for both versions of SecVisor is 2 hypercalls. It is easy to port OS kernels to SecVisor. We port the Linux kernel version 2.6.20 by adding 12 lines and deleting 81 lines, out of a total of approximately 4.3 million lines of code in the kernel.

Electronic downloads

http://sparrow.ece.cmu.edu/group/pub/seshadri_luk_qu_perrig_secvisor.pdf

Citation formats

HTML

Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig. <a
href="http://www.truststc.org/pubs/384.html"
>SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel
Code Integrity for Commodity OSes</a>, ACM Symposium
on Operating Systems Principles (SOSP), ACM, October, 2007.

Plain text

Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig.
"SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel
Code Integrity for Commodity OSes". ACM Symposium on
Operating Systems Principles (SOSP), ACM, October, 2007.

BibTeX

@inproceedings{SeshadriLukQuPerrig07_SecVisorTinyHypervisorToProvideLifetimeKernelCodeIntegrity,
    author = {Arvind Seshadri and Mark Luk and Ning Qu and
              Adrian Perrig},
    title = {SecVisor: A Tiny Hypervisor to Provide Lifetime
              Kernel Code Integrity for Commodity OSes},
    booktitle = {ACM Symposium on Operating Systems Principles
              (SOSP)},
    organization = {ACM},
    month = {October},
    year = {2007},
    abstract = {We propose SecVisor, a tiny hypervisor that
              ensures code integrity for commodity OS kernels.
              In particular, SecVisor ensures that only
              user-approved code can execute in kernel mode over
              the entire system lifetime. This protects the
              kernel against code injection attacks, such as
              kernel rootkits. SecVisor can achieve this
              property even against an attacker who controls
              everything but the CPU, the memory controller, and
              system memory chips. Further, SecVisor can even
              defend against attackers with knowledge of
              zero-day kernel exploits. Our goal is to make
              SecVisor amenable to formal verification and
              manual audit, thereby making it possible to rule
              out known classes of vulnerabilities. To this end,
              SecVisor offers small code size and small external
              interface. We rely on memory virtualization to
              build SecVisor and implement two versions, one
              using software memory virtualization and the other
              using CPU-supported memory virtualization. The
              code sizes of the runtime portions of these
              versions are 1739 and 1112 lines, respectively.
              The size of the external interface for both
              versions of SecVisor is 2 hypercalls. It is easy
              to port OS kernels to SecVisor. We port the Linux
              kernel version 2.6.20 by adding 12 lines and
              deleting 81 lines, out of a total of approximately
              4.3 million lines of code in the kernel.},
    URL = {http://www.truststc.org/pubs/384.html}
}

Posted by Adrian Perrig on 2 May 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.