Graduate School and Research Center in Digital Sciences

On the feasibility of software attacks on commodity virtual machine monitors via direct device assignment

Pek, Gabor; Lanzi, Andrea; Srivastava, Abhinav; Balzarotti, Davide; Francillon, Aurélien; Neumann, Christoph

ASIACCS 2014, 9th ACM Symposium on Information, Computer and Communications Security, June 4-6, 2014, Kyoto, Japan

The security of virtual machine monitors (VMMs) is a challenging and active field of research. In particular, due to the increasing significance of hardware virtualization in cloud solutions, it is important to clearly understand existing and arising VMM-related threats. Unfortunately, there is still a lot of confusion around this topic as many attacks presented in the past have never been implemented in practice or tested in a realistic scenario. In this paper, we shed light on VM related threats and defences by implementing, testing, and categorizing a wide range of known and unknown attacks based on directly assigned devices. We executed these attacks on an exhaustive set of VMM configurations to determine their potential impact. Our experiments suggest that most of the previously known attacks are ineffective in current VMM setups. We also developed an automatic tool, called PTFuzz, to discover hardware-level problems that affects current VMMs. By using PTFuzz, we found several cases of unexpected hardware behaviour, and a major vulnerability on Intel platforms that potentially impacts a large set of machines used in the wild. These vulnerabilities affect unprivileged virtual machines that use a directly assigned device (e.g., network card) and have all the existing hardware protection mechanisms enabled. Such vulnerabilities either allow an attacker to generate a host-side interrupt or hardware faults, violating expected isolation properties. These can cause host software (e.g., VMM) halt as well as they might open the door for practical VMM exploitations. We believe that our study can help cloud providers and researchers to better understand the limitations of their current architectures to provide secure hardware virtualization and prepare for future attacks.

Document Doi Bibtex

Title:On the feasibility of software attacks on commodity virtual machine monitors via direct device assignment
Keywords:I/O virtualization; Virtual Machine Monitor; Passthrough; Interrupt attack; DMA attack; MMIO; PIO
Type:Conference
Language:English
City:Kyoto
Country:JAPAN
Date:
Department:Digital Security
Eurecom ref:4234
Copyright: © ACM, 2014. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2014, 9th ACM Symposium on Information, Computer and Communications Security, June 4-6, 2014, Kyoto, Japan http://dx.doi.org/10.1145/2590296.2590299
Bibtex: @inproceedings{EURECOM+4234, doi = {http://dx.doi.org/10.1145/2590296.2590299}, year = {2014}, title = {{O}n the feasibility of software attacks on commodity virtual machine monitors via direct device assignment}, author = {{P}ek, {G}abor and {L}anzi, {A}ndrea and {S}rivastava, {A}bhinav and {B}alzarotti, {D}avide and {F}rancillon, {A}ur{\'e}lien and {N}eumann, {C}hristoph }, booktitle = {{ASIACCS} 2014, 9th {ACM} {S}ymposium on {I}nformation, {C}omputer and {C}ommunications {S}ecurity, {J}une 4-6, 2014, {K}yoto, {J}apan}, address = {{K}yoto, {JAPAN}}, month = {06}, url = {http://www.eurecom.fr/publication/4234} }
See also: