Ecole d'ingénieur et centre de recherche en Sciences du numérique

On the feasibility of software attacks on commodity virtual machine monitors via direct device assignment

Pek, Gabor; Lanzi, Andrea; Srivastava, Abhinav; Balzarotti, Davide; Francillon, Aurélien; Neumann, Christoph

ASIACCS 2014, 9th ACM Symposium on Information, Computer and Communications Security, June 4-6, 2014, Kyoto, Japan

The security of virtual machine monitors (VMMs) is a challenging and active field of research. In particular, due to the increasing significance of hardware virtualization in cloud solutions, it is important to clearly understand existing and arising VMM-related threats. Unfortunately, there is still a lot of confusion around this topic as many attacks presented in the past have never been implemented in practice or tested in a realistic scenario. In this paper, we shed light on VM related threats and defences by implementing, testing, and categorizing a wide range of known and unknown attacks based on directly assigned devices. We executed these attacks on an exhaustive set of VMM configurations to determine their potential impact. Our experiments suggest that most of the previously known attacks are ineffective in current VMM setups. We also developed an automatic tool, called PTFuzz, to discover hardware-level problems that affects current VMMs. By using PTFuzz, we found several cases of unexpected hardware behaviour, and a major vulnerability on Intel platforms that potentially impacts a large set of machines used in the wild. These vulnerabilities affect unprivileged virtual machines that use a directly assigned device (e.g., network card) and have all the existing hardware protection mechanisms enabled. Such vulnerabilities either allow an attacker to generate a host-side interrupt or hardware faults, violating expected isolation properties. These can cause host software (e.g., VMM) halt as well as they might open the door for practical VMM exploitations. We believe that our study can help cloud providers and researchers to better understand the limitations of their current architectures to provide secure hardware virtualization and prepare for future attacks.

Document Doi Bibtex

Titre:On the feasibility of software attacks on commodity virtual machine monitors via direct device assignment
Mots Clés:I/O virtualization; Virtual Machine Monitor; Passthrough; Interrupt attack; DMA attack; MMIO; PIO
Type:Conférence
Langue:English
Ville:Kyoto
Pays:JAPON
Date:
Département:Sécurité numérique
Eurecom ref:4234
Copyright: © ACM, 2014. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2014, 9th ACM Symposium on Information, Computer and Communications Security, June 4-6, 2014, Kyoto, Japan http://dx.doi.org/10.1145/2590296.2590299
Bibtex: @inproceedings{EURECOM+4234, doi = {http://dx.doi.org/10.1145/2590296.2590299}, year = {2014}, title = {{O}n the feasibility of software attacks on commodity virtual machine monitors via direct device assignment}, author = {{P}ek, {G}abor and {L}anzi, {A}ndrea and {S}rivastava, {A}bhinav and {B}alzarotti, {D}avide and {F}rancillon, {A}ur{\'e}lien and {N}eumann, {C}hristoph }, booktitle = {{ASIACCS} 2014, 9th {ACM} {S}ymposium on {I}nformation, {C}omputer and {C}ommunications {S}ecurity, {J}une 4-6, 2014, {K}yoto, {J}apan}, address = {{K}yoto, {JAPON}}, month = {06}, url = {http://www.eurecom.fr/publication/4234} }
Voir aussi: