SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes

Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig
[doi] [Google Scholar] [DBLP] [Citeseer]
Read: 03 November 2019

SOSP
Volume 41
ACM
Pages 335-350
2007
Topic(s): os security
Papers: franklin:cmu:2008

SecVisor is a hypervisor that virtualizes physical RAM, the MMU and the IO-MMU in order to protect the kernel executable code from modification. It uses the AMD architectural support for hypervisors to provide most of the protection and switches memory protection on every entry/exit from kernel. And it requires small changes to parts of Linux that normally load/modify the kernel executable: boot and module load/unload.

Although it is a hypervisor, only one virtual machine is supported – this keeps SecVisor small. Small kernel, lots of great detail about implementation, option to rely more on software (for use on older hardware that lacks virtualization support) and good benchmarking.

Limitations:

  • It seems that this paper came out more or less simultaneously with ROP/JOP attacks and, by itself, this work does not protect against these attacks since they do not modify the kernel code – they just repurpose it.

  • This is a uniprocessor hypervisor – discussion of MP support sounds plausible (although I worry about how switching protection on entry/exit could work?)

  • Self-modifying code is a major issue. The easy case is code that patches itself against known bugs.

See later paper by Franklin, et al. that describes security issues in design, use of formal verification to model design, fixes and performance impact.


  • Attacking, repairing, and verifying SecVisor: A retrospective on the security of a hypervisor [franklin:cmu:2008]