Design And Implementation Of Hypervisor Memory Protection Mechanism Based On The Nested Virtualization

Posted on: 2020-11-15
Degree: Master
Type: Thesis
Country: China
Candidate: W W Tang
GTID: 2428330623463785
Subject: Software engineering

Abstract/Summary:
The virtual machine monitor (i.e., hypervisor) is a key component of cloud computing and provides protection for guest virtual machines (VMs). The hypervisor maintains critical data used to manage and protect the VMs, and the security of the VMs is threatened if the integrity of this data is compromised. Unfortunately, a commodity hypervisor usually has a considerable attack surface, and its memory is prone to tampering by an attacker (a malicious VM), which threatens the security of other VMs.

To solve this problem, current solutions propose the hypervisor introspection (HVI) architecture, which leverages nested virtualization to run the hypervisor on top of a higher-privileged software layer (the nested hypervisor). HVI guarantees the memory security of the hypervisor by using a monitor to dynamically validate its behaviors. To ensure the security of the monitor, the monitor is placed in a trusted VM that is isolated from the untrusted hypervisor and protected by the nested hypervisor. Although monitoring from outside the hypervisor is very effective at guaranteeing its security, the large number of context switches between the hypervisor and the monitor incurs significant performance overhead in a nested virtualized environment, making HVI unsuitable for the cloud environment.

This paper introduces the In-Hypervisor Memory Introspection (IHMI) architecture, which is based on nested virtualization and protects the hypervisor's memory by monitoring its behaviors from inside it. IHMI aims to achieve higher performance than HVI while guaranteeing the same level of memory security as HVI. To improve performance, IHMI puts the monitor into the hypervisor and leverages hardware virtualization technologies to achieve an efficient switch between them. To ensure the security of the monitor, IHMI isolates the monitor from the untrusted hypervisor through the Extended Page Table (EPT). IHMI configures a unidirectional mapping in the EPT which allows the monitor to access the hypervisor's memory while forbidding the hypervisor from accessing the monitor's memory. Further, IHMI adopts a series of security policies to protect the monitor from attacks by the malicious hypervisor. In addition, the monitor uses the same page table as the hypervisor, and its EPT is constructed to replicate the hypervisor's guest virtual address to host physical address translation. Thus the monitor can access the hypervisor's memory at native speed, which helps to improve the performance of the monitor.

The security analysis shows that IHMI can guarantee the same level of memory security as HVI. In addition, the evaluation shows that switching between the monitor and the hypervisor in IHMI incurs 59.1 percent less overhead than in HVI. In IHMI, the monitor accesses the hypervisor's memory at more than five times the speed of HVI. The average performance cost of IHMI is only 4.54 percent, which is less than half that of HVI. At the same time, IHMI has lower overhead than HVI in all application scenarios, and in some application scenarios IHMI can reduce performance overhead by up to 44.91 percent compared to HVI.

Our work makes the following contributions:

· Based on nested virtualization, this paper proposes the In-Hypervisor Memory Introspection architecture. IHMI provides memory protection for the hypervisor using a monitor residing inside the hypervisor.
· IHMI ensures the same level of security as HVI and leverages hardware virtualization technologies to achieve better performance than HVI.

Keywords/Search Tags:Nested virtualization, Hypervisor introspection, Memory protection