Jeroen Van Cleemput
+32 9 264 98 54 (phone)
+32 9 264 35 94 (fax)
System Software Lab
Computing Systems Lab (CSL)
Electronics and Information Systems (ELIS) department
Sint Pietersnieuwstraat 41
Efficient Protection against information leaks in virtual machines
After the breakthrough of process virtualization with Java and .net, system virtualization is also making strong headway with products as VMWare, Xen, VirtualBox and Android. In datacenters it is mainly used for consolidating server hardware. On desktops and laptops however, it is used to facilitate system administration and finally on embedded systems security and isolation are the main advantages. For example on a cell phone, system virtualization can be used to make sure user application can't harm the communication subsystem, despite the fact that both are running on the same processor. Virtualization is increasingly applied to applications that require extra security measures, like bank transactions and processing confidential data.
Few people however question the safety risks of this extra software layer. Security measures using the traditional protection domains like user and kernel mode don't apply anymore when those domains are used inside a virtual machine running as a user mode program on top of the operating system. With the lack of a trusted computing base (TCB), which can not be guaranteed for this kind of system virtualization, all protection domains within the VM are equally vulnerable as other programs.
Besides the security problems with compromised VMs described above, even trusted VMs can pose security related problems. Simple experiments demonstrate how carefully secured code can be optimized by a Just-In-Time compiler or binary translator, effectively removing the security measures. Such effects could in their turn lead to information leaks between VMs, just as they have existed for a long time between different user mode programs. Indeed VMs have separated virtual resources, but they till share the physical resources (processors, memory, disksâ€¦), which can serve as covert communication channels through which VMs can observe each other. This, in combination with detailed knowledge about the workload of the other machine, is in some cases sufficient to obtain secured information like the hamming weight of and encryption key. An information leak like that isn't fundamentally different from similar leaks between processes on the same operating system. The use of VMs however deprives the user and applications of the possibility to check with which other applications resources are shared. They make the problem even worse.
Securing critical software is an expensive and complex process because it requires thorough knowledge about the TCB, which consists of the underlying hardware, system software and the possible covert communication channels. The used security measures are by consequence not easily portable to other hardware or system software. This further increases the cost of securing software. Designing software requires a lot of effort from the programmer, which reduces productivity and thus increases the cost of producing software. As already mentioned above, current VMs only add extra problems.
All this shows that the use of virtualization, initially famed for its isolation possibilities, is in fact far from evident in a secure environment. The fundamental problem is that the application programmer is responsible for securing his software against information leaks through covert channels in physical hardware components, while he only has the virtual components of the VM to work with. These headaches for the programmer lower his productivity, thus making software unnecessarily expensive, and moreover still not guaranteed safe.
The goal of this project is to develop virtual machines that are free of information leaks through covert communication channels. Consequently security measures don't have to be taken on application level, they are agreed upon in a contract between the virtual machine and the user. This way we want to obtain safer, more efficient software and increase the productivity of the programmer. More precisely we want to increase the productivity of the programmer by separating security requirements from implementation details of the sofware. Instead of obligating the programmer to apply security measures in algorithms, source code or programming tools, we will develop a contract based approach that will allow the programmer to specify his security needs, completely independent of the domain specific development tools. This specification will be in terms of security requirements only and not in terms of properties of the underlying hardware. Translation between the different domains, i.e. from the security domain to the hardware domain, will be the responsibility of the VM. This way applications and contracts are portable and can be used easily. The main challenge (and innovation) for the project is to define a practical, usable and sufficiently abstract contract specification and in particular the automatic translation from abstract contracts to security mechanisms on the software-hardware interface.
In the manner outlined we will bundle the complexity associated with securing information leaks in the VM. This fits in the European and worldwide shared vision that 90% of the programmers work as so-called productivity programmers in their own domain-specific environment, without having to worry about hardware-dependent implementation details. The remaining 10% of the programmers are the efficiency programmers, who need to supply the productivity programmers with the necessary tools. The project proposed here is clearly part of the solution to reach that ideal situation, which is also a strategic goal of the PARIS research group. Once this situation is established, only the efficiency programmers, as experts, will have to worry about security measures. Eventually this will lead to more secure software. The challenge in this area is to identify the best security measures to mitigate information leaks, and that are suitable for use in VMs with Just-In-Time compilation.
Finally moving the responsibility of security to the VM offers the possibility to produce more efficient software. For that we will make the security measures adaptive. Where a programmer needs to assume the worst case scenario, i.e. his software will always share resources with hostile applications that try to steal sensitive information through the shared resources, a VM has runtime information about the execution of the program, like the knowledge that there no other application is executing on the same processor. In that case sensitive information doesn't need to be protected and the VM can use all means to accelerate the application. For this we will need to develop innovative strategies that dynamically use the best suited security measures at any time, based on the security contracts and the current state of the system.
We will first develop active and then passive security measures. Passive security measures are completely developed and implemented within the VM, so every application running on the VM can enjoy complete security. For the active security measures, applications and VM will work together to reduce the security overhead. New applications will have to specify which parts need to be secured and on what level. We will supply programmers of the necessary tools to simplify and automate this process, for example by using offline analysis tools.
These goals are clearly in line with the fifth VRWB cluster and are priorities for user friendly and safe advanced ICT networks.
Efficient Protection against information leaks in virtual machines
Publications to Appear
- Jeroen Van Cleemput, Bart Coppens and Bjorn De Sutter Compiler mitigations for time attacks on modern x86 processors ACM TRANSACTIONS ON ARCHITECTURE AND CODE OPTIMIZATION, Vol. 8(4), pp. 20 (2012)
- Jeroen Van Cleemput Verdedigingsmechanismen tegen micro-architecturale crypto-analyse Afstudeerwerk FEA, UGent, pp. (2009)