Virtual malware faces HyperSafe lockdown

A team of researchers has come up with a way to stop malicious code from spreading from one virtual machine to the hypervisor and from there to other virtual machines.

The researchers from North Carolina State University said that their "hypersafe" technology could protect virtualised system against this kind of threat, known as "virtual machine escape". The team's research is set to be presented in a paper called HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity on 18 May at the thirty-first IEEE Symposium.

While such virtual machine risks remain largely theoretical, the fear of them is holding back wider adoption of technologies such as cloud computing, according to assistant professor of computer science Xuxian Jiang and PhD student Zhi Wang, the developers of the technology.

Cloud computing routinely relies on virtualisation to host the computing capacity of multiple customers on the same physical system, raising the possibility that a compromise of a virtual machine belonging to one customer could spread to those of other customers.

The software developed by Jiang and Wang, called HyperSafe, aims at stopping such attacks by protecting the integrity of the hypervisor, they said.

It uses two techniques to ensure this integrity: non-bypassable memory lockdown and restricted pointer indexing. The first relies on security features built into modern processors to lock down the memory range that includes executable code, according to the researchers.

The effect is to protect the hypervisor's code and static data from being compromised, even in the presence of exploitable memory corruption bugs such as buffer overflows, they said. New code can only be introduced by the hypervisor administrator.

The second technique — restricted pointer indexing — creates an initial profile of the hypervisor's normal behaviour, and then prevents any deviation from that profile.

"Restricted pointer indexing introduces one layer of indirection to convert the control data into pointer indexes," Jiang and Wang wrote in the paper. "These pointer indexes are restricted such that the corresponding call/return targets strictly follow the hypervisor control flow graph, hence expanding protection to control-flow integrity."

Only the hypervisor administrators can introduce changes to the hypervisor code, according to Jiang.

So far the HyperSafe code developed by Jiang and Wang works with the BitVisor and Xen hypervisors, but the researchers said it could be adapted for other Type-I, bare-metal hypervisors such as VMware ESX and Microsoft Hyper-V.

In its current form the hypervisor code would need to be modified to work with HyperSafe, the researchers said. They said they currently have no plans to commercialise the project, but are open to working with software vendors.

HyperSafe was developed with funding from the US Army Research Office and the National Science Foundation.

Commercial vendors have also begun to recognise the importance of security for pushing cloud adoption. In January, for instance, Cisco, VMware and NetApp announced a three-way partnership and a new architecture for secure, multi-tenant cloud datacentres.

The Secure Multi-tenancy Design Architecture (SMDA) works across existing products from the three companies to isolate the IT resources and applications of different clients or business units that share a common cloud infrastructure.