* Integrity in untrusted environments
@ 2014-07-31 21:25 Shiva V
2014-07-31 21:40 ` Nakajima, Jun
2014-08-01 6:50 ` Paolo Bonzini
0 siblings, 2 replies; 5+ messages in thread
From: Shiva V @ 2014-07-31 21:25 UTC (permalink / raw)
To: kvm
Hello,
I am exploring ideas to implement a service inside a virtual machine on
untrusted hypervisors under current cloud infrastructures.
Particularly, I am interested in how one can verify the integrity of the
service in an environment where the hypervisor is not trusted. This is my setup.
1. I have two virtual machines (normal client VMs).
2. VM-A is executing a service and VM-B wants to verify its integrity.
3. Both are executing on an untrusted hypervisor.
Though Intel SGX will solve this by using the concept of enclaves, it's not
publicly available yet.
One could also use SMM to verify the integrity. But since this is a time-based
approach, one could easily exploit the time window in between.
I was drilling down into this idea. We know the Write xor Execute memory protection
scheme. Using this idea, if we could lock down the VM-A memory pages where
the service is running and also the corresponding page-table entries, then have
handler code that temporarily unlocks them for legitimate updates, then
one could verify the integrity of the service running.
Since if an attacker needs to inject some malicious code, he needs to update
the page tables, and if these are locked down, he will not be able to inject
arbitrary code without notice, since the unmodified hypervisor handler will
not handle this situation.
But here are my questions:
1. Is write xor execute a feasible solution in cloud environments? Since this
scheme fails or could be exploited if there is a double mapping. So, what if
there is a mapping from different VMs to the same physical memory? Will this
fail?
2. What are the security threats involved if one proceeds with this scheme?
Any help in this regard is greatly appreciated.
* Re: Integrity in untrusted environments
From: Nakajima, Jun @ 2014-07-31 21:40 UTC (permalink / raw)
To: Shiva V; +Cc: kvm@vger.kernel.org
On Thu, Jul 31, 2014 at 2:25 PM, Shiva V <shivaramakrishnan740@gmail.com> wrote:
> Hello,
> I am exploring ideas to implement a service inside a virtual machine on
> untrusted hypervisors under current cloud infrastructures.
> Particularly, I am interested in how one can verify the integrity of the
> service in an environment where the hypervisor is not trusted. This is my setup.
>
> 1. I have two virtual machines (normal client VMs).
> 2. VM-A is executing a service and VM-B wants to verify its integrity.
> 3. Both are executing on an untrusted hypervisor.
>
> Though Intel SGX will solve this by using the concept of enclaves, it's not
> publicly available yet.
Just a clarification. The concept of enclaves and the specs of Intel SGX
are publicly available.
See the following, for example:
https://software.intel.com/en-us/intel-isa-extensions
--
Jun
Intel Open Source Technology Center
* Re: Integrity in untrusted environments
From: Shiva V @ 2014-07-31 22:19 UTC (permalink / raw)
To: kvm
Nakajima, Jun <jun.nakajima <at> intel.com> writes:
> On Thu, Jul 31, 2014 at 2:25 PM, Shiva V <shivaramakrishnan740 <at> gmail.com> wrote:
>> Hello,
>> I am exploring ideas to implement a service inside a virtual machine on
>> untrusted hypervisors under current cloud infrastructures.
>> Particularly, I am interested in how one can verify the integrity of the
>> service in an environment where the hypervisor is not trusted. This is my
>> setup.
>> 1. I have two virtual machines (normal client VMs).
>> 2. VM-A is executing a service and VM-B wants to verify its integrity.
>> 3. Both are executing on an untrusted hypervisor.
>> Though Intel SGX will solve this by using the concept of enclaves, it's
>> not publicly available yet.
> Just a clarification. The concept of enclaves and the specs of Intel SGX
> are publicly available.
> See the following, for example:
> https://software.intel.com/en-us/intel-isa-extensions
Thanks for the reply. By mentioning "not publicly available",
I meant that Intel SGX processors are not available on the market yet.
* Re: Integrity in untrusted environments
From: Paolo Bonzini @ 2014-08-01 6:50 UTC (permalink / raw)
To: Shiva V, kvm
On 31/07/2014 23:25, Shiva V wrote:
> Hello,
> I am exploring ideas to implement a service inside a virtual machine on
> untrusted hypervisors under current cloud infrastructures.
> Particularly, I am interested in how one can verify the integrity of the
> service in an environment where the hypervisor is not trusted. This is my setup.
>
> 1. I have two virtual machines (normal client VMs).
> 2. VM-A is executing a service and VM-B wants to verify its integrity.
> 3. Both are executing on an untrusted hypervisor.
>
> Though Intel SGX will solve this by using the concept of enclaves, it's not
> publicly available yet.
>
> One could also use SMM to verify the integrity. But since this is a time-based
> approach, one could easily exploit the time window in between.
>
> I was drilling down into this idea. We know the Write xor Execute memory protection
> scheme. Using this idea, if we could lock down the VM-A memory pages where
> the service is running and also the corresponding page-table entries, then have
> handler code that temporarily unlocks them for legitimate updates, then
> one could verify the integrity of the service running.
You can make a malicious hypervisor that makes all executable pages also
writable, but hides the fact from the running process. But really, if you
control the hypervisor you can just write to guest memory as you wish.
SMM will be emulated by the hypervisor.
If the hypervisor is untrusted, you cannot solve _everything_. For the
third time, what attacks are you trying to protect from?
Paolo
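Two points in the thread can be made concrete with a small model: Shiva's question about double mappings (whether W^X still holds when entries from different VMs reach the same physical memory) and Paolo's point that a hypervisor can show the guest a clean page table while the tables the MMU really walks say something else, or simply write host memory directly. The following is an added example written for this page, not code from the thread or from KVM; the VM names, page and frame numbers, permission tables, and the split between "guest-visible" and "hardware" tables are constructed simplifications of real two-level translation (shadow page tables or EPT).

```python
"""Toy model of guest memory mappings under a hypervisor, constructed for this
thread (it is not KVM code).  Two points from the discussion are made concrete:

1. A W^X audit that looks at one page-table entry at a time misses aliases:
   two entries, possibly in different VMs, can reach the same physical frame,
   one writable and one executable.  A frame-centric audit catches that.
2. A guest can only read the tables the hypervisor lets it see.  The tables
   the MMU really walks (shadow page tables or EPT) belong to the hypervisor,
   so a guest-side audit can pass while the real mapping is RWX, and a direct
   hypervisor write into host memory consults no table at all.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

R, W, X = 1, 2, 4  # permission bits


@dataclass(frozen=True)
class Mapping:
    vm: str      # VM whose address space this entry belongs to
    vpage: int   # virtual page number inside that VM
    frame: int   # physical frame the MMU actually reaches
    perms: int   # R/W/X bits the MMU applies


def perm_str(p: int) -> str:
    """Render permission bits in 'rwx' style, e.g. R|X -> 'r-x'."""
    return "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


def per_mapping_wx_violations(mappings: List[Mapping]) -> List[Mapping]:
    """Naive audit: flag only entries that are themselves both W and X."""
    return [m for m in mappings if m.perms & W and m.perms & X]


def per_frame_wx_violations(mappings: List[Mapping]) -> Dict[int, List[Mapping]]:
    """Frame-centric audit: group every entry (from any VM) by the frame it
    reaches and flag frames that are writable through one entry and
    executable through another.  This is the check that survives aliases."""
    by_frame: Dict[int, List[Mapping]] = defaultdict(list)
    for m in mappings:
        by_frame[m.frame].append(m)
    bad: Dict[int, List[Mapping]] = {}
    for frame, entries in by_frame.items():
        union = 0
        for m in entries:
            union |= m.perms
        if union & W and union & X:
            bad[frame] = entries
    return bad


def guest_audit(guest_visible: Dict[str, Dict[int, int]], vm: str) -> List[int]:
    """What a guest can do on its own: read the page table it is shown and
    return the virtual pages that look W+X.  It has no view of other VMs and
    no view of the hypervisor-owned tables."""
    return [vp for vp, p in guest_visible[vm].items() if p & W and p & X]


def hypervisor_direct_write(host_memory: Dict[int, bytes], frame: int, data: bytes) -> bytes:
    """The hypervisor owns host memory, so it writes a frame without any guest
    mapping or permission bit being consulted.  Returns the new contents."""
    host_memory[frame] = data
    return host_memory[frame]


# --- constructed scenario (hypothetical VMs, pages and frames) -------------
# Entries the MMU really walks, maintained by the hypervisor.
HW_MAPPINGS = [
    Mapping("VM-A", 0x10, frame=7, perms=R | X),      # service code, clean on its own
    Mapping("VM-A", 0x20, frame=8, perms=R | W),      # service data
    Mapping("VM-B", 0x30, frame=7, perms=R | W),      # alias: VM-B can write VM-A's code
    Mapping("VM-A", 0x40, frame=9, perms=R | W | X),  # hypervisor relaxed this entry
]

# What each guest sees when it reads "its" page table.  The hypervisor shows
# VM-A a clean copy of entry 0x40 and nothing about VM-B's alias of frame 7.
GUEST_VISIBLE = {
    "VM-A": {0x10: R | X, 0x20: R | W, 0x40: R | X},
    "VM-B": {0x30: R | W},
}


if __name__ == "__main__":
    print("guest-side audit of VM-A:", guest_audit(GUEST_VISIBLE, "VM-A"))
    print("per-mapping audit:", [(m.vm, hex(m.vpage), perm_str(m.perms))
                                 for m in per_mapping_wx_violations(HW_MAPPINGS)])
    for frame, entries in sorted(per_frame_wx_violations(HW_MAPPINGS).items()):
        print(f"frame {frame} reachable as",
              ", ".join(f"{m.vm}:{hex(m.vpage)} {perm_str(m.perms)}" for m in entries))
    mem = {7: b"service code"}
    hypervisor_direct_write(mem, 7, b"patched")
    print("frame 7 after direct hypervisor write:", mem[7])
```

Running it shows the three views diverge: the guest-side audit of VM-A reports nothing, the per-mapping audit flags only the RWX entry at 0x40, and the frame-centric audit additionally flags frame 7, which is executable through VM-A and writable through VM-B's alias. The last step is the part no page-table check sees at all: the hypervisor rewrites frame 7 without touching any mapping, which is the point Paolo makes about controlling the hypervisor.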
* Re: Integrity in untrusted environments
From: Shiva V @ 2014-08-01 15:43 UTC (permalink / raw)
To: kvm
Paolo Bonzini <pbonzini <at> redhat.com> writes:
>
>> Hello,
>> I am exploring ideas to implement a service inside a virtual machine on
>> untrusted hypervisors under current cloud infrastructures.
>> Particularly, I am interested in how one can verify the integrity of the
>> service in an environment where the hypervisor is not trusted. This is my
>> setup.
>> 1. I have two virtual machines (normal client VMs).
>> 2. VM-A is executing a service and VM-B wants to verify its integrity.
>> 3. Both are executing on an untrusted hypervisor.
>> Though Intel SGX will solve this by using the concept of enclaves, it's
>> not publicly available yet.
>> One could also use SMM to verify the integrity. But since this is a time-based
>> approach, one could easily exploit the time window in between.
>> I was drilling down into this idea. We know the Write xor Execute memory protection
>> scheme. Using this idea, if we could lock down the VM-A memory pages where
>> the service is running and also the corresponding page-table entries, then have
>> handler code that temporarily unlocks them for legitimate updates, then
>> one could verify the integrity of the service running.
> You can make a malicious hypervisor that makes all executable pages also
> writable, but hides the fact from the running process. But really, if you
> control the hypervisor you can just write to guest memory as you wish.
> SMM will be emulated by the hypervisor.
> If the hypervisor is untrusted, you cannot solve _everything_. For the
> third time, what attacks are you trying to protect from?
> Paolo
Thanks Paolo, I was considering all critical attacks possible that a client
virtual machine could face under the untrusted hypervisor scenarios. For
example, memory-based, hypervisor-based and a few major side-channel attacks. I
am ignoring the network-based attacks for the time being.
And one more question on your reply. I didn't understand what you were
trying to describe here:
"You can make a malicious hypervisor that makes all executable pages also
writable, but hides the fact from the running process. But really, if you
control the hypervisor you can just write to guest memory as you wish"
This is my understanding; correct me if I am wrong here.
If we lock down the code pages of the genuine hypervisor as I discussed before,
isn't it sufficient? Because essentially the hypervisor is the one that handles
the traps from the virtual machines for execution. So, even if the hypervisor
wishes to write to the client virtual machine, it will be captured since the
memory pages of the hypervisor are locked down and this is essentially
non-bypassable.