Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scientists Propose Guaranteed Hypervisor Security

Posted by kdawson on from the can't-write-there dept.

schliz writes "NCSU researchers are attempting to address today's 'blind trust' of virtualization with new security techniques that 'guarantee' malware does not infect hypervisors. Their HyperSafe software uses the write-protect bit on hypervisor hardware, as well as a technique called restricted pointer indexing, which characterizes the normal behavior of the system and prevents any deviation. A proof-of-concept prototype has been tested on BitVisor and Xen, in research that will be presented (PDF) at an IEEE conference today."

2 of 104 comments (clear)

  1. Re:Dangerous by fuzzyfuzzyfungus · · Score: 3, Interesting

    Well, to be fair, CS is math, and can involve definite formal proofs, Now, once you compromise on hardware requirements(Due to a scarcity of Turing machines, $IDEAL_ALGORITHM has been ported to x86...) or have to produce software at the speed of programming rather than the speed of proof...

  2. Re:Dangerous by OeLeWaPpErKe · · Score: 3, Interesting

    One thing that does seem curiously absent is how the NX bit helps you with DMA transfers. Ok, granted, you'd need to trick hardware other than the cpu into overwriting it, but given how much buggy hardware *cough* wireless broadcom chips for example *cough* there is in this imperfect world that isn't going to take all that long.

    So you'd need to forbid virtual machines from accessing any non-emulated hardware* (which I'd say is going to cost you in performance) and even then any mistake in the hypervisor's drivers for the real hardware will be fatal (the latest linux release needed about 6.3 megabytes to describe the driver changes done)

    * if you allow direct access to any device capable of DMA transfers, that will enable the VM to overwrite any memory it chooses