Scientists Propose Guaranteed Hypervisor Security

schliz writes "NCSU researchers are attempting to address today's 'blind trust' of virtualization with new security techniques that 'guarantee' malware does not infect hypervisors. Their HyperSafe software uses the write-protect bit on hypervisor hardware, as well as a technique called restricted pointer indexing, which characterizes the normal behavior of the system and prevents any deviation. A proof-of-concept prototype has been tested on BitVisor and Xen, in research that will be presented (PDF) at an IEEE conference today."

Dangerous

[Nerdfest]

It's very dangerous to say "guaranteed" when it comes to security. It's very rarely true.

Re:Dangerous

[fuzzyfuzzyfungus]

Well, to be fair, CS is math, and can involve definite formal proofs, Now, once you compromise on hardware requirements(Due to a scarcity of Turing machines, $IDEAL_ALGORITHM has been ported to x86...) or have to produce software at the speed of programming rather than the speed of proof...

Re:Dangerous

[T+Murphy]

Saying guaranteed is very dangerous for a corporation that will lose $$$ in sales should they be proven wrong. For researchers who are actually concerned about trying to make something that is guaranteed safe, using the word is great as it begs people to put them to the test. Better to be proven wrong quickly so they can get back to work, than to falsely believe it may truly be safe.

Re:Dangerous

[SharpFang]

"Guaranteed" is a sound mathematical concept that works flawlessly in a mathematically perfect environment.
It's not the algorithm that is usually compromised, it's the implementation. Like, the algorithm is based on strong randomness and none is assured, or the algorithm assumes a medium to be read-only while it is just write-protected in software and so on.

Re:Dangerous

[OeLeWaPpErKe]

One thing that does seem curiously absent is how the NX bit helps you with DMA transfers. Ok, granted, you'd need to trick hardware other than the cpu into overwriting it, but given how much buggy hardware *cough* wireless broadcom chips for example *cough* there is in this imperfect world that isn't going to take all that long.

So you'd need to forbid virtual machines from accessing any non-emulated hardware* (which I'd say is going to cost you in performance) and even then any mistake in the hypervisor's drivers for the real hardware will be fatal (the latest linux release needed about 6.3 megabytes to describe the driver changes done)

* if you allow direct access to any device capable of DMA transfers, that will enable the VM to overwrite any memory it chooses

Re:Dangerous

[ircmaxell]

Reminds me of the story of the Tortoise and the Crab from Gödel, Escher, Bach: An Eternal Golden Braid by Douglas R. Hofstadter. The Crab kept buying a "Perfect record player". One that could reproduce any sound possible. The Tortoise kept bringing over records that would induce harmonics and destroy the player. The conclusion drawn by Hofstadter was that if it's perfect, by the very nature of its perfection it can be destroyed by a record. In fact, all record players that reproduce a sound predictably can be destroyed by a record entitled "I Cannot Be Played on Record Player x". So that means that anything useful as a record player is vulnerable.

I think you can draw the same analogy here. There's always a way to break any system, no matter how "secure" you make it. The key is does the record player actually play records (is the computer useful in computing)? You could make a perfectly secure computer, so long as you never turn it on. But by the very nature that it's running, it's vulnerable to SOMETHING. It's a byproduct of working with a complex system... An application of Gödel's incompleteness theorem proves that in any sufficiently powerful formal system, there's always a question that can break that system (or at least break it with respect to that system). So basically the only secure computer is one that's incapable of actual computation. Once it becomes useful, there will always be a way to break it...

Re:Dangerous

[smallfries]

It's an interesting technique, but it is not a guarantee.

The summary doesn't mention the number of assumptions that the researchers make:
+ A working TPM module
+ An adversary limited to memory corruption
+ No unknown faults in the underlying system that can be exploited.

Also the second technique (restricter pointer indexing) relies on performing a static analysis of the target hypervisor and rewriting it into a suitable form. This is not guaranteed to terminate, let alone guaranteed to work, although it does on the small number of test-cases that they considered.

Seems like quite an interesting paper, standard amount of overselling for American academic work (where every paper solves the world) and a shame that the reviewers didn't tone down the claims a touch.

Re:Dangerous

[Enter+the+Shoggoth]

One thing that does seem curiously absent is how the NX bit helps you with DMA transfers. Ok, granted, you'd need to trick hardware other than the cpu into overwriting it, but given how much buggy hardware *cough* wireless broadcom chips for example *cough* there is in this imperfect world that isn't going to take all that long.

So you'd need to forbid virtual machines from accessing any non-emulated hardware* (which I'd say is going to cost you in performance) and even then any mistake in the hypervisor's drivers for the real hardware will be fatal (the latest linux release needed about 6.3 megabytes to describe the driver changes done)

* if you allow direct access to any device capable of DMA transfers, that will enable the VM to overwrite any memory it chooses

Although I have some very grave reservations about the idea of "guaranteeing" the security of a hypervisor (or anything else on x86 for that matter) you're DMA example is incorrect assuming that you use the lastest processors that have an IOMMU.

The real issue as the grandfather post points out is that you can provide a formal proof of any program the problem is that there is no formal proof of the correctness of any AMD or Intel CPU AFAIK.

Re:Dangerous

[ray-auch]

And I've seen woodworm...

Re:Dangerous

[Thanshin]

So what you mean is:

- Kill everyone
- Burn down all locations

Guys. I've got someone here who knows about protocol ICU2. There's been a leak. Apply procedure K111 to subject and all related to the sixth degree.

Re:Dangerous

[sexconker]

An application of Gödel's incompleteness theorem proves that in any sufficiently powerful formal system, there's always a question that can break that system (or at least break it with respect to that system). So basically the only secure computer is one that's incapable of actual computation. Once it becomes useful, there will always be a way to break it...

Bullshit.

Saying a perfect computer can't be secure because one of the things it can compute is how to break it's own security is absurd. You can simply define the computer as having limitations as to what it can do. To imply that such a computer is useless is to imply that all computers we have today are useless. All existing computers have physical and logical limitations.

Saying that this is then not a "perfect" computer is also bullshit. You can always wrap your output. You can always spit out the doomsday code instead of executing it. You can always escape your special characters.

The computer can still solve any problem you give it. It just won't execute it's own automatic suicide code. You can make one that does execute said code, but requires the user to confirm. You can make one that does execute said code, automatically. It all depends on how you want it to behave.

Defining a system that behaves in a certain way, then trying to get it to break that behavior is simply retarded. It's the nerd version of "Can God make a boulder so big he himself couldn't lift it?".

There are zero real-world implications of this "thinking" exercise, regardless or which end you look at it from, any conclusions you draw, etc.

Re:Dangerous

[SharpFang]

self-repairing systems.
only possible with multiple cores [parallel processing] and a limited speed of 'blotting' - two or more processes monitor validity of each-other and repair the damage if any, using undamaged code from read-only medium.
[so that even a glitch that makes an invalid process to 'repair' a valid one will do so with good data.

Re:Dangerous

[franl]

The world's shortest explaination of Godel's Incompleteness Theorem by Raymond Smullyan.

We have some sort of machine that prints out statements in some sort of language. It need not be a statement-printing machine exactly; it could be some sort of technique for taking statements and deciding if they are true. But lets think of it as a machine that prints out statements. In particular, some of the statements that the machine might (or might not) print look like these:

P*x (which means that the machine will print x)
NP*x (which means that the machine will never print x)
PR*x (which means that the machine will print xx)
NPR*x (which means that the machine will never print xx)

For example, NPR*FOO means that the machine will never print FOOFOO. NP*FOOFOO means the same thing. So far, so good.

Now, lets consider the statement NPR*NPR*. This statement asserts that the machine will never print NPR*NPR*.

Either the machine prints NPR*NPR*, or it never prints NPR*NPR*. If the machine prints NPR*NPR*, it has printed a false statement. But if the machine never prints NPR*NPR*, then NPR*NPR* is a true statement that the machine never prints.

So either the machine sometimes prints false statements, or there are true statements that it never prints. So any machine that prints only true statements must fail to print some true statements. Or conversely, any machine that prints every possible true statement must print some false statements too.

pdf?

[Cmdr-Absurd]

Link to a pdf version of the paper? Given recent security problems with that format, does anyone else find it funny?

Re:pdf?

[fuzzyfuzzyfungus]

Seems perfectly reasonable to me. Who would care more about provable hypervisor security than somebody with a badly infected guest?

They should have my cousin test this

[NotSoHeavyD3]

Because if anybody could get a machine infected it'd be him.

Re:Want guaranteed security?

[LordBmore]

Okay, I filled all of my servers with concrete and tossed them into the volcano. What next? I can't wait to tell my boss how secure we are.

Assumptions...

[DrYak]

And an even bigger assumption :

How does the über-secure hypervisor it-self know that it is running on the real hardware ? And is not simply stacked upon another layer of abstraction in the control of the malware ?