Thursday, October 25, 2007

Razor-Thin Hypervisors

I just came back from Stockholm where I attended the Virtualization Forum, and saw several, quite interesting vendor presentations. One that caught my attention was a talk by VMware, and especially the part that talked about the new ESX 3i hypervisor and presented it as "razor-thin". This "razor-thin" hypervisor will have, according to VMWare, the footprint "of only 32MB".

My regular readers might sense that I’m a bit ironic here. Well, 32MB of code is definitely not a "razor-thin" hypervisor in my opinion and it’s not even close to a thin hypervisor... But why am I so picky about it? Is it really that important?

Yes, I think so, because the bigger the hypervisor the more chances that there is a bug somewhere out there. And one of the reasons for using virtual machines is to provide isolation. Even if we use virtualization because of business reasons (server consolidation), still we want each VM to be properly isolated, to make sure that if an attackers "gets into" one VM, she will not be able to 0wn all the other VMs on the same hardware… In other words, isolation of VMs, is an extremely important feature.

During my presentation I also talked about thin hypervisors. I first referenced a few bugs that were found in various VMMs in the recent months by other researchers (congrats to Rafal Wojtczuk of McAfee for some interestingly looking bugs in VMWare and Microsoft products). I used them as an argument that we should move towards very thin hypervisor architecture, exploiting hardware virtualization extension as much as possible (e.g. Nested Paging/EPT, IOMMU/DEV/NoDMA, etc) and avoiding doing things "in software".

Nobody should be really surprised seeing VMMs bugs – after all we have seen so many bugs in OS kernels over years, so no surprise we will see more and more bugs in VMMs, unless we switch to very thin hypervisors, so thin that it would be possible to understand and verify their code by one person. Only then we would be able to talk about security advantage (in terms of isolation) offered by VMMs comparing to traditional OSes.

I couldn’t refrain myself from mentioning that the existence of those bugs in popular VMMs clearly shows that having a VMM already installed doesn’t currently prevent from the "Blue Pill threat" – a point often expressed by some virtualization vendors, who notoriously try to diminish the importance of this problem (i.e. the problem of virtualization based malware).

I also announced that Invisible Things Lab has just started working with Phoenix Technologies. Phoenix is the world leader in system firmware, particularly known for providing BIOSes for PCs for almost 25 years, and currently is working on a new product called HyperCore that would be a very thin and lightweight hypervisor for consumer systems. ITL will be helping Phoenix to ensure the security of this product.

HyperCore hypervisor will use all the latest hardware virtualization extensions, like e.g. Nested Paging/EPT to minimize the unnecessary complexity and to provide negligible performance impact. For the same reasons, the I/O access will go through almost natively, just like in case of our Blue Pill...

Speaking about Blue Pill – Phoenix is also interested in further research on Blue Pill, which will be used as a test bed for trying various ideas – e.g. nested virtualization, which might be adopted in the future versions of HyperCore to allow users to use other commercial VMMs inside their already-virtualized OSes. Blue Pill’s small size and minimal functionality makes it a convenient tool for experimenting. Phoenix will also support The Blue Pill Project which means that some parts of our research will be available for other researchers (including code)!

In case you still feel like having a look into my slides, you can get them here.

10 comments:

Anonymous said...

Theo de Radt mentions missind hardware capabilities to make V. really useful and that such capabilities would of course be added to the OS, so V. is not very helpful regarding security.

While I disagree with his overall result, I wonder what missing features he is talking about. Will everything be fine once we have IOMMU?

http://kerneltrap.org/OpenBSD/Virtualization_Security

Anonymous said...

Hypervisor Functional Specification

Brief Description

Microsoft Windows Server 2008
This document is the top-level functional specification (TLFS) of the first-generation Microsoft hypervisor. It specifies the externally-visible behavior. The document assumes familiarity with the goals of the project and the high-level hypervisor architecture...

http://www.microsoft.com/downloads/details.aspx?FamilyID=91e2e518-c62c-4ff2-8e50-3a37ea4100f5&DisplayLang=en

Anonymous said...

One note about nested VMs. Are they really providing a new layer of security or just being a resource and money effort? But the idea is very interesting.

Joanna Rutkowska said...

@nkr: I've never said that nested VMMs provide any additional level of security.

Anonymous said...

Always interesting posts but wish they were more frequent

Timov said...

You must be very busy, but please don't forget your blog :)

Joanna Rutkowska said...

Yup, I've been a bit busy recently, but promise to get back and start posting some more stuff here. I guess that would be mid-april...
joanna.

Anonymous said...

I've recently started studing about rootkit implementation for my BSC project.
I found your web site...Great! thanks :)

Anonymous said...

Ms Rutkowska, I am not a security expert; my friends say that you will probably discount what I say for that reason. But your research, which I can but understand partially, ultimately aims at protecting the systems of end users, the ordinary guy and gal. I am 65, a poet, and discovered several years ago that I was ignorant of computer security, so I began a journey of learning. I researched security relying on free online courses and the experts I vetted with the help of fellow members of S.I.N.(Subliminal Insidious Network, white hat hackers of which I am the grandpa). I know that you write for the pros, but consider including the non-experts like me who are ready and willing to learn. I am learning now to use IceSword, DarkSpy, and Gmer. I run my browsers with lower privilege or sandboxed, depending on whether I plan to download. I don't use the popular antiviruses or firewalls. I use NOD32 and Online Armor, though there are a few others with about equal efficacy. Before all this I hardened my XP Pro with the securest native settings. I helped my family and friends with setting up and securing their systems so much that they began to pay me without me soliciting it. None have been infected in years. My security recommendations have evolved as threats evolved. I am educating myself more to understand what you and other experts are doing. Please devote a small amount of your time addressing what we non-experts can learn. I am now, though still learning and evolving, in the position to translate what some of the experts have discovered into practical application to the end user. One of my cousins, 92, she has not had an infection in several years. She is the role model of what an ordinary user can do. I know that you probably do not recommend specific programs, but some general guidance can help me and others to make judicious choices.

Anonymous said...

to me, razor-thin is something that could comfortably fit inside a single DMA page