Eliminating the hypervisor attack surface for a more secure cloud

Jakub Szefer, Eric Keller, Ruby Bei-Loh Lee, Jennifer L. Rexford

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

180 Scopus citations

Abstract

Cloud computing is quickly becoming the platform of choice for many web services. Virtualization is the key underlying technology enabling cloud providers to host services for a large number of customers. Unfortunately, virtualization software is large, complex, and has a considerable attack surface. As such, it is prone to bugs and vulnerabilities that a malicious virtual machine (VM) can exploit to attack or obstruct other VMs - a major concern for organizations wishing to move "to the cloud." In contrast to previous work on hardening or minimizing the virtualization software, we eliminate the hypervisor attack surface by enabling the guest VMs to run natively on the underlying hardware while maintaining the ability to run multiple VMs concurrently. Our NoHype system embodies four key ideas: (i) pre-allocation of processor cores and memory resources, (ii) use of virtualized I/O devices, (iii) minor modifications to the guest OS to perform all system discovery during bootup, and (iv) avoiding indirection by bringing the guest virtual machine in more direct contact with the underlying hardware. Hence, no hypervisor is needed to allocate resources dynamically, emulate I/O devices, support system discovery after bootup, or map interrupts and other identifiers. NoHype capitalizes on the unique use model in cloud computing, where customers specify resource requirements ahead of time and providers offer a suite of guest OS kernels. Our system supports multiple tenants and capabilities commonly found in hosted cloud infrastructures. Our prototype utilizes Xen 4.0 to prepare the environment for guest VMs, and a slightly modified version of Linux 2.6 for the guest OS. Our evaluation with both SPEC and Apache benchmarks shows a roughly 1% performance gain when running applications on NoHype compared to running them on top of Xen 4.0. Our security analysis shows that, while there are some minor limitations with current commodity hardware, NoHype is a significant advance in the security of cloud computing.

Original language: English (US)
Title of host publication: CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security
Pages: 401-412
Number of pages: 12
DOIs: https://doi.org/10.1145/2046707.2046754
State: Published - Nov 14 2011
Event: 18th ACM Conference on Computer and Communications Security, CCS'11 - Chicago, IL, United States
Duration: Oct 17 2011 - Oct 21 2011

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Other

Other: 18th ACM Conference on Computer and Communications Security, CCS'11
Country: United States
City: Chicago, IL
Period: 10/17/11 - 10/21/11

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Keywords

  • Attack vectors
  • Hardware security
  • Hypervisor security
  • Multicore
  • Secure cloud computing
  • Virtualization


  • Cite this

    Szefer, J., Keller, E., Lee, R. B-L., & Rexford, J. L. (2011). Eliminating the hypervisor attack surface for a more secure cloud. In CCS'11 - Proceedings of the 18th ACM Conference on Computer and Communications Security (pp. 401-412). (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/2046707.2046754