Design and Implementation of SecPod, A Framework for Virtualization-Based Security Systems

• Published in: IEEE transactions on dependable and secure computing Vol. 16; no. 1; pp. 44 - 57
• Main Authors: Wang, Xiaoguang, Qi, Yong, Wang, Zhi, Chen, Yue, Zhou, Yajin
• Format: Journal Article
• Language: English
• Published: Washington IEEE 01.01.2019; IEEE Computer Society
• Subjects: Cybersecurity; Data structures; Hardware; Kernel; kernel security; Kernels; Logic gates; operating system; Paging; paging-based isolation; Security; Security systems; Virtual machine monitors; Virtualization
• ISSN: 1545-5971; 1941-0018
• DOI: 10.1109/TDSC.2017.2675991

The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we present the design and implementation of SecPod, a practical and extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.