HyperMI: A Privilege-level VM Protection Approach against Compromised Hypervisor

Abstract

Sensitive data in guest virtual machine is easy to be leaked once hypervisor is compromised. Therefore, VM protection is important to protect the memory of VM from compromised hypervisor's malicious access causally. Previous efforts employ extra customized hardware or employ new software relying on a higher privilege level than hypervisor. This paper proposes HyperMI, a novel approach that provides a privilege-level secure execution environment for VM protection in cloud computing against compromised hypervisor. It provides HyperMI world, effective VM isolation and event-driven VM monitoring in order to prevent customers' sensitive data in VM from being leaked. HyperMI world, placed at the same privilege level with hypervisor, is a privilege-level secure isolated execution environment. As TCB, it is used for VM isolation and VM monitoring. What's the most important, HyperMI focuses on decoupling the function of interaction between hypervisor and VM and decoupling the function of address mapping of VM from hypervisor. As a result, HyperMI can only controls page mapping of VM and EPT updating when a page is allocated to a VM. We have implemented a prototype for KVM hypervisor with multiple Linux as guest OSes, which can be used in commercial cloud computing industry with portability and compatibility for all kinds of CPU platforms. The security analysis shows that this approach can provide protection for VM with effective isolation and event-driven monitoring, and the performance evaluation confirms the efficiency of HyperMI.