Toshiki Yagi
National Institute of Advanced Industrial Science and Technology
Publication
Featured research published by Toshiki Yagi.
european workshop on system security | 2011
Kuniyasu Suzaki; Kengo Iijima; Toshiki Yagi; Cyrille Artho
Memory deduplication shares same-content memory pages and reduces the consumption of physical memory. It is effective on environments that run many virtual machines with the same operating system. Memory deduplication, however, is vulnerable to memory disclosure attacks, which reveal the existence of an application or file on another virtual machine. Such an attack takes advantage of a difference in write access times on deduplicated memory pages that are re-created by Copy-On-Write. In our experience on KSM (kernel samepage merging) with the KVM virtual machine, the attack could detect the existence of sshd and apache2 on Linux, and IE6 and Firefox on WindowsXP. It also could detect a downloaded file on the Firefox browser. We describe the attack mechanism in this paper, and also mention countermeasures against this attack.
international workshop on security | 2014
Kuniyasu Suzaki; Toshiki Yagi; Kazukuni Kobara; Toshiaki Ishiyama
Recent device drivers are under threat of a targeted attack called Advanced Persistent Threat (APT), since some device drivers handle industrial infrastructure systems and/or contain sensitive data, e.g., secret keys for disk encryption and passwords for authentication. Even if attacks are found in these systems, it is not easy to update device drivers, since these systems are required to operate non-stop and these attacks are based on zero-day attacks. DriverGuard is developed to mitigate such problems. It is a lightweight hypervisor and can be inserted into a pre-installed OS (Windows) from USB memory at boot time. The memory regions for sensitive data in a Windows kernel are protected by VM introspection and stealth breakpoints in the hypervisor. The hypervisor recognizes the memory structure of the guest OS by VM introspection and manipulates a page table entry (PTE) using the stealth breakpoints technique. DriverGuard prevents malicious write access to the code region, which causes the Blue Screen of Death of Windows, and malicious read and write access to the data region, which causes information leakage. The current implementation is applied to pre-installed Windows7 and increases the security of device drivers from outside of the OS.
Archive | 2012
Kuniyasu Suzaki; Toshiki Yagi; Kengo Iijima; Cyrille Artho; Yoshihito Watanabe
CAS (Content Addressable Storage) systems reduce the total volume of virtual disks with a deduplication technique. The effects of deduplication have been evaluated and confirmed in some papers. Most evaluations, however, were achieved with a small chunk size (4KB-8KB) and did not consider I/O optimization (disk prefetch) in real usage. Effective disk prefetch is larger than the chunk size and causes many CAS operations. Furthermore, previous evaluations did not consider the ratio of effective data in a chunk. The ratio is improved by block reallocation of the file system, which considers the access profile. Chunk size should be decided by considering these effects in real usage. This paper evaluates the effectiveness of deduplication on a large chunk of a CAS system, which considers the optimization for disk prefetch and effective data in a chunk. The optimization was achieved for the boot procedure, because it is a mandatory operation on any operating system. The results showed that a large chunk (256KB) was effective on booting Linux and could maintain the effect of deduplication.
network computing and applications | 2005
Kuniyasu Suzaki; Kengo Iijima; Toshiki Yagi; Hideyuki Tan; Kazuhiro Goto
KNOPPIX is a bootable CD with a collection of GNU/Linux software. KNOPPIX is very convenient, but it requires downloading a 700 MB ISO image and burning a CD-ROM whenever it is renewed. To solve this problem, we made SFS-KNOPPIX, which boots from the Internet with SFS (self-certifying file system). SFS-KNOPPIX requires a 20 MB boot-loader with Linux kernel and miniroot. The root file system is obtained from the Internet with SFS at boot time. This makes it possible to change the root file system and makes it easy to try a new version of KNOPPIX. In this paper we describe the details of SFS-KNOPPIX and its performance.
acm symposium on applied computing | 2014
Kuniyasu Suzaki; Toshiki Yagi; Akira Tanaka; Yutaka Oiwa; Etsuya Shibayama
Secure communications (HTTPS, SSH, etc.) are important in current Internet services. Implementations of secure protocols should be tested as exhaustively as possible. Repeated protocol fuzz testing from every reachable state is necessary, and a snapshot/rollback mechanism is required. Ordinary snapshot tools, however, only bring back the state of a process or virtual machine (VM), and do not take care of packets on a wire. This means that they lack the distributed snapshot feature defined by Chandy-Lamport. Furthermore, secure protocols inherently depend upon the computing environment (e.g., random numbers), which makes it difficult to repeat the same test. In order to solve these problems easily and generally, we propose a new protocol for controlling snapshot/rollback of a VM, and an implementation which uses nested VMs and proxies. The internal VM of the nested VM emulates the whole hardware for exact repetition of protocol handling, and the external VM and proxies manage the state of the internal VM and the packets on a wire. In the current implementation, the internal VM is the instruction emulator QEMU and the external VM is KVM, which uses virtualization instructions. In a feasibility study, 4 TLS 1.2 servers (OpenSSL, GnuTLS, CyaSSL, and PolarSSL) were verified, and we found 2 bugs in CyaSSL and 1 bug in PolarSSL.
symposium on operating systems principles | 2011
Kuniyasu Suzaki; Kengo Iijima; Toshiki Yagi; Cyrille Artho
usenix conference on hot topics in security | 2010
Kuniyasu Suzaki; Toshiki Yagi; Kengo Iijima; Nguyen Anh Quynh; Cyrille Artho; Yoshihito Watanabe
usenix large installation systems administration conference | 2007
Kuniyasu Suzaki; Toshiki Yagi; Kengo Iijima; Nguyen Anh Quynh
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2013
Kuniyasu Suzaki; Kengo Iijima; Toshiki Yagi; Cyrille Artho
european workshop on system security | 2012
Kuniyasu Suzaki; Kengo Iijima; Toshiki Yagi; Cyrille Artho