Pure Software Engineer :)

[CCS 2010] HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity

HelloJaewon 2012. 6. 21. 23:37

HyperSentry introduces a software component that is properly isolated from the hypervisor to enable stealthy and in-context measurement of the runtime integrity of the hypervisor.

 

 - Stealthiness: necessary to ensure that a compromised hypervisor does not get a chance to hide the attack traces upon detecting an upcoming measurement

 - In-context measurement: necessary to retrieve all the inputs needed for a successful integrity measurement

 

Previous work

 - HyperGuard, HyperCheck

- rely on the SMM

- limitations

1. None of these frameworks provides a way to trigger the integrity measurement without altering the hypervisor (vulnerable to a scrubbing attack).

(scrubbing attack: a compromised hypervisor can clean up the attack traces before the integrity measurement starts)

2. The hypervisor context is hidden in the CPU if the SMI interrupts a guest VM rather than the hypervisor.

 - Flicker

- uses the late launch capability

- limitation

the measurement target (the running system) is the one responsible for invoking the integrity measurement

 

 

Challenges

1. stealthy invocation

2. the measurement agent has to be verifiable despite the hypervisor's ability to tamper with any code or data stored in system memory

3. the measurement agent's execution has to be deterministic and non-interruptible

4. in-context measurement that reveals the entire CPU state essential for the integrity measurement

5. attestation to the authenticity of the measurement output

 

TCB: hardware, firmware, and a software component properly isolated from the highest-privileged software.

 

The out-of-band channel is used to invoke a System Management Interrupt (SMI).

The Intelligent Platform Management Interface (IPMI) is used to establish the out-of-band channel.

 

System Management Mode (SMM)

 - SMM is an x86 operating mode designed to handle system management functions

 - The CPU enters the SMM upon receiving an SMI, triggered by either software or hardware events.

 - SMM's code is stored in a designated, lockable memory called SMRAM.

 - Currently, all BIOS manufacturers lock the SMRAM before the system boots to prevent SMM misuses.

 - When an SMI is invoked, the hardware saves the current CPU state to a dedicated state save map and switches the context to SMM.

 - After the SMI handler finishes, it executes the RSM instruction to resume the interrupted CPU operation.

 - All interrupts, including the non-maskable ones, are disabled upon entering the SMM.

 

Intelligent Platform Management Interface (IPMI)

 - server-oriented platform management interface directly implemented in hardware and firmware

 - IPMI relies on a microcontroller embedded on the motherboard of each server, called the Baseboard Management Controller (BMC)

 

We use IPMI to reach the BMC on the target platform's motherboard to remotely trigger a hardware SMI

 

Threat model

 - an SMI generated by the BMC can be either disabled or rerouted by the hypervisor

 - the hypervisor has the ability to trigger SMIs with different methods

 

 - As a result, a compromised hypervisor can mask the original SMI invocation, scrub attack traces, and then invoke a fake measurement request.

 

To counter this attack

 - it is critical for HyperSentry to differentiate between an SMI generated by the out-of-band channel and fake ones.

 

 - The BMC has a direct connection to the platform's south bridge (I/O control hub), or more specifically, to the first General Purpose Input port (GPI 0)

 - The south bridge is then connected to the CPU through the north bridge and the Front Side Bus (FSB).

 

 - When the BMC needs to trigger an SMI, it generates a signal on GPI 0.

 

 - status registers

GPI_ROUT: specifies the interrupt generated by the GPI.

SMI_EN: its least significant bit can be used to prevent all SMIs.

SMI_STS: indicates that the SMI was triggered by a GPI.

ALT_GPI_SMI_EN, ALT_GPI_SMI_STS: identify the exact GPI port that triggered the SMI.

 

 - The HyperSentry SMI handler checks the status registers upon invocation.

 - The measurement process only starts if the SMI was generated by the GPI connected to the BMC.

 

 - A compromised hypervisor may attempt to disable the SMI by overwriting GPI_ROUT.

 - This attack can be easily detected by the remote user due to the lack of response from HyperSentry.
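As an added illustration (not code from the paper or from this post), the C sketch below models the status-register check the SMI handler performs before it starts a measurement, distinguishing the BMC's GPI 0 signal from a software-triggered SMI and from a signal on another GPI port. The register bit layout, the GPI_ROUT encoding and the register snapshots are constructed assumptions, not the real chipset map.

```c
#include <stdint.h>
#include <stdbool.h>

/* Snapshot of the south-bridge registers named in the text. The bit layout
 * below is a constructed assumption for illustration, not a real ICH map. */
struct smi_status {
    uint32_t gpi_rout;        /* 2 bits per GPI port: value 1 = route to SMI */
    uint32_t smi_en;          /* bit 0: global SMI enable */
    uint32_t smi_sts;         /* bit 16: the pending SMI came from a GPI */
    uint16_t alt_gpi_smi_en;  /* bit n set: GPI n may raise an SMI */
    uint16_t alt_gpi_smi_sts; /* bit n set: GPI n is a pending SMI source */
};

#define BMC_GPI      0           /* the BMC is wired to GPI 0 */
#define ROUT_SMI     1u          /* assumed GPI_ROUT encoding for "raise SMI" */
#define SMI_EN_GBL   (1u << 0)
#define SMI_STS_GPI  (1u << 16)  /* assumed bit position */

static unsigned gpi_route(const struct smi_status *s, unsigned port)
{
    return (s->gpi_rout >> (2 * port)) & 3u;
}

/* True only when every register agrees that the pending SMI originated from
 * the GPI port the BMC drives; anything else is treated as a possible fake
 * request and the measurement is not started. */
bool smi_from_bmc(const struct smi_status *s)
{
    if (!(s->smi_en & SMI_EN_GBL))              return false;
    if (!(s->smi_sts & SMI_STS_GPI))            return false;
    if (gpi_route(s, BMC_GPI) != ROUT_SMI)      return false;
    if (!(s->alt_gpi_smi_en & (1u << BMC_GPI))) return false;
    /* the BMC port must be the only pending GPI source */
    return s->alt_gpi_smi_sts == (1u << BMC_GPI);
}
/* Constructed register snapshots for the cases discussed in the text. */
const struct smi_status genuine_bmc_smi = {
    .gpi_rout = ROUT_SMI, .smi_en = SMI_EN_GBL, .smi_sts = SMI_STS_GPI,
    .alt_gpi_smi_en = 1u << BMC_GPI, .alt_gpi_smi_sts = 1u << BMC_GPI };
/* Software-triggered SMI (the fake request): no GPI source bit is pending. */
const struct smi_status software_smi = {
    .gpi_rout = ROUT_SMI, .smi_en = SMI_EN_GBL, .smi_sts = 1u << 5,
    .alt_gpi_smi_en = 1u << BMC_GPI, .alt_gpi_smi_sts = 0 };
/* A signal on GPI 3 raised the SMI rather than the BMC's GPI 0. */
const struct smi_status other_gpi_smi = {
    .gpi_rout = ROUT_SMI | (ROUT_SMI << 6), .smi_en = SMI_EN_GBL,
    .smi_sts = SMI_STS_GPI, .alt_gpi_smi_en = 0x9, .alt_gpi_smi_sts = 1u << 3 };

/* Exit status 0 when only the genuine BMC snapshot passes the check. */
int main(void) { return smi_from_bmc(&genuine_bmc_smi) && !smi_from_bmc(&software_smi)
                     && !smi_from_bmc(&other_gpi_smi) ? 0 : 1; }
```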