[BitVisor-devel-en:9] Re: Bitvisor memory protection
Nafise Sadat Moosavi
ns.moosavi at gmail.com
Wed Apr 6 15:30:20 JST 2011
Dear Hideki EIRAKU,
Hi,
Thank you for your response. However, these statements are made in the
"BitVisor: A Thin Hypervisor for Enforcing I/O Device Security" paper:
"The guest OS of parapass-through hypervisors use the physical address space
that is identical to the machine (real) physical address space. The
hypervisor does not need to carry out address translations. This contributes
to reducing the size of the hypervisor."
"Hypervisors must hide their own memory regions from the guest OS so that
the guest OS do not use them. BitVisor hooks the BIOS functions for
obtaining the memory usage map (function e820h) to fake that the memory
regions are reserved. "
So we have concluded int0x15 would be the only mechanism for protecting
Bitvisor memory area.
Indeed, there is no address translation in the gmm_pass_gp2hp() function; it
just checks whether the mentioned memory area is located in the Bitvisor memory
region or not and sets fakerom based on the result.
Thanks again,
On Tue, Apr 5, 2011 at 2:40 PM, Hideki EIRAKU <hdk at igel.co.jp> wrote:
> Hi,
>
> From: Nafise Sadat Moosavi <ns.moosavi at gmail.com>
> Subject: [BitVisor-devel-en:7] Bitvisor memory protection
> Date: Sun, 3 Apr 2011 15:55:02 +0430
> Message-ID: <BANLkTimak_mJC7G6Svcg1rEYbXdPvpLzag at mail.gmail.com>
>
> > Dear Bitvisor developers,
> >
> > As stated in the first Bitvisor paper, Bitvisor uses Int0x15 for protecting
> > its memory from the guest OS. However, there are manual ways of probing the
> > memory map instead of using BIOS int0x15, which are not recommended but can
> > still be used.
>
> BitVisor hooks int0x15 to change the memory map, not to protect
> BitVisor's memory from the guest OS. The protection of memory is
> implemented in the gmm_pass_gp2hp() function, which is an address translator
> that translates guest-physical addresses to host-physical addresses.
>
> If the guest attempts to access an address in use by BitVisor, the address
> translator returns the physical address of a blank page with the read-only
> flag (fakerom) set. The shadow page table implementation calls panic()
> if the guest OS tries to modify a page with the read-only flag set.
>
> > Assume a guest OS which contains a rootkit for detection and destruction of
> > Bitvisor. It can guess the memory area of Bitvisor by using int0x15 results
> > during Bitvisor presence and absence in the same system, and then it can use
> > manual ways of memory access (without using int0x15) for destruction of the
> > hypervisor in memory.
> > Can Bitvisor protect itself against such attacks?
>
> Yes. The gmm_pass_gp2hp function will protect against this scenario as well.
> However, the protection works only if the access is performed by the CPU,
> not via DMA.
>
> --
> Hideki EIRAKU <hdk at igel.co.jp>
>
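The two mechanisms discussed in this thread, the e820h hook that marks the hypervisor's range as reserved and the gmm_pass_gp2hp() check that redirects guest accesses to that range to a blank read-only (fakerom) page, are modelled below as an added, self-contained C example. It is not BitVisor's own code: the hypervisor base address, its size, the blank page address, the flag value and the firmware memory map are all constructed for the example, and a write to a fakerom page returns false here where BitVisor would call panic().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All addresses below are assumed for this example, not BitVisor's real layout. */
#define PAGE_SIZE       0x1000ULL
#define HV_BASE         0x40000000ULL   /* assumed hypervisor load address */
#define HV_SIZE         0x08000000ULL   /* assumed 128 MiB hypervisor region */
#define HV_END          (HV_BASE + HV_SIZE)
#define BLANK_PAGE_HPA  0x3F000000ULL   /* assumed host page kept all-zero */
#define MAP_FAKEROM     0x1             /* assumed flag: read-only, blank-page backed */

struct map_result { uint64_t hpa; unsigned flags; };

/* Model of the gmm_pass_gp2hp() check: identity mapping everywhere except the
 * hypervisor's own range, which is redirected to the blank page with fakerom set. */
struct map_result gp2hp(uint64_t gpa)
{
    uint64_t page = gpa & ~(PAGE_SIZE - 1);
    struct map_result r = { page, 0 };
    if (page >= HV_BASE && page < HV_END) {
        r.hpa = BLANK_PAGE_HPA;
        r.flags = MAP_FAKEROM;
    }
    return r;
}

/* Model of the shadow page table write path: a guest write that lands on a
 * fakerom page is the case where BitVisor panics; here it just returns false. */
bool guest_write_allowed(uint64_t gpa)
{
    return (gp2hp(gpa).flags & MAP_FAKEROM) == 0;
}

enum { E820_RAM = 1, E820_RESERVED = 2 };
struct e820_entry { uint64_t base, len; uint32_t type; };

/* Model of the int 0x15 / e820h hook: copies the firmware map, splitting any RAM
 * entry overlapping the hypervisor so the overlap reads as reserved. Returns the
 * number of entries written to out (at most cap). */
size_t e820_hide_hypervisor(const struct e820_entry *in, size_t n,
                            struct e820_entry *out, size_t cap)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t s = in[i].base, e = in[i].base + in[i].len;
        if (in[i].type != E820_RAM || e <= HV_BASE || s >= HV_END) {
            if (k < cap) out[k++] = in[i];      /* no overlap: pass through */
            continue;
        }
        uint64_t os = s > HV_BASE ? s : HV_BASE;  /* overlap start */
        uint64_t oe = e < HV_END ? e : HV_END;    /* overlap end */
        if (s < os && k < cap)
            out[k++] = (struct e820_entry){ s, os - s, E820_RAM };
        if (k < cap)
            out[k++] = (struct e820_entry){ os, oe - os, E820_RESERVED };
        if (e > oe && k < cap)
            out[k++] = (struct e820_entry){ oe, e - oe, E820_RAM };
    }
    return k;
}

/* Constructed firmware map: 640 KiB low RAM plus RAM from 1 MiB up to 2 GiB. */
static const struct e820_entry firmware_map[] = {
    { 0x00000000ULL, 0x000A0000ULL, E820_RAM },
    { 0x00100000ULL, 0x7FF00000ULL, E820_RAM },
};

size_t sample_hidden_count(void)
{
    struct e820_entry out[8];
    return e820_hide_hypervisor(firmware_map, 2, out, 8);
}

struct e820_entry sample_hidden_entry(size_t idx)
{
    struct e820_entry out[8] = { { 0, 0, 0 } };
    size_t n = e820_hide_hypervisor(firmware_map, 2, out, 8);
    return idx < n ? out[idx] : (struct e820_entry){ 0, 0, 0 };
}

int main(void)
{
    size_t n = sample_hidden_count();
    for (size_t i = 0; i < n; i++) {
        struct e820_entry x = sample_hidden_entry(i);
        printf("e820: %#010llx len %#010llx type %u\n",
               (unsigned long long)x.base, (unsigned long long)x.len, x.type);
    }
    uint64_t probe[] = { 0x1000ULL, HV_BASE + 0x123ULL, HV_END };
    for (size_t i = 0; i < 3; i++) {
        struct map_result m = gp2hp(probe[i]);
        printf("gpa %#010llx -> hpa %#010llx%s\n",
               (unsigned long long)probe[i], (unsigned long long)m.hpa,
               (m.flags & MAP_FAKEROM) ? " (fakerom, write would panic)" : "");
    }
    return 0;
}
```

The second loop in main() shows the point of the reply: the guest address that falls inside the hypervisor range resolves to the blank page regardless of whether the guest learned about the range from e820h or by probing, because the check sits in the address translation, not in the BIOS hook. As the reply also notes, this model covers CPU accesses only; a DMA transfer never passes through gp2hp().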