[BitVisor-devel-en:10] Re: Bitvisor memory protection

Takahiro Shinagawa shina at ecc.u-tokyo.ac.jp
Tue Apr 12 21:35:59 JST 2011


Dear Nafise Sadat Moosavi:

Thank you for being interested in BitVisor.

> Thank you for your response. However, this statement has been stated in
> "BitVisor: A Thin Hypervisor for Enforcing I/O Device Security" paper:
> "The guest OS of parapass-through hypervisors use the physical address space
> that is identical to the machine (real) physical address space. The
> hypervisor does not need to carry out address translations. This contributes
> to reducing the size of the hypervisor."

The identical-mapping is only applied to guest memory regions, not to 
hypervisor memory regions.

> "Hypervisors must hide their own memory regions from the guest OS so that
> the guest OS do not use them. BitVisor hooks the BIOS functions for
> obtaining the memory usage map (function e820h) to fake that the memory
> regions are reserved. "
> So we have concluded int0x15 would be the only mechanism for protecting
> BitVisor memory area.

The paper also said "the hypervisor cannot directly use the guest page 
table because the guest OS can access the memory regions of the 
hypervisor by setting a physical address of the memory regions to the 
page table. To prevent such attacks, the hypervisor must verify each 
page table entry before the entry is used by the processor."

So the protection is done by verifying page table entries, not by 
hooking int 0x15, as Eiraku said. Int 0x15 just tells the normal 
(non-malicious) guest OS not to use the hypervisor memory regions. Since 
a malicious guest OS can ignore it and try to access the hypervisor 
memory regions, it does not work as a protection mechanism.

> Indeed, there is no address translation in gmm_pass_gp2hp() function, it
> just checks whether the mentioned memory area is located in BitVisor memory
> region or not and sets the fakerom based on the result.

Setting the fakerom is a kind of address translation and works as 
protection; gmm_pass_gp2hp() verifies page table entries and prevents 
the guest OS from setting the physical address of hypervisor memory 
regions. Therefore, even a malicious guest OS, which may ignore int 
0x15, cannot read or write the hypervisor memory regions.

Takahiro Shinagawa
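
The following is an added example, not part of the original message and not BitVisor source code: a simplified C model of the page table entry verification described above, in which a guest entry pointing into the hypervisor region is redirected to a read-only dummy page and everything else is mapped identically. The names model_gp2hp and model_shadow_pte, the address range, and the dummy page address are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_P         0x1ULL                 /* present */
#define PTE_RW        0x2ULL                 /* writable */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* 4 KiB frame address bits */

/* Constructed layout (assumption): hypervisor owns [VMM_START, VMM_END). */
#define VMM_START  0x7C000000ULL
#define VMM_END    0x80000000ULL
/* Constructed address of a blank page handed out instead (assumption). */
#define DUMMY_PAGE 0x00001000ULL

/* Guest-physical to host-physical for one page frame.
 * Identity mapping for guest memory; hypervisor frames are replaced
 * by the dummy page and *fakerom is set so the caller can drop write access. */
static uint64_t model_gp2hp(uint64_t gphys, bool *fakerom)
{
    if (gphys >= VMM_START && gphys < VMM_END) {
        *fakerom = true;
        return DUMMY_PAGE;
    }
    *fakerom = false;
    return gphys;
}

/* Verify a guest PTE before the processor may use it: the value returned
 * is what goes into the table the hardware actually walks. */
static uint64_t model_shadow_pte(uint64_t guest_pte)
{
    bool fakerom;
    uint64_t flags, hphys;

    if (!(guest_pte & PTE_P))
        return 0;                          /* not present: nothing to map */
    flags = guest_pte & ~PTE_ADDR_MASK;    /* keep the guest's flag bits */
    hphys = model_gp2hp(guest_pte & PTE_ADDR_MASK, &fakerom);
    if (fakerom)
        flags &= ~PTE_RW;                  /* behaves like ROM: no writes */
    return hphys | flags;
}

int main(void)
{
    /* Constructed guest entries: one normal, one aimed at the hypervisor. */
    printf("%#llx\n", (unsigned long long)model_shadow_pte(0x00200003ULL));
    printf("%#llx\n", (unsigned long long)model_shadow_pte(0x7C123003ULL));
    return 0;
}
```

The second entry comes back pointing at the dummy page without the write bit, whatever the guest learned or ignored from int 0x15.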

