[BitVisor-devel-en:11] Re: Bitvisor memory protection

Nafise Sadat Moosavi ns.moosavi at gmail.com
Sat Apr 23 19:53:08 JST 2011


Dear Professor Shinagawa,

Thank you very much for your useful help.
Is it possible to implement a complete shadow paging mechanism (like XEN) in
Bitvisor in order to have more complicated protection mechanisms for memory?

Thanks again,
Best Regards,

On Tue, Apr 12, 2011 at 5:05 PM, Takahiro Shinagawa <shina at ecc.u-tokyo.ac.jp> wrote:

> Dear Nafise Sadat Moosavi:
>
> Thank you for being interested in BitVisor.
>
>
>> Thank you for your response. However, these statements have been made in
>> the "BitVisor: A Thin Hypervisor for Enforcing I/O Device Security" paper:
>> "The guest OS of parapass-through hypervisors use the physical address
>> space that is identical to the machine (real) physical address space. The
>> hypervisor does not need to carry out address translations. This
>> contributes to reducing the size of the hypervisor."
>>
>
> The identical-mapping is only applied to guest memory regions, not to
> hypervisor memory regions.
>
>
>> "Hypervisors must hide their own memory regions from the guest OS so that
>> the guest OS do not use them. BitVisor hooks the BIOS functions for
>> obtaining the memory usage map (function e820h) to fake that the memory
>> regions are reserved."
>> So we have concluded int 0x15 would be the only mechanism for protecting
>> the Bitvisor memory area.
>>
>
> The paper also said "the hypervisor cannot directly use the guest page
> table because the guest OS can access the memory regions of the hypervisor
> by setting a physical address of the memory regions to the page table. To
> prevent such attacks, the hypervisor must verify each page table entry
> before the entry is used by the processor."
>
> So the protection is done by verifying page table entries, not by hooking
> int 0x15, as Eiraku said. Int 0x15 just tells the normal (non-malicious)
> guest OS not to use the hypervisor memory regions. Since a malicious guest
> OS can ignore it and try to access the hypervisor memory regions, it does
> not work as a protection mechanism.
>
>
>> Indeed, there is no address translation in the gmm_pass_gp2hp() function; it
>> just checks whether the mentioned memory area is located in the Bitvisor
>> memory region or not and sets the fakerom based on the result.
>>
>
> Setting the fakerom is a kind of address translation and works as
> protection; gmm_pass_gp2hp() verifies page table entries and prevents the
> guest OS from setting the physical address of hypervisor memory regions.
> Therefore, even a malicious guest OS, which may ignore int 0x15, cannot read
> or write the hypervisor memory regions.
>
> Takahiro Shinagawa
>
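The per-entry verification Shinagawa describes above, as an added example in C that models the check; it is not BitVisor's own gmm_pass_gp2hp(), and the hypervisor region addresses, the fakerom page and its read-only treatment are assumptions:

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the check described in the thread. The hypervisor
 * region, the fakerom page and the read-only treatment of it are assumptions
 * for illustration; none of these values come from BitVisor. */

#define PAGE_SIZE       0x1000ULL
#define PTE_PRESENT     (1ULL << 0)
#define PTE_WRITE       (1ULL << 1)
#define PTE_ADDR_MASK   0x000FFFFFFFFFF000ULL   /* x86-64 PTE bits 12..51 */

/* Assumed hypervisor-owned machine physical region: [256 MiB, 384 MiB). */
#define HV_BASE         0x10000000ULL
#define HV_SIZE         0x08000000ULL
/* Assumed read-only page shown to the guest in place of hypervisor memory. */
#define FAKEROM_PAGE    0x00FF0000ULL

/* Model of gmm_pass_gp2hp(): guest physical maps identically to host
 * physical, except for a page overlapping the hypervisor region, which is
 * redirected to the fakerom page. Returns true when redirected. */
bool pass_gp2hp(uint64_t gphys, uint64_t *hphys)
{
    bool overlaps = gphys < HV_BASE + HV_SIZE && gphys + PAGE_SIZE > HV_BASE;
    *hphys = overlaps ? FAKEROM_PAGE : gphys;
    return overlaps;
}

/* Verify one 4 KiB leaf page-table entry written by the guest and return the
 * entry the processor is allowed to use. A guest that ignores the e820 map
 * and writes a hypervisor address into its page table gets the fakerom page
 * instead. (Large pages would need splitting first; not modelled here.) */
uint64_t verify_pte(uint64_t guest_pte)
{
    if (!(guest_pte & PTE_PRESENT))
        return guest_pte;               /* not-present entries map nothing */
    uint64_t gphys = guest_pte & PTE_ADDR_MASK;
    uint64_t flags = guest_pte & ~PTE_ADDR_MASK;
    uint64_t hphys;
    if (pass_gp2hp(gphys, &hphys))
        flags &= ~PTE_WRITE;            /* fakerom is read-only: writes never reach hypervisor memory */
    return hphys | flags;
}
```

The e820 hook only changes what a cooperative guest is told; this check is what stands between an uncooperative guest and hypervisor memory.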