Nioh : Hardening The Hypervisor by Filtering Illegal I/O Requests to Virtual Devices

Vulnerabilities in hypervisors are crucial in multi-tenant clouds since they can undermine the security of all virtual machines (VMs) consolidated on the vulnerable hypervisor. Unfortunately, 107 vulnerabilities in KVM+QEMU and 38 vulnerabilities in Xen are reported solely in 2016. The device emulation layer in hypervisors is a hotbed of vulnerabilities because the code for virtualizing devices is complicated and requires the knowledge about the device internals. This paper proposes a “device request filter”, or Nioh, that raises the bar for attackers to exploit the vulnerabilities in hypervisors. The key insight behind Nioh is that malicious I/O requests, attempting to exploit vulnerabilities, violate the device specification in many cases. Nioh inspects I/O requests from VMs and rejects those that do not conform to the device specification. The device specification is modeled as device automata in Nioh, an extended automaton to facilitate the description of device specifications. A software framework is also provided to encapsulate the interactions between the device request filter and the underlying hypervisors. Our attack evaluation demonstrates Nioh can defend against attacks that exploit vulnerabilities in device emulation: CVE-2015-5158, CVE-2016-1568, CVE-2016-4439 and CVE-2016-7909. This paper also shows the notorious VENOM attack can be detected and rejected by Nioh.