Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/89481
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 黎士瑋 | zh_TW |
dc.contributor.advisor | Shih-Wei Li | en |
dc.contributor.author | 章瑋麟 | zh_TW |
dc.contributor.author | Wei-Lin Chang | en |
dc.date.accessioned | 2023-09-07T17:11:55Z | - |
dc.date.available | 2024-12-31 | - |
dc.date.copyright | 2023-09-11 | - |
dc.date.issued | 2023 | - |
dc.date.submitted | 2023-07-27 | - |
dc.identifier.citation | [1] Cloud hypervisor - run cloud virtual machines securely and efficiently. https://www.cloudhypervisor.org/, 2023. [2] Rust for linux. https://rust-for-linux.com/, 2023. [3] A. R. Adam Greig. aarch64-cpu rust crate. https://crates.io/crates/aarch64-cpu, 2023. [4] A. Agache, M. Brooker, A. Iordache, A. Liguori, R. Neugebauer, P. Piwonka, and D.-M. Popa. Firecracker: Lightweight virtualization for serverless applications. In 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), pages 419–434, Santa Clara, CA, Feb. 2020. USENIX Association. [5] B. Anderson, L. Bergstrom, M. Goregaokar, J. Matthews, K. McAllister, J. Moffitt, and S. Sapin. Engineering the servo web browser engine using rust. In 2016 IEEE/ACM 38th International Conference on Software Engineering Companion (ICSE-C), pages 81–89, 2016. [6] Arm. Arm and aws: Working together to "re:invent" the cloud. https://www.arm.com/company/news/2018/11/arm-and-aws-working-together-to-reinvent-the-cloud, 2018. [7] Arm. Arm neoverse adopted by google cloud. https://www.arm.com/company/news/2022/07/arm-neoverse-adopted-by-google-cloud, 2022. [8] V. Astrauskas, P. Müller, F. Poli, and A. J. Summers. Leveraging rust types for modular specification and verification. Proc. ACM Program. Lang., 3(OOPSLA), Oct. 2019. [9] M. Backes, G. Doychev, and B. Kopf. Preventing Side-Channel Leaks in Web Traffic: A Formal Approach. In 20th Annual Network and Distributed System Security Symposium (NDSS 2013), San Diego, CA, Feb. 2013. [10] A. Bhardwaj, C. Kulkarni, R. Achermann, I. Calciu, S. Kashyap, R. Stutsman, A. Tai, and G. Zellweger. Nros: Effective replication and sharing in an operating system. In OSDI, pages 295–312, 2021. [11] bindgen maintainer. bindgen. https://github.com/rust-lang/rust-bindgen, 2023. [12] K. Boos, N. Liyanage, R. Ijaz, and L. Zhong. Theseus: an experiment in operating system structure and state management. In 14th USENIX Symposium on Operating Systems Design and Implementation (OSDI 20), pages 1–19. USENIX Association, Nov. 2020. [13] Brian Cooper. Yahoo! Cloud Serving Benchmark. https://github.com/brianfrankcooper/YCSB, Feb. 2021. [14] J. Chen, D. Li, Z. Mi, Y. Liu, B. Zang, H. Guan, and H. Chen. Duvisor: a user-level hypervisor through delegated virtualization, 2022. [15] Y.-H. Chiang, W.-L. Chang, J.-T. Du, and S.-W. Li. Krustvm: a rust-based secure kvm hypervisor. https://github.com/ntu-ssl/linux-sekvm-rust, 2023. [16] B. Cooper, A. Silberstein, E. Tam, R. Ramakrishnan, and R. Sears. Benchmarking cloud serving systems with ycsb. pages 143–154, Sept. 2010. [17] C. Dall and J. Nieh. Supporting kvm on the arm architecture. https://lwn.net/Articles/557132/, 2013. [18] C. Dall and J. Nieh. Kvm/arm: The design and implementation of the linux arm hypervisor. In Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS '14, pages 333–348, New York, NY, USA, 2014. Association for Computing Machinery. [19] X. Denis, J.-H. Jourdan, and C. Marché. Creusot: A foundry for the deductive verification of rust programs. In Formal Methods and Software Engineering: 23rd International Conference on Formal Engineering Methods, ICFEM 2022, Madrid, Spain, October 24–27, 2022, Proceedings, pages 90–105, Berlin, Heidelberg, 2022. Springer-Verlag. [20] Google. Google Cloud Security and Compliance Whitepaper - How Google protects your data. https://static.googleusercontent.com/media/gsuite.google.com/en//files/google-apps-security-and-compliance-whitepaper.pdf, Sept. 2017. [21] Google. Chromiumos virtual machine monitor. https://chromium.googlesource.com/chromiumos/platform/crosvm/, 2023. [22] R. Gu, Z. Shao, H. Chen, X. N. Wu, J. Kim, V. Sjöberg, and D. Costanzo. CertiKOS: An extensible architecture for building certified concurrent OS kernels. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 653–669, Savannah, GA, Nov. 2016. USENIX Association. [23] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys. In Proceedings of the 17th USENIX Security Symposium (USENIX Security 2008), pages 45–60, San Jose, CA, July 2008. [24] S. Ho and J. Protzenko. Aeneas: Rust verification by functional translation. Proc. ACM Program. Lang., 6(ICFP), Aug. 2022. [25] G. Irazoqui, T. Eisenbarth, and B. Sunar. S$A: A Shared Cache Attack That Works Across Cores and Defies VM Sandboxing – and Its Application to AES. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (SP 2015), pages 591–604, San Jose, CA, May 2015. [26] Jake Edge. KVM for Android, Nov. 2020. https://lwn.net/Articles/836693/. [27] Y. Jia, S. Liu, W. Wang, Y. Chen, Z. Zhai, S. Yan, and Z. He. HyperEnclave: An open and cross-platform trusted execution environment. In 2022 USENIX Annual Technical Conference (USENIX ATC 22), pages 437–454, Carlsbad, CA, July 2022. USENIX Association. [28] R. Jones. Netperf. https://github.com/HewlettPackard/netperf, June 2018. [29] A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori. KVM: the Linux Virtual Machine Monitor. In Proceedings of the 2007 Ottawa Linux Symposium (OLS 2007), Ottawa, ON, Canada, June 2007. [30] G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. Sel4: Formal verification of an os kernel. In Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, SOSP '09, pages 207–220, New York, NY, USA, 2009. Association for Computing Machinery. [31] A. Lattuada, T. Hance, C. Cho, M. Brun, I. Subasinghe, Y. Zhou, J. Howell, B. Parno, and C. Hawblitzel. Verus: Verifying rust programs using linear ghost types. Proc. ACM Program. Lang., 7(OOPSLA1), Apr. 2023. [32] N. Lehmann, A. Geller, N. Vazou, and R. Jhala. Flux: Liquid types for rust, 2022. [33] A. Levy, B. Campbell, B. Ghena, D. B. Giffin, P. Pannuto, P. Dutta, and P. Levis. Multiprogramming a 64kb computer safely and efficiently. In Proceedings of the 26th Symposium on Operating Systems Principles, pages 234–251, 2017. [34] D. Li, Z. Mi, Y. Xia, B. Zang, H. Chen, and H. Guan. Twinvisor: Hardware-isolated confidential virtual machines for arm. In Proceedings of the ACM SIGOPS 28th Symposium on Operating Systems Principles, SOSP '21, pages 638–654, New York, NY, USA, 2021. Association for Computing Machinery. [35] S.-W. Li, J. S. Koh, and J. Nieh. Protecting cloud virtual machines from commodity hypervisor and host operating system exploits. In Proceedings of the 28th USENIX Conference on Security Symposium, SEC'19, pages 1357–1374, USA, 2019. USENIX Association. [36] S.-W. Li, X. Li, R. Gu, J. Nieh, and J. Zhuang Hui. A secure and formally verified linux kvm hypervisor. In 2021 IEEE Symposium on Security and Privacy (SP), pages 1782–1799, 2021. [37] F. Liu, Y. Yarom, Q. Ge, G. Heiser, and R. B. Lee. Last-Level Cache Side-Channel Attacks Are Practical. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (SP 2015), pages 605–622, San Jose, CA, May 2015. [38] Z. Mi, D. Li, H. Chen, B. Zang, and H. Guan. (mostly) exitless VM protection from untrusted hypervisor through disaggregated nested virtualization. In 29th USENIX Security Symposium (USENIX Security 20), pages 1695–1712. USENIX Association, Aug. 2020. [39] Microsoft. Hyper-V Technology Overview. https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-technology-overview, Nov. 2016. [40] V. Narayanan, T. Huang, D. Detweiler, D. Appel, Z. Li, G. Zellweger, and A. Burtsev. Redleaf: Isolation and communication in a safe operating system. In Proceedings of the 14th USENIX Conference on Operating Systems Design and Implementation, pages 21–39, 2020. [41] B. Qin, Y. Chen, Z. Yu, L. Song, and Y. Zhang. Understanding memory and thread safety practices and issues in real-world rust programs. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2020, pages 763–779, New York, NY, USA, 2020. Association for Computing Machinery. [42] Redis Labs. memtier_benchmark. https://github.com/RedisLabs/memtier_benchmark, Apr. 2015. [43] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), pages 199–212, Chicago, IL, Nov. 2009. [44] R. Russell. Hackbench. http://people.redhat.com/mingo/cfs-scheduler/tools/hackbench.c, Jan. 2008. [45] rust-vmm maintainers. rust-vmm. https://github.com/rust-vmm, 2023. [46] M. Sung, P. Olivier, S. Lankes, and B. Ravindran. Intra-unikernel isolation with intel memory protection keys. In Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE '20, pages 143–156, New York, NY, USA, 2020. Association for Computing Machinery. [47] J. Thalheim, P. Okelmann, H. Unnibhavi, R. Gouicem, and P. Bhatotia. Vmsh: Hypervisor-agnostic guest overlays for vms. In Proceedings of the Seventeenth European Conference on Computer Systems, EuroSys '22, pages 678–696, New York, NY, USA, 2022. Association for Computing Machinery. [48] The Apache Software Foundation. ab - Apache HTTP server benchmarking tool. http://httpd.apache.org/docs/2.4/programs/ab.html, Apr. 2015. [49] S. Wan, M. Sun, K. Sun, N. Zhang, and X. He. Rustee: Developing memory-safe arm trustzone applications. In Annual Computer Security Applications Conference, ACSAC '20, pages 442–453, New York, NY, USA, 2020. Association for Computing Machinery. [50] H. Wang, P. Wang, Y. Ding, M. Sun, Y. Jing, R. Duan, L. Li, Y. Zhang, T. Wei, and Z. Lin. Towards memory safe enclave programming with rust-sgx. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, pages 2333–2350, New York, NY, USA, 2019. Association for Computing Machinery. [51] F. Zhang, J. Chen, H. Chen, and B. Zang. CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP 2011), pages 203–216, Cascais, Portugal, Oct. 2011. [52] Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-VM Side Channels and Their Use to Extract Private Keys. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS 2012), pages 305–316, Raleigh, NC, Oct. 2012. [53] Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-Tenant Side-Channel Attacks in Paas Clouds. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), pages 990–1003, Nov. 2014. | - |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/89481 | - |
dc.description.abstract | Commodity hypervisors play a critical role in cloud computing environments, where they are responsible for managing the hardware resources of virtual machines. However, their increasingly complex design and broad attack surface raise significant security concerns. An attacker who exploits a vulnerability in the privileged hypervisor can gain unrestricted access to the data in virtual machines, compromising their security. Previous attempts to retrofit hypervisors into small trusted cores have limitations, since their security still depends on the implementation of the trusted core. Moreover, formal verification of the TCB requires substantial human effort and is hard to apply to rapidly evolving software projects. Recently, adoption of the Rust language has grown because of its strong memory safety guarantees and high performance. This thesis focuses on the challenges of rewriting and porting the C-based KVM (Kernel-based Virtual Machine) TCB in SeKVM to Rust, targeting a recent Linux long-term support version. Through this rewrite, our hypervisor KrustVM benefits not only from the latest Linux advancements but also from the safety guarantees Rust provides. The design of KrustVM focuses on maximizing the safety of its unsafe Rust code. We isolate unsafe code from safe Rust and minimize unsafe code through safe abstractions. Furthermore, using Rust's type system, we ensure the safety of the unsafe memory accesses performed by the trusted Rust core. Compared with KVM and SeKVM, KrustVM's performance loss is modest, demonstrating the feasibility of securing existing hypervisors through a C-to-Rust rewrite. | zh_TW |
dc.description.abstract | Commodity hypervisors play a vital role in cloud computing environments by overseeing hardware resources for virtual machines. However, their growing complexity and extensive attack surface pose significant security concerns. An attacker that exploits vulnerabilities in the privileged hypervisor codebase can gain unfettered access to VM data, compromising their safety. Previous attempts to retrofit hypervisors into small trusted cores have limitations, as the security still relies on the implementation of the trusted core. Moreover, formal verification on the TCB necessitates significant human effort and is not easily applicable to rapidly evolving codebases. Recently, Rust adoption has been increasing for its strong memory safety guarantees and performance efficiency. This thesis addresses challenges in rewriting and porting the C-based KVM TCB in SeKVM to Rust for a recent Linux long term support version. This allows the resulting hypervisor, KrustVM, to not only benefit from recent Linux advancements, but also be protected by Rust’s safety guarantees. KrustVM is designed with a focus on maximizing the safety of its unsafe Rust usages. We minimized and separated unsafe code from safe Rust by enclosing unsafe code within safe abstractions. Additionally, Rust's type system is utilized to ensure the memory safety of the unsafe memory accesses done by the trusted Rust core. KrustVM incurs modest overhead compared to mainline KVM and SeKVM, and demonstrates the practicality of securing existing hypervisors through a C-to-Rust rewrite. | en |
dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-09-07T17:11:55Z No. of bitstreams: 0 | en |
dc.description.provenance | Made available in DSpace on 2023-09-07T17:11:55Z (GMT). No. of bitstreams: 0 | en |
dc.description.tableofcontents | Contents: Verification Letter from the Oral Examination Committee i; Acknowledgements iii; Abstract (摘要) v; Abstract vii; Contents ix; List of Figures xi; List of Tables xiii; Chapter 1 Introduction 1; Chapter 2 Background 5; 2.1 Overview of the ARM Architecture 5; 2.2 KVM ARM 7; 2.3 HypSec 8; 2.4 SeKVM 9; 2.5 The Rust Programming Language 9; Chapter 3 Assumptions and Threat Model 17; Chapter 4 Implementing a Linux KVM TCB in Rust 19; 4.1 Forward Porting SeKVM from Linux 4.18 to Linux 5.15 19; 4.2 Integrating Rust and Linux 21; 4.3 Rewriting C-based KCore into Rust-based Rcore 22; 4.3.1 The Rewrite Process 22; 4.3.2 Rust Code Organization 22; 4.3.3 Rust-Rewrite Challenges 24; 4.3.4 Unsafe Rust Usages 25; 4.4 Bringing up KrustVM on Real Hardware 27; Chapter 5 Securing Rcore Memory Accesses 31; 5.1 Rcore Memory Regions 32; 5.2 Memory Region Isolation 33; 5.2.1 Raw Pointer Access: Rcore Metadata 34; 5.2.2 Raw Pointer Access: Generic Area 35; 5.2.3 Raw Pointer Access: Page Table Pool 36; 5.2.4 Raw Pointer Access: SMMU 38; Chapter 6 Evaluation 39; Chapter 7 Related Work and Future Work 43; 7.1 Related Work 43; 7.1.1 VM Protection 43; 7.1.2 Rust-based Systems 44; 7.1.3 Verification and Formal Methods 44; 7.2 Future Work 46; Chapter 8 Conclusions 49; References 51. List of Figures: Figure 4.1 KVM ARM Per-CPU Variables Mechanism 27; Figure 4.2 KCore overlaps the unusable hole on Rpi-4B 28; Figure 4.3 Overlap prevention 29; Figure 5.1 Memory Regions 33; Figure 6.1 Application Benchmark Performance: Overhead normalized to the bare-metal setup 42; Figure 6.2 Application Benchmark Performance: Overhead normalized to mainline KVM 42. List of Tables: Table 4.1 Rcore metadata 23; Table 6.1 Application Benchmarks 41 | - |
dc.language.iso | en | - |
dc.title | Implementing a Secure Rust-based Linux KVM Hypervisor | zh_TW |
dc.title | On Implementing a Secure Rust-based Linux KVM Hypervisor | en |
dc.type | Thesis | - |
dc.date.schoolyear | 111-2 | - |
dc.description.degree | Master's | - |
dc.contributor.oralexamcommittee | 蕭旭君;黃敬群 | zh_TW |
dc.contributor.oralexamcommittee | Hsu-Chun Hsiao;Ching-Chun Huang | en |
dc.subject.keyword | System Security, Operating Systems, Virtualization, KVM, Rust | zh_TW |
dc.subject.keyword | System Security, Operating Systems, Virtualization, KVM, Rust | en |
dc.relation.page | 58 | - |
dc.identifier.doi | 10.6342/NTU202301822 | - |
dc.rights.note | Authorization granted (open access worldwide) | - |
dc.date.accepted | 2023-07-31 | - |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | - |
dc.contributor.author-dept | Department of Computer Science and Information Engineering | - |
dc.date.embargo-lift | 2024-12-31 | - |
Appears in collections: | Department of Computer Science and Information Engineering |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-111-2.pdf | 738.57 kB | Adobe PDF | View/Open |
All items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.