實作基於 Rust 之安全 Linux KVM 虛擬機器監測器

Abstract

通用的虛擬機器監測器在雲端計算環境中發揮著至關重要的作用，它們負責監管虛擬機器的硬體資源。然而，其日益複雜的設計和廣泛的攻擊面引發了重大的安全憂慮。攻擊者如果利用特權虛擬機器監測器的漏洞，就能夠不受限制地存取虛擬機器中的數據，從而危及其資訊安全。以前嘗試將虛擬機器監測器重構為小型受信任核心的嘗試存在局限性，因其安全性仍然依賴於受信任核心的實現。此外，對 TCB 的形式化驗證需要大量的人力投入，難以適用於快速發展的軟體專案。最近，由於其強大的記憶體安全保證和高性能，Rust 語言的應用逐漸增加。本論文着眼於解決將 SeKVM 中基於 C 語言的 KVM（內核虛擬機器）TCB 改寫並遷移到 Rust 的挑戰，為此選擇了最近版本的 Linux 長期支持版本。通過這樣的改寫，我們實作出的虛擬機器監測器 KrustVM 不僅能從最新的 Linux 進展中獲益，而且還能受益於 Rust 提供的安全保障。KrustVM 的設計重點在於最大化其不安全Rust 程式碼的安全性。我們將不安全程式碼與安全 Rust 隔離，並通過安全抽象將不安全程式碼最小化。此外，利用 Rust 的型別系統，我們確保了受信任 Rust 核心進行的不安全記憶體訪問的安全性。與 KVM 和 SeKVM 相比，KrustVM 的性能損失不大，展示了通過 C 到 Rust 的改寫來保障現有虛擬機器監測器的可行性。

Commodity hypervisors play a vital role in cloud computing environments by overseeing hardware resources for virtual machines. However, their growing complexity and extensive attack surface pose significant security concerns. An attacker that exploits vulnerabilities in the privileged hypervisor codebase can gain unfettered access to VM data, compromising their safety. Previous attempts to retrofit hypervisors into small trusted cores have limitations, as the security still relies on the implementation of the trusted core. Moreover, formal verification on the TCB necessitates significant human effort and is not easily applicable to rapidly evolving codebases. Recently, Rust adoption has been increasing for its strong memory safety guarantees and performance efficiency. This thesis addresses challenges in rewriting and porting the C-based KVM TCB in SeKVM to Rust for a recent Linux long term support version. This allows the resulting hypervisor, KrustVM, to not only benefit from recent Linux advancements, but also be protected by Rust’s safety guarantees. KrustVM is designed with a focus on maximizing the safety of its unsafe Rust usages. We minimized and separated unsafe code from safe Rust by enclosing unsafe code within safe abstractions. Additionally, Rust's type system is utilized to ensure the memory safety of the unsafe memory accesses done by the trusted Rust core. KrustVM incurs modest overhead compared to mainline KVM and SeKVM, and demonstrates the practicality of securing existing hypervisors through a C-to-Rust rewrite.