APPENDICES and SUPPLEMENTS
Supplemental material for SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
ABSTRACT
We propose SecVisor, a tiny hypervisor that ensures code integrity for commodity OS kernels. In particular, SecVisor ensures that only user-approved code can execute in kernel mode over the entire system lifetime. This protects the kernel against code injection attacks, such as kernel rootkits. SecVisor can achieve this property even against an attacker who controls everything but the CPU, the memory controller, and system memory chips. Further, SecVisor can even defend against attackers with knowledge of zero-day kernel exploits. Our goal is to make SecVisor amenable to formal verification and manual audit, thereby making it possible to rule out known classes of vulnerabilities. To this end, SecVisor offers small code size and small external interface. We rely on memory virtualization to build SecVisor and implement two versions, one using software memory virtualization and the other using CPU-supported memory virtualization. The code sizes of the runtime portions of these versions are 1739 and 1112 lines, respectively. The size of the external interface for both versions of SecVisor is 2 hypercalls. It is easy to port OS kernels to SecVisor. We port the Linux kernel version 2.6.20 by adding 12 lines and deleting 81 lines, out of a total of approximately 4.3 million lines of code in the kernel.
CITED BY 11
Abhijit Bose , Xin Hu , Kang G. Shin , Taejoon Park, Behavioral detection of malware on mobile handsets, Proceeding of the 6th international conference on Mobile systems, applications, and services, June 17-20, 2008, Breckenridge, CO, USA
Takahiro Shinagawa , Hideki Eiraku , Kouichi Tanimoto , Kazumasa Omote , Shoichi Hasegawa , Takashi Horie , Manabu Hirano , Kenichi Kourai , Yoshihiro Oyama , Eiji Kawai , Kenji Kono , Shigeru Chiba , Yasushi Shinjo , Kazuhiko Kato, BitVisor: a thin hypervisor for enforcing i/o device security, Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 11-13, 2009, Washington, DC, USA
Andrew G. Miklas , Stefan Saroiu , Alec Wolman , Angela Demke Brown, Bunker: a privacy-oriented platform for network tracing, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.29-42, April 22-24, 2009, Boston, Massachusetts