Design, Development and Automated Verification of an Integrity-Protected Hypervisor

Sagar Chaki, Amit Vasudevan, Limin Jia, Jonathan McCune, and Anupam Datta

July 16, 2012

CMU-CyLab-12-017

CyLab
Carnegie Mellon University
Pittsburgh, PA 15213
Design, Development, and Automated Verification of an Integrity-Protected Hypervisor

Sagar Chaki  Amit Vasudevan  Limin Jia  Jonathan McCune  Anupam Datta
Carnegie Mellon University, Pittsburgh, PA, USA
chaki@sei.cmu.edu  amitvasudevan@acm.org  liminjia@cmu.edu  jonmccune@cmu.edu  danupam@cmu.edu

ABSTRACT

Hypervisors are a popular mechanism for implementing software virtualization. Since hypervisors execute at a very high privilege level, they must be secure. A fundamental security property of a hypervisor is memory integrity—the hypervisor’s memory must not be modified by software running at a lower privilege level. In this paper, we present a methodology—called DRIVE—for designing, developing, and verifying hypervisors to ensure memory integrity. DRIVE combines the power of architectural constraints (captured by a set of system properties and verification conditions) with that of formal analysis (used to discharge the verification conditions). We prove that any hypervisor satisfying the DRIVE properties and verification conditions has memory integrity. We validate DRIVE by using it to develop a hypervisor called XMHF for multi-core systems. In particular, we show how to ensure the DRIVE properties in XMHF by combining hardware virtualization support with design and development decisions. We also show how to discharge the DRIVE verification conditions on XMHF using the CBMC model checker. CBMC verified XMHF’s implementation—about 4700 lines of C code—in about 80 seconds using less than 2GB of RAM.

General Terms
Security; Verification; Hypervisor; Integrity; Model Checking; Design

1. INTRODUCTION

Hypervisors [54] are increasingly used on modern computing platforms, including desktops, servers, mobile and cloud computing [25, 55]. A hypervisor is a mechanism to help implement a virtual computing platform. It sits between the hardware and one or more “guest” operating systems, presenting to the guests a virtual operating platform and managing their execution. Hypervisors have proved to be an effective means to improve hardware utilization, reduce power and cooling costs, and streamline backup, recovery, and data center management, thus leading to their widespread adoption in practice.

However, from a system security perspective, hypervisors are yet another maximally privileged software component in the trusted computing base. While they are always designed and implemented to meet stringent performance and feature requirements, formal assurances about their security and functional correctness properties are often ignored. In several instances, vulnerabilities have been reported in deployed hypervisors (e.g., [1–7, 46, 70]), which have subsequently been patched. Recognizing that iterative patching of discovered vulnerabilities is both expensive and dangerous as hypervisors and related systems software become more complex and tightly interwoven into critical software systems, there have been several efforts at verifying security-relevant properties of the source code of these systems [22, 40, 45, 68]. However, most of these efforts have required significant manual effort.

Against this background, we make two contributions. Our first contribution is a methodology for designing, developing, and automatically verifying hypervisors to ensure memory integrity. Roughly, memory integrity means that the hypervisor memory is only modified by software running in privileged mode. In particular, this implies that guests are unable to modify hypervisor memory directly. We focus on memory integrity because it is a key security property for virtualized systems. Without memory integrity, portions of the hypervisor that manage the isolation of memory pages between guests are open to malicious modifications, thereby allowing one guest to read and modify the code or data of another guest or the hypervisor itself. Memory integrity is therefore necessary for other important security goals, such as data secrecy and availability of the hypervisor as well as guests.

We call our methodology DRIVE—“Designing hypervisors for Rigorous Integrity Verification”. Intuitively, DRIVE is composed of a set of hypervisor properties, a set of verification conditions required to be true of the hypervisor, and a proven claim that the properties and verification conditions entail the hypervisor’s memory integrity. Thus, DRIVE combines architectural constraints (expressed by the system properties and verification conditions) with that of automated formal analysis (used to discharge the verification conditions). Specifically, DRIVE stipulates the following properties:

1. The hypervisor architecture is modular (property MOD)—it includes an initialization function that runs when the system starts executing and a set of intercept handlers that are invoked when certain events are caused by guests (e.g., I/O operations, interrupts) and devices (e.g., direct memory access). Following prior work in the security literature [32, 49], we define the capabilities of the adversary against the hypervisor in terms of the hypervisor interfaces (i.e., the intercept handlers) that it can invoke with arbitrary inputs.

2. The hypervisor includes a mandatory access control mecha-
nism to mediate access to hypervisor memory in unprivileged mode (property MAC).

3. The hypervisor has control flow integrity [8], i.e., the control flow during the execution of \( H \) always respects its source code (CFI).

4. The initialization function executes atomically in a single-threaded environment and each intercept handler also executes atomically in a single-threaded environment (ATOM).

In addition, DRIVE includes two verification conditions that state that memory integrity holds after the initialization function executes and is preserved by every intercept handler. Our main result (Theorem 1) is that any hypervisor satisfying the DRIVE properties and verification conditions has memory integrity.

Even though a virtualized system is inherently concurrent – e.g., guests are multi-threaded and execute on multiple cores – an important feature of DRIVE is that discharging its verification conditions requires us to verify only sequential programs. The main reason behind this is that the system properties mandated by DRIVE enable us to “sequentialize” (see Definition 1) the semantics of the target virtualized system. Verification of sequential programs is recognized to be more tractable than that of concurrent programs. Thus, DRIVE concretizes the idea [15,59,69] that architectural constraints enable more effective analysis for ensuring quality attributes. Further details are presented in Section 3.

Our second contribution is the development of a hypervisor called XMHF [65] using DRIVE. In particular, we show how the DRIVE system properties are ensured in XMHF by a combination of hardware virtualization primitives, and design and development decisions. In addition, we show how the DRIVE verification conditions are discharged on XMHF using the software model checker CBMC [19]. CBMC discharged the verification conditions on the entire XMHF runtime – about 4700 lines of C code – in about 90 seconds using less than 2GB of RAM (see Section 4.6 for more details).

The verification of XMHF was not only automated, but also development compatible. More specifically, it was engineered to be repeatable with minimal effort as the implementation of XMHF was modified. In particular, this means that the verification required no manually supplied invariants or annotations. Development compatibility was extremely useful as XMHF was verified repeatedly and routinely (in fact, as part of its build process) during development. Further details about the engineering of XMHF verification and its development compatibility are presented in Sections 4.3–4.5.

Indeed, our experience with XMHF has led to the belief that DRIVE is compatible with – and would aid – cost-effective software maintenance. Maintainability is a desirable quality attribute of system software, such as hypervisors, which typically have long life spans. History suggests that disentangling development and evaluation for desired security properties of software [17,23,24,28,33,34,60,62,63] is extremely expensive. In the case of general software assurance, maintainability is often aided by a set of standards [64] for evaluating whether a patch or other change warrants full re-evaluation. We expect that DRIVE would play a similar role in the context of hypervisor integrity.

From here on, unless otherwise mentioned, we use the term integrity to refer to memory integrity. The rest of this paper is organized as follows. Section 2 provides background on hypervisors, hardware virtualization primitives, and memory integrity. Section 3 presents the DRIVE methodology. In Section 4 we describe our experience in applying DRIVE to develop and verify XMHF in a development compatible manner. In Section 5, we survey related work. Finally, we discuss important issues raised by this research and conclude in Section 6.

2. BACKGROUND

A hypervisor is a popular hardware virtualization technique that allows multiple operating systems, termed guests, and virtual devices to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory (OS kernel) program. The hypervisor presents to the guests and devices a virtual operating platform and manages their execution. In general, the guests consist of multiple instances of a variety of operating systems sharing the virtualized hardware resources. The guests and devices are untrusted and constitute the attacker.

2.1 Virtualization Primitives

We focus on hypervisors that rely on certain hardware virtualization primitives. These primitives are supported by current x86 computing platforms [11,43], and are also making their way on embedded ARM architectures [12]. In particular, we are interested in hardware virtualization primitives that enable the following features:

- The CPU executes in two overarching modes: (a) host-mode (or privileged mode) – where the hypervisor executes, and (b) guest-mode (or unprivileged mode) – where the guests execute. The privileged and unprivileged modes have separate address spaces and CPU registers.
- At system boot time, the hypervisor is able to execute a designated piece of code before the attacker has access to system memory. This is used by the hypervisor to correctly initialize memory protection mechanisms.
- The execution state of each guest is maintained in a separate data structure. This is important for guest event handling, as described next.
- The hypervisor is able to associate intercept handlers with certain events caused by the attacker. Specifically, these events are caused by guests (e.g., instructions, I/O operations, exceptions and interrupts) and devices (e.g., direct memory access). The hardware ensures that whenever such an event \( e \) occurs, the following sequence of actions occur:
  1. The execution state of each guest is saved in its own data structure.
  2. CPU execution is switched to privileged mode.
  3. The intercept handler for \( e \) is executed.
  4. CPU execution is switched back to unprivileged mode.
  5. Execution state of each guest is restored and guest execution is resumed.

Figure 1 shows a high level architectural view of a virtualized system that relies on the virtualization features presented above. Popular commercial and open-source hypervisors – e.g., VMware ESX/ESXi, Hyper-V, KVM, and VirtualBox – adhere to this architectural view. Note that memory access occurs in three ways: (i) during hypervisor initialization; (ii) by guests and devices; and (iii) by intercept handlers triggered by the guests and devices.
2.2 Integrity Protection

Recall that we focus on integrity as our security objective. Note that in Figure 1, we differentiate between two types of memory – hypervisor memory denoted by a set of addresses $M$, and guest memory. Note that $M$ refers to both hypervisor code and data. Integrity means that hypervisor memory is never modified by attacker code. Since attacker code always runs in unprivileged mode, integrity is ensured if hypervisor memory is only modified by code executing in privileged mode.

More specifically, integrity means that all changes to hypervisor memory are caused by direct action within the intended execution of the hypervisor’s own instructions (e.g., initialization and intercept handlers). Further, integrity requires that neither hypervisor code nor data can be directly accessed via Direct Memory Accesses (DMA) by devices. Note that shared memory pages between the hypervisor and guests – which are writable by guests – are considered to be part of guest memory. Modification of these pages by the attacker, therefore, does not violate integrity. Finally, we assume that the hardware behaves in accordance with its specification.

3. THE DRIVE METHODOLOGY

In this section, we present the DRIVE methodology for hypervisor design and development. We consider a virtualized system $V = (H, A, M)$, where $H$ is the hypervisor, $A$ is the attacker representing malicious guests and devices, and $M$ is the hypervisor memory. As mentioned before, DRIVE consists of a set of system properties and verification conditions, together with an argument the these properties and verification conditions imply hypervisor integrity. We first present the DRIVE properties and verification conditions in detail. We end this section with the argument – see Theorem 1 – that any hypervisor satisfying the DRIVE properties and verification conditions has memory integrity.

3.1 DRIVE Properties

Recall that $V$ executes in two modes – privileged and unprivileged. The DRIVE methodology mandates four properties on $V$. The first property ensures mandatory control of accesses to hypervisor memory. It is expressed as two sub-properties:

- $(MAC)(a)$ $H$ uses an access control mechanism to control access to memory in unprivileged mode, and stores all state related to the access control mechanism in $M$; $(MAC)(b)$ in unprivileged mode, the hardware ensures that all access to memory is subjected to the access control mechanism.

The remaining three properties impose restrictions on the hypervisor’s implementation and its response to the attacker’s actions.

- $(CFI)$ The hypervisor has control flow integrity [8], i.e., the control flow during the execution of $H$ always respects its source code.

- $(MOD)$ Initialization is implemented by a function $init()$ and the intercept handlers are implemented by functions $ih_1(), \ldots, ih_k()$.

- This property ensures the atomicity of initialization and intercept handling. It is expressed by two sub-properties: $(ATOM)(a)$ at the start of $V$’s execution, $init()$ runs completely in a single-threaded environment before any other code executes; $(ATOM)(b)$ the intercept handlers $ih_1(), \ldots, ih_k()$ always execute in a single-threaded environment.

Note that ATOM requires only privileged (i.e., hypervisor) code to be serialized. Unprivileged code is able to exercise all available cores and spawn as many threads as necessary. As recent CPUs supporting hardware virtualization are designed to minimize traps to the hypervisor when executing in unprivileged mode, ATOM does not unacceptably degrade the hypervisor’s performance.

Figure 2 gives an architectural view of a virtualized system developed with DRIVE. Note that it is a refined version of Figure 1. In particular, it shows that all memory accesses by the attacker are mediated by the access control mechanism implemented in hardware. The mechanism checks whether the memory access is allowed by the access control mechanism state, and either lets it proceed, or triggers the appropriate intercept handler in $H$.

3.2 Sequentialization

Properties $CFI$, $MOD$ and $ATOM$ lead to a natural sequentialization of $V$’s execution, denoted by $Seq(V)$, and shown in Figure 3. Intuitively, the first step after “power on” is initialization, during which the memory access table is set up. Subsequently, code executes either:

- in unprivileged mode by $A$, specifically, by guest code and direct memory access (DMA) by devices; or

- in privileged mode by $H$, specifically, by intercept handlers triggered by $A$.

Given two sequential programs $f$ and $g$, let $f + g$ denote the sequential program that non-deterministically executes either $f$ or $g$. Clearly $+$ is commutative and associative. Also, for any function $f$, let $f(\ast)$ denote the execution of $f$ under an arbitrary calling context. Then $Seq(V)$ is defined formally as follows:
guest code

\section{Guests}

\section{Attacker}

\section{Access Control}

\section{M}

\section{Proof Sketch.}

Recall that integrity means that the contents of 

\section{ϕ}

\section{condition – denoted by 

\section{init}

\section{Definition of integrity protected memory. 

\section{ Initialization conditions hold: 

\section{VC1} \section{init(*)} \section{ensures} \section{ϕ(M). 

\section{VC2} \section{for} \section{i ∈ [1, k]} \section{ih}_{i}(*) \section{preserves} \section{ϕ(M). 

\section{Theorem 1.} \section{V} \section{is integrity protected iff} \section{the following two verification conditions hold: 

1. \section{VC1} \section{init(*)} \section{ensures} \section{ϕ(M). 

2. \section{VC2} \section{for} \section{i ∈ [1, k]} \section{ih}_{i}(*) \section{preserves} \section{ϕ(M). 

\section{Proof Sketch.} 

Recall that integrity means that the contents of hypervisor memory \section{M} are only modified in privileged mode. The forward implication is trivial since, if either \section{VC1} or \section{VC2} does not hold, then there is an input \section{x} such that \section{init}(\section{x}) or \section{ih}_{i}(\section{x}) leads to a violation of \section{ϕ(M)}. Subsequently, unprivileged code is free to modify \section{M}. 

For the reverse implication, recall the definition of \section{Seq(V)} from Definition 1. Note that \section{MAC} implies that the execution of the attacker code \section{A()} preserves \section{ϕ(M)}. Indeed, since the access control mechanism state is itself part of \section{M}, any attempt by \section{A()} to violate \section{ϕ(M)} leads to the triggering of an intercept handler. 

Therefore, if \section{VC1} and \section{VC2} holds, then from Definition 1, we know that \section{ϕ(M)} is an inductive invariant of \section{Seq(V)}. This, together with \section{MAC}, implies that \section{V} is integrity protected. 

Note that \section{MAC} is used directly in the proof of Theorem 1. The remaining three properties (\section{CFI}, \section{MOD}, and \section{ATOM}) are required to define \section{Seq(V)} (Definition 1), on which the proof of Theorem 1 relies as well. Thus, all \section{DRIVE} properties are necessary for the soundness of our approach. Note that \section{VC1} and \section{VC2} can be discharged by verifying a sequential program, even though the virtualized system itself is concurrent. The key here is of course properties \section{CFI}, \section{MOD}, and \section{ATOM}, which enable us to define the semantics of \section{V} as a sequential program and subsequently prove Theorem 1.

\section{4. Using \section{DRIVE} To Develop \section{XMHF}}

In this section, we report on our experience in using \section{DRIVE} to develop \section{XMHF} [65]. In particular, we show how the \section{DRIVE} properties guide the design and development of \section{XMHF}, and how the \section{DRIVE} verification conditions are reduced to assertions that are then automatically model checked on \section{XMHF}'s source code.

\section{4.1 \section{XMHF Background}}

Architecturally, \section{XMHF} consists of an \section{XMHFCORE} and an \section{HYPPAPP} [65]. The \section{XMHFCORE} contains the core hypervisor functionality (e.g., platform initialization, multi-core support, memory and DMA protections) while the \section{HYPPAPP} extends this core functionality.

\section{Figure 2: High level view of a virtualized system developed via \section{DRIVE}.} 

\section{Figure 3: Life cycle of a \section{DRIVE} virtualized system from the point of view of memory accesses.}
to implement a customized hypervisor. XMHF runs on commodity hardware-virtualized x86 platforms (Intel and AMD).

XMHF supports a single guest. If the underlying hardware is multicore, the guest is able to utilize as many cores as it needs. All interrupts are passthru to the guest. This means that the guest handles all these interrupts directly without intervention from XMHF, resulting in optimal system performance. Note that this hypervisor execution model of a single-guest with passthru interrupts resonates with mechanisms employed by several recent research efforts in the ad-hoc hypervisor space such as CloudVisor [72], TrustVisor [50], Lockdown [66], XTRec [67], SecVisor [57], Proxox [61] and Nizza [39]. XMHF therefore provides a common base which helps in realizing these existing hypervisor solutions as HYAPP instances, while also providing memory integrity.

Figure 4 shows a high level view of a virtualized system based on XMHF. Note that Figure 4 further refines Figure 2 by incorporating details specific to XMHF. In particular, the access control mechanism state consists of two tables – the Memory Management Unit (MMU) table 1, and the Input Output Memory Management Unit (IOMMU) table.

Each core on a hardware-virtualized x86 CPU executes in either host-mode (where the hypervisor executes) or guest-mode (where the guest executes). In either mode, the hardware uses the IOMMU table to determine if a DMA transfer by a particular device is allowed. If a violation of the IOMMU permissions is observed, the hardware disallows the requested DMA. In contrast, the hardware enforces MMU table access control only in guest mode. In particular, the hardware ensures that all memory accesses by guest instructions go via a two-level translation in the presence of the MMU table. First, the virtual address supplied by the guest is translated to a guest physical addresses using guest paging structures. Next, the guest physical addresses are translated into the actual system physical addresses using the permissions specified within the MMU table.

If the access requested by the guest violates the permissions stored in the MMU table, the hardware triggers an exception.

4.2 Mechanisms to Ensure Drive Properties
At system startup, XMHF is loaded via a dynamic-launch operation [42] – a feature available on commodity x86 CPUs. Using dynamic-launch ensures that the XMHF loader code executes in a hardware-protected environment, which in turn transfers control to the XMHFCORE runtime. The runtime initializes the hypervisor memory such that \( M \) (see Definition 2) holds, switches the CPU execution to guest-mode, and starts executing the guest. We now describe how XMHF ensures MAC, CFI, MOD, and ATOM.

4.2.1 Ensuring MAC
For MAC (a), XMHF uses the MMU table and the IOMMU table to store memory access permissions for guests and devices, respectively. In addition, XMHF ensures that both MMU and IOMMU tables reside in the hypervisor memory \( M \). Thus, as shown in Figures 4, the access control mechanism is logically partitioned into two sub-mechanisms, one for guests (that uses the MMU table) and the other for devices (that relies on the IOMMU table).

XMHF ensures MAC (b) by a combination of system initialization, runtime intercept handling, and hardware semantics. Recall that IOMMU and MMU tables can only be initialized and activated by software running on the CPU in host-mode. However, the IOMMU table access control protections are enforced by the hardware for all devices in the system in both guest and host modes. In contrast, MMU access control protections are enforced by a CPU core only when the core is operating in guest-mode. On x86 (and ARM) platforms, only one core – called the boot-strap processor (BSP) – is enabled when the system starts. The other cores are placed in a halted state until activated by software running on the BSP. The BSP starts up devoid of any memory protections. During its initialization, XMHF switches the BSP to host-mode and sets up the IOMMU table. This ensures that IOMMU access control remains enabled in all future system states. XMHF then activates the remaining cores in the system and switches them to host-mode as well. Next, XMHF sets up the MMU table on all the cores and switches the BSP to guest-mode to boot the guest operating system; the remaining cores idle in host-mode. Finally, XMHF uses intercept handling to ensure that the remaining cores are switched to guest-mode before they execute guest code. This scheme ensures that MMU access control is always enabled for all CPU cores in the

1The MMU table is called the “Nested Page Table” and the “Extended Page Table” on AMD and Intel platforms, respectively.
Figure 5: Partial call graph of the top-level intercept handler `ihub()` in XMHF. The function `setprot()` is used to make all changes to the MMU and IOMMU tables.

System. The exact details behind this process are presented later in Section 4.3.

4.2.2 Ensuring CFI
We assume that XMHF satisfies CFI, i.e., it has control flow integrity. Since XMHF is implemented in C, we believe that existing techniques [8] are capable of discharging this assumption.

4.2.3 Ensuring MOD
MOD is ensured by organizing the source code of XMHF to make the implementations of `init()`, `ih_1()`, ..., `ih_k()` modular. We now present this step in more detail.

The name of the `init()` function in XMHF is `emhf_runtime_main()`. This function first performs required platform initialization, initializes memory such that \( \varphi(M) \) holds, then switches the boot-strap processor (BSP) to guest-mode before starting the guest.

XMHF has a single top-level intercept handler function called `emhf_parteventhub_intercept_handler`. For brevity, we refer to this function as `ihub()`. This function is called whenever one of the following seven intercepts\(^2\) is triggered:

- `ioio` - for I/O port interception;
- `msr` - for trapping accesses to critical CPU model specific registers;
- `npf` - for handling nested page faults;
- `dbexception` - for ensuring guest-mode execution (see Section 4.3);
- `init` - for handling guest shutdown and restarts;
- `vmmcall` - for handling guest hypercalls; and
- `nmi` - for ensuring ATOM (see Section 4.2.4).

The arguments of `ihub()` indicate the actual interrupt that was triggered. Based on the value of these arguments, `ihub()` executes an appropriate sub-handler. For simplicity, we refer to the sub-handler that handles intercept \( e \) as `ih_e()`. Figure 5 shows a partial call graph for `ihub()` highlighting the sub-handlers, and a special function `setprot()` used to discharge VC1 on XMHF (see Section 4.4 for more details).

As mentioned before, the `npf` intercept indicates a violation of MMU table permissions by a guest memory access. The `nmi` intercept is used to ensure ATOM (b), and the `dbexception` intercept is used to ensure MAC (b) on multi-core hardware. These are discussed in more detail later.

4.2.4 Ensuring ATOM
ATOM (a) is ensured by initially boot-strapping XMHF using a dynamic-launch operation. Dynamic-launch is a capability on current x86 (AMD and Intel) platforms that allows an arbitrary piece of code to execute in isolation from everything else on the system except for the CPU, memory, and chipset. The use of dynamic-launch and the launched code is securely recorded in the Trusted Platform Module (TPM) [36]. Further, the environment after dynamic-launch does not allow any interrupts or asynchronous executions.

ATOM (b) is ensured by XMHF using a mechanism called core quiescing, which is implemented as follows. Suppose an intercept \( e \) is triggered on a specific core \( C \). If \( e \) is `nmi`, then `ih_e()` is implemented to be an idle loop. Otherwise, the first thing done by `ih_e()` is to send a Non-Maskable Interrupt (NMI) to all cores other than \( C \). Since the NMI cannot be masked, this causes all these other cores to execute `ih_nmi()`. Since `ih_nmi()` is an idle loop, in effect, all these other cores stall. `ih_e()` then handles \( e \) properly, and finally reactivates the other cores before resuming the guest.

4.3 Verifying Guest-Mode Execution
Recall that to ensure MAC (b), we must ensure that each core is set to execute in guest-mode before it executes any attacker code (Section 4.2.1). As mentioned before, on a single core CPU, XMHF's `init()` code switches the BSP core to guest-mode before booting the OS. For a multi core CPU, XMHF then activates the remaining cores in the system and switches them to host-mode which then idle within XMHF. Finally, XMHF uses the hardware's multi-core bring-up logic and intercept handling to ensure that the remaining cores are also switched to guest-mode before they execute guest code. We now describe this process in more detail in the context of commodity x86 platforms.

To bring a new core \( C \) online, the guest sends a startup interrupt processor interrupt (SIPI) to \( C \). However, on current x86 platforms, the default operating mode of \( C \) in response to a SIPI does not include any memory protections. Therefore, XMHF intercepts the SIPI and switches \( C \) to guest-mode before handing back execution to the guest. For x86 platforms, a SIPI interrupt is delivered to \( C \) via the CPU Local Advanced Programmable Interrupt Controller (LAPIC). Specifically, the LAPIC has an Interrupt Control Register (ICR) that is used to deliver the SIPI to \( C \).

To support both Intel and AMD x86 platforms, XMHF uses a unified scheme to intercept guest multi-core activation. On both Intel and AMD hardware virtualized platforms, the LAPIC registers are accessed via memory-mapped I/O. The memory-mapped I/O region typically encompasses a single physical memory page. XMHF...
by the guest causes the hardware to trigger a
write to the LAPIC ICR. If a SIPI command was being written
Subsequently, assuming initialization.
leverages memory integrity to trap and intercept any changes to the
Guest
XMHF
triggered in response
Macro
Global
VC1
is discharged by manually inspecting the
emhf_runtime_main function of XMHF. Recall that this function is the
function for XMHF. In particular, we manually verified that the function assigns each entry in the MMU table and
the IOMMU table such that all addresses in \( M \) are designated read-only.

In the context of XMHF, discharging VC2 reduces to verifying that the execution of \( ihub() \) preserves \( \varphi(M) \). We discharge this verification condition via software model checking. In particular, we verify that the execution of \( ihub() \) does not modify permissions of any address in \( M \). Again, the key insight is that this property can be verified by proving the validity of a properly inserted assertion in XMHF. Specifically, we engineer the verification as follows:

1. The hypervisor memory is maintained in a contiguous set of addresses beginning at HVLO and ending at HVHI. This means that preserving \( \varphi(M) \) reduces to ensuring that permissions of memory addresses between HVLO and HVHI are unaltered.

2. All changes to MMU and IOMMU tables are performed in a function called setprot(). Figure 7 shows the outline of setprot(). Note that every statement that potentially modifies the permission of a memory address \( a \) is preceded by an assertion that checks that \( a < HVLO \land a > HVHI \).

Therefore, we discharge VC2 by verifying that no execution of \( ihub() \) leads to the failure of the assertion embedded in setprot(). Once again, we used CBMC to check the validity of this assertion. Our experiments and results are presented in detail in Section 4.6.

Again, note that the assertions inserted in setprot() are for verification purposes only. They are eliminated by the preprocessor while compiling the production version of XMHF, ensuring that there are no unnecessary assertion checks at runtime.

4.4 Discharging Verification Conditions

4.5 Development Compatible Verification

The mechanisms used to ensure properties MAC (a), CFI, MOD, and ATOM discussed in Section 4.2 are independent of XMHF’s
implementation. They depend either on the hardware or on design choices embedded in XMHF. These mechanisms do not change during XMHF’s development, and are therefore development compatible. We now discuss how the verification of guest-mode execution – i.e., MAC (b) – and the discharging of verification conditions were both achieved in a development compatible manner for XMHF.

Development Compatible Discharging of Verification Conditions. Recall our approach to discharge VC1 and VC2 on XMHF presented in Section 4.4. Although VC1 is discharged manually, it requires inspection of a small piece of code (approximately 400 SLOC), and is therefore development compatible. Also, the discharging of VC2 requires no user-supplied invariants or annotations. Therefore, after any change to XMHF’s implementation, we are able to re-verify ihub() with minimal manual effort. In particular, if there are no changes to ihub(), then we simply repeat the verification with CBMC. If there are changes to ihub(), we ensure that ihub() is consistent with Figure 6 before re-verifying with CBMC. Hence, our approach to verify guest-mode execution is development compatible.

Experience with Other Model Checkers. We also tried to verify P and the ten buggy programs with three other publicly available software model checkers that target C code – BLAST [41], SATABS [21], and WOLVERINE [47]. In each case, we used the latest publicly available version of the model checker. All these model checkers are able to verify programs with loops and use an approach called Counterexample Guided Abstraction Refinement (CEGAR) [13, 20] combined with predicate abstraction [35]. BLAST 2.5 could not parse any of the target programs. In contrast, SATABS 3.1 timed out in all cases after several iterations of the CEGAR loop. On the other hand, WOLVERINE 0.5c ran out of memory in all cases during the first iteration of the CEGAR loop. Further details are presented in Table 1.

BLAST only accepts preprocessed C code. Therefore, to provide consistent input to all model checkers, we first preprocessed XMHF source code with gcc. This resulted in about 237 KLOC for each of our eleven target programs, even though the actual XMHF implementation is about 4700 LOC.

5. RELATED WORK

A sound architecture [15, 59] is known to be essential for the development of high quality software. Moreover, there has been a
Table 1: Summary of experimental results with CBMC, SATABS, and WOLVERINE. OP = number of assignments after slicing; SP = number of assignments after slicing; VCC = number of VCCs after simplification; Vars = number of variables in SAT formula; CLS = number of clauses in SAT formula; DPT = time (sec) taken by SAT solver; Time = total time (sec); Mem = maximum memory (MB); in all cases, SATABS timed out and WOLVERINE ran out of memory; Iter = number of CEGAR iterations that were started before time or memory out.

<table>
<thead>
<tr>
<th>Program</th>
<th>OP</th>
<th>SP</th>
<th>VCC</th>
<th>Vars</th>
<th>CLS</th>
<th>DPT</th>
<th>Time</th>
<th>Mem</th>
<th>Iter</th>
<th>Mem</th>
<th>Iter</th>
<th>Time</th>
</tr>
</thead>
<tbody>
<tr>
<td>$P$</td>
<td>1654</td>
<td>1452</td>
<td>111</td>
<td>437688</td>
<td>1560024</td>
<td>24.813</td>
<td>75.75</td>
<td>1938</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>168.47</td>
</tr>
<tr>
<td>$P^{+}$</td>
<td>1667</td>
<td>1465</td>
<td>116</td>
<td>438172</td>
<td>1561191</td>
<td>26.964</td>
<td>80.85</td>
<td>1959</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>168.52</td>
</tr>
<tr>
<td>$P^{++}$</td>
<td>1668</td>
<td>1466</td>
<td>116</td>
<td>438308</td>
<td>1561585</td>
<td>24.840</td>
<td>78.76</td>
<td>1959</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>168.60</td>
</tr>
<tr>
<td>$P^{++++}$</td>
<td>1669</td>
<td>1467</td>
<td>116</td>
<td>438436</td>
<td>1561919</td>
<td>24.823</td>
<td>78.96</td>
<td>1910</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>297.17</td>
</tr>
<tr>
<td>$P^{+++}$</td>
<td>1653</td>
<td>1451</td>
<td>117</td>
<td>463813</td>
<td>1668782</td>
<td>25.707</td>
<td>79.85</td>
<td>1910</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>247.28</td>
</tr>
<tr>
<td>$P^{++}$</td>
<td>1654</td>
<td>1452</td>
<td>111</td>
<td>476241</td>
<td>1728039</td>
<td>28.325</td>
<td>81.90</td>
<td>1910</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>168.64</td>
</tr>
<tr>
<td>$P^{+}$</td>
<td>1652</td>
<td>1450</td>
<td>111</td>
<td>437676</td>
<td>1559556</td>
<td>24.894</td>
<td>78.74</td>
<td>1910</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>205.72</td>
</tr>
<tr>
<td>$P$</td>
<td>1634</td>
<td>1441</td>
<td>111</td>
<td>437848</td>
<td>1560013</td>
<td>24.983</td>
<td>78.74</td>
<td>1910</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>173.81</td>
</tr>
<tr>
<td>$P^{+}$</td>
<td>1652</td>
<td>1450</td>
<td>111</td>
<td>437687</td>
<td>1560021</td>
<td>24.532</td>
<td>77.70</td>
<td>1910</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>281.44</td>
</tr>
<tr>
<td>$P^{++}$</td>
<td>1652</td>
<td>1450</td>
<td>111</td>
<td>437686</td>
<td>1560018</td>
<td>24.672</td>
<td>78.80</td>
<td>1958</td>
<td>36</td>
<td>394</td>
<td>1</td>
<td>275.40</td>
</tr>
</tbody>
</table>

The idea of an interface constrained adversary [26, 32] has been used to model and verify security properties of a number of different classes of systems. In particular, pinning down the attacker’s interface enables systematic and rigorous reasoning about security guarantees. This idea appears in our work as well. Specifically, restricting the attacker’s interface with the hypervisor to a set of intercept handlers is crucial for the feasibility of DRIVE.

Control flow integrity (CFI) is one of the key system properties on which DRIVE relies. Techniques for ensuring CFI [8] have been widely studied and implemented. In essence, all source code analysis techniques assume CFI in some form. We therefore consider CFI to be an important but complementary problem.

There has been considerable work on verifying security at the level of models. For example, Gutman et al. [37] employ model checking to verify information-flow properties of SELinux. Lie et al. verify XOM [48] using MURPHI\(^3\). XOM is a hardware-based approach for tamper-resistance and copy-resistance. Mitchell et al. [51, 52] use MURPHI to verify the correctness of (and find bugs in) security protocol specifications. Franklin et al. [29, 30] have developed a set of techniques for parametric verification of security properties of models of hypervisors. In contrast, we focus on verifying security at the level of source-code.

A number of projects have used software model checking and static analysis to find errors in source code, without a specific attacker model. Some of these projects [18, 38, 71] target a general class of bugs. Others focus on specific types of errors, e.g., Kidd et al. [44] detect atomic set serializability violations, while Emmi et al. [27] verify correctness of reference counting implementation. All these approaches require abstraction, e.g., random isolation [44] or predicate abstraction [27], to handle source code, and therefore, are unsound and/or incomplete. In contrast, our focus is on a methodology to develop a hypervisor that achieves a specific security property against a well-defined attacker.

Finally, there has been several research projects on security of operating system and hypervisor implementations. Neumann et al. [53], Rushby [56], and Shaprio and Weber [58] propose verifying the design of secure systems by manually proving properties using a logic and without an explicit adversary model. A number of groups [40, 45, 68] have employed theorem proving to verify security properties of OS implementations. Barthe et al. [14] formalized an idealized model of a hypervisor in the Coq proof assistant and Alkassar et al. [9, 10] and Baumann et al. [16] annotated the C code of a hypervisor and utilized the VCC [22] verifier to prove correctness properties. Approaches based on theorem proving are applicable to a more general class of properties, but also require considerable manual effort. For example, the verification of the SEL4 operating system [45] required several man years effort. In contrast our approach is more automated but focuses on the specific property of memory integrity. Franklin’s thesis [31] reports initial results on using CBMC to model check integrity properties of related small-TCB hypervisors’ runtimes (300 LOC). This work demonstrates that CBMC can be used to check integrity properties with very little manual input for a much larger hypervisor runtime (4700 LOC).

6. DISCUSSION AND CONCLUSION

We presented an approach, called DRIVE, to design, develop and automatically verify integrity-protected hypervisors. We also validated DRIVE by using it to develop an extensible and modular hypervisor framework called XMHF [65]. In particular, the verification steps involved were performed on the actual source code of XMHF—consisting of about 4700 lines of C code—using the CBMC model checker. Our experience suggests that DRIVE is applicable to develop integrity-protected hypervisors of realistic complexity.

Of the software model checkers that we experimented with, CBMC was the only one that succeeded in the verification tasks posed by XMHF and DRIVE. We believe that this is due to a combination of two factors: (i) the reachable code in XMHF had only bounded loops—CBMC would fail if this was not the case; (ii) CBMC models

---

\(^3\)http://verify.stanford.edu/dill/murphi.html
The system properties and verification conditions required by DRIVE are sufficient to guarantee memory integrity. However, we have not proven them to be necessary. Nevertheless, they serve as a useful checklist for reasoning about the integrity of other hypervisors as well. If a certain hypervisor satisfies the DRIVE properties and verification conditions, then, by Theorem 1, it is also integrity protected. If, on the other hand, it violates a certain property or verification condition, then the failure offers a starting point to detect integrity-related vulnerabilities.

We believe that DRIVE provides a good starting point for research and development on hypervisors with rigorous and “designed-in” security guarantees. One direction for future work is to extend DRIVE to other security properties, such as confidentiality. An immediate challenge here is that such a property may not be as easily expressible as integrity since the attacker’s interface is much less well-defined due to the possibility of covert channels etc. Yet another direction is to develop a hypervisor that supports multiple guests. The question here is whether DRIVE still guarantees integrity in such situations, and if not, how it must be updated so that integrity is assured.

7. REFERENCES
12-113.pdf.


