(Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University, Shanghai 200240, China)
Keywords:  virtualization security  memory allocation  Rowhammer attack  Xen
Defense against Rowhammer Attack with Memory Isolation in Virtualized Environments
SHI Peitao,LIU Yutao,CHEN Haibo
Institute of Parallel and Distributed Systems, Shanghai Jiaotong University, Shanghai 200240, China
Virtualization security has gained increasing attention with the spread of cloud computing in recent years. Some common hardware-software contracts that were supposed to be the foundation of security systems have been violated by attacks such as "rowhammer". Adversaries have used rowhammer attacks to break the isolation between virtual machines and the hypervisor, threatening the security of the virtualized environment. To date, all known defenses against rowhammer either require hardware modification or are hard to deploy in a virtualized environment. We present a novel method that prevents the spread of rowhammer attacks by isolating the memory of different security domains (e.g., the hypervisor kernel and the virtual machines). We extend the physical memory allocator of Xen to be rowhammer-aware. Our solution requires no hardware modification and is transparent to the guest VMs. The evaluation shows its effectiveness in preventing rowhammer attacks, as well as its efficiency, introducing negligible overhead (the runtime performance overhead is lower than 6%, and the memory cost is lower than 0.1%).
Key words:  virtualization security  rowhammer attack  memory allocator  Xen
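As an added illustration of the isolation idea in the abstract (not the paper's or Xen's own code), the toy allocator below only hands a page frame to a security domain if neither that frame's DRAM row nor the two neighbouring rows hold pages of another domain, so a bit flip induced from one domain's rows cannot land in another's. It assumes a constructed linear page-frame-to-row mapping (`PAGES_PER_ROW`); real address-to-row mappings are hardware-specific.

```python
# Toy rowhammer-aware page allocator (illustrative model, not Xen's allocator).
# Assumption (constructed): page frame number pfn maps to DRAM row pfn // PAGES_PER_ROW.
PAGES_PER_ROW = 2


class RowAwareAllocator:
    def __init__(self, total_pages):
        self.total_pages = total_pages
        self.owner = {}  # pfn -> security domain id (e.g. "xen", "vm1")

    def row_of(self, pfn):
        return pfn // PAGES_PER_ROW

    def _row_owners(self, row):
        first = row * PAGES_PER_ROW
        return {self.owner[p] for p in range(first, first + PAGES_PER_ROW) if p in self.owner}

    def safe_for(self, pfn, dom):
        # A frame is safe for dom when its own row and both adjacent rows
        # contain no page belonging to a different security domain.
        row = self.row_of(pfn)
        for r in (row - 1, row, row + 1):
            if r < 0 or r * PAGES_PER_ROW >= self.total_pages:
                continue
            if self._row_owners(r) - {dom}:
                return False
        return True

    def alloc(self, dom):
        # First-fit over free frames, skipping any frame that would share or
        # neighbour a row with another domain. Returns the pfn or None.
        for pfn in range(self.total_pages):
            if pfn not in self.owner and self.safe_for(pfn, dom):
                self.owner[pfn] = dom
                return pfn
        return None

    def free(self, pfn):
        self.owner.pop(pfn, None)

    def verify_isolation(self):
        # Invariant: pages of different domains are at least two rows apart,
        # i.e. there is always an unused (or same-domain) guard row between them.
        pages = list(self.owner.items())
        for i, (p, d) in enumerate(pages):
            for q, e in pages[i + 1:]:
                if d != e and abs(self.row_of(p) - self.row_of(q)) < 2:
                    return False
        return True
```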