KVM Forum 2021 has ended
Virtual Event | September 15-16, 2021
View More Details

The Sched app allows you to build your schedule but is not a substitute for your event registration. In addition, you must be registered for KVM Forum to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Coordinated Universal Time (UTC)Please select from the drop-down menu to the right to see the schedule in your preferred timezone above "Filter by Date."
Thursday, September 16 • 15:05 - 15:30
Securing the Hypervisor with Control-Flow Integrity - Daniele Buono, IBM

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
In the cloud, the Hypervisor is usually the first line of defense against attacks from malicious users. But what if the Hypervisor itself is vulnerable to attacks? What can we do to protect the host, and other VMs, against Hypervisor attacks, specifically zero-day exploits, where only generic security countermeasures can be taken? In this seminar, we present our work with the QEMU community to upstream a new security mechanism by leveraging Clang's software implementation of both backward and forward Control-Flow Integrity (CFI) for x86 systems. We show how, and why, this technique can provide an effective protection against zero-day remote execution exploits based on buffer overflows and ROP attacks, sooner and more extensively than current countermeasures such as SELinux, AppArmor, or Seccomp. We will also explain why compiler-driven CFI offers better protection than hardware-based techniques such as Intel's CET. Finally, we will discuss the few incompatibilities we encountered in QEMU's codebase, and the possibility of enabling CFI with QEMU's plugins and modules, which are currently unsupported.

avatar for Daniele Buono

Daniele Buono

Daniele Buono is a Research Staff Member and Manager at the IBM T.J. Watson Research Center, where is currently leading the Security and Attestation for Hybrid Cloud group. He joined the Data-Centric Systems group at IBM Research in 2014, where he focused on High-Performance Computing... Read More →

Thursday September 16, 2021 15:05 - 15:30 UTC
  KVM Track 1
  • Presentation Slides Attached Yes