SecVisor

Seshadri, Arvind; Luk, Mark; Qu, Ning; Perrig, Adrian

doi:10.1145/1323293.1294294

Cited by 82 publications

(9 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This conforms to expectations in that the more thorough the security [45] CF 5579 SVA [44] M & CF No Data SecVisor [41] M 4092 SBCFI [46] CF No Data kGuard [22] CF 1000 PaX [49], [50] M & CF No Data Return-less Kernel [48] CF 2100…”

Section: (Ijacsa) International Journal Of Advanced Computer Science Andsupporting

confidence: 76%

See 1 more Smart Citation

Containing a Confused Deputy on x86: A Survey of Privilege Escalation Mitigation Techniques

Brookes¹,

Taylor²

2016

ijacsa

View full text Add to dashboard Cite

Abstract-The weak separation between user-and kernelspace in modern operating systems facilitates several forms of privilege escalation. This paper provides a survey of protection techniques, both cutting-edge and time-tested, used to prevent common privilege escalation attacks. The techniques are compared against each other in terms of their effectiveness, their performance impact, the complexity of their implementation, and their impact on diversification techniques such as ASLR. Overall the literature provides a litany of disjoint techniques, each of which trades some performance cost for effectiveness against a particular isolated threat. No single technique was found to effectively mitigate all known and potential attack vectors with reasonable performance cost overhead.

show abstract

Section: (Ijacsa) International Journal Of Advanced Computer Science Andsupporting

confidence: 76%

“…SecVisor [41] is an alternative virtualization technology leveraging hardware facilities to virtualize physical memory associated with modern processors. By utilizing this additional layer of translation from "guest physical" to "real physical" memory addresses, additional hardware memory protections can be enforced.…”

Section: B Secvisormentioning

confidence: 99%

Containing a Confused Deputy on x86: A Survey of Privilege Escalation Mitigation Techniques

Brookes¹,

Taylor²

2016

ijacsa

View full text Add to dashboard Cite

show abstract

“…Our initial code base was extracted from CMU's SecVisor's code [25]. However, we made various simplifications to eliminate functionality orthogonal to our concerns and to simplify our initial proof target.…”

Section: High Level Strategymentioning

confidence: 99%

“…Several research efforts have demonstrated that it is possible to construct small, robust and useful hypervisors. The SecVisor project [25] implemented two hypervisors (1739 and 1112 lines of code, respectively) supporting Linux kernel version 2.6.20. Their systems provide strong integrity guarantees.…”

Section: Related Workmentioning

confidence: 99%

“…Though our target hypervisor, called MinVisor, runs only one guest, its features provide some of the minimum requirements of typical hypervisors and provide some of the guarantees of CMU's SecVi-sor [25], a simple research hypervisor that we used as our initial jumping off point. Thus, MinVisor provides a simplified but useful platform on which to carry out our initial verification efforts.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Toward the Verification of a Simple Hypervisor

Dahlin

Johnson

Krug

et al. 2011

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

Virtualization promises significant benefits in security, efficiency, dependability, and cost. Achieving these benefits depends upon the reliability of the underlying virtual machine monitors (hypervisors). This paper describes an ongoing project to develop and verify MinVisor, a simple but functional Type-I x86 hypervisor, proving protection properties at the assembly level using ACL2. Originally based on an existing research hypervisor, MinVisor provides protection of its own memory from a malicious guest. Our long-term goal is to fully verify MinVisor, providing a vehicle to investigate the modeling and verification of hypervisors at the implementation level, and also a basis for further systems research. Functional segments of the MinVisor C code base are translated into Y86 assembly, and verified with respect to the Y86 model. The inductive assertions (also known as "compositional cutpoints") methodology is used to prove the correctness of the code. The proof of the code that sets up the nested page tables is described. We compare this project to related efforts in systems code verification and outline some useful steps forward.

show abstract

Toward a flexible and fine‐grained access control framework for infrastructure as a service clouds

Liu

et al. 2015

Security Comm Networks

View full text Add to dashboard Cite

Cloud computing, as an emerging computing paradigm, greatly facilitates resource sharing and enables providing computing power as services over the Internet. However, it also brings new challenges for security and access control, especially in infrastructure as a service clouds. The introduction of virtualization layer increases new security risks, which should be restricted and confined by more stringent access control techniques. In this paper, we propose a flexible and fine-grained access control framework, named IaaS-oriented Hybrid Access Control (iHAC), which combines the advantages of both the role-based access control and type enforcement model. We consider access control issues from the perspective of virtual machines. A permission transition model is designed to dynamically assign permissions to virtual machines. A Virtual Machine Monitor (VMM)-based access control mechanism is presented to confine the virtual machine's behaviors in a fine-grained manner. A VMM-enabled network access control approach is proposed to regulate the communication among virtual machines. iHAC is successfully implemented in the Internet based Virtual Computing Infrastructure (iVIC)† platform, and several experiments are conducted to evaluate its effectiveness and efficiency. The results show that iHAC can make correct access control decisions with low performance overhead

show abstract

SecVisor

Cited by 82 publications

References 9 publications

Containing a Confused Deputy on x86: A Survey of Privilege Escalation Mitigation Techniques

Containing a Confused Deputy on x86: A Survey of Privilege Escalation Mitigation Techniques

Toward the Verification of a Simple Hypervisor

Toward a flexible and fine‐grained access control framework for infrastructure as a service clouds

Contact Info

Product

Resources

About