[Cryptography] Determining TLS session keys from the hypervisor
leichter at lrw.com
Mon Jun 13 14:53:05 EDT 2016
> I think something like AMD's Secure Memory Encryption could help foil
> this sort of attack. Assuming of course that the hypervisor actually
> enabled it.
This leads to an interesting challenge: How could you design a system in which it would be possible for a hypervisor to prove to a guest OS that something like Secure Memory Encryption is enabled, and remains enabled?
One way would be to provide a non-virtualizable instruction that would check the SME status of a page. Yes, a hypervisor could rewrite the code to eliminate the instruction - but if that's within your attack model, there's clearly nothing you can do, as you have no control at all over what runs in the guest. (There are various mechanisms out there - Microsoft has some papers on the problem - that make this considerably harder, though it'll always be possible.)
Of course, a hypervisor could turn SME off after the fact, so you'd also need some kind of callback - directly to the guest, not through the hypervisor's typical mediated dispatch - if the setting ever changes.
Granted, ultimately you have to trust the chip to get these instructions right. There's not really a way around trusting *some* base level.
There's a neat proposal out there - I read the paper but don't recall exactly where - that uses the inverse of this idea: If you trust your hypervisor, it allows you to run trusted processes *inside an untrusted guest OS*. The basic idea is that the hypervisor leaves pages that are declared by a process to be "sensitive" inaccessible even to the guest OS. Attempts to access such a page trap to the hypervisor as always. If they come from user mode, the page is decrypted and rendered accessible; if they come from the guest OS, the page is encrypted (using an authenticated mode) and then rendered accessible to the OS level. On a transition from user to OS mode, the pages are rendered inaccessible again. So both user mode and OS mode can see the pages - but OS mode only sees an encrypted version, and if it tries to modify the values, the hypervisor will know the next time it decrypts. (Many details to deal with, but they actually have it all working. The guest OS is unmodified. You can even have individual processes within the guest OS that run in encrypted mode while others don't.)
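
Added example, not part of the original post: a toy Python model of the page-cloaking scheme described in the last paragraph of the message above, showing the user view, the encrypted OS view, and tamper detection on the next decrypt. The names CloakedPage, trap and mode_switch are hypothetical, and the SHA-256 counter keystream with HMAC is an assumed stand-in for a real authenticated cipher.

```python
# Toy model of hypervisor page cloaking. All names are hypothetical; the
# keystream-plus-HMAC construction is a stand-in for a real AEAD mode.
import hashlib, hmac, os

class TamperError(Exception):
    pass

class CloakedPage:
    def __init__(self, plaintext: bytes):
        self._enc_key = os.urandom(32)   # both keys live only in the hypervisor
        self._mac_key = os.urandom(32)
        self._version = 0                # bumped per encryption: fresh keystream
        self._tag = b""
        self.frame = bytearray(plaintext)  # bytes physically in guest memory
        self.view = "user"               # which view the frame currently holds
        self.mapped = False              # unmapped: the next access traps

    def _xor_keystream(self):
        ver, out, ctr = self._version.to_bytes(8, "big"), b"", 0
        while len(out) < len(self.frame):
            out += hashlib.sha256(self._enc_key + ver + ctr.to_bytes(8, "big")).digest()
            ctr += 1
        self.frame = bytearray(a ^ b for a, b in zip(self.frame, out))

    def _mac(self) -> bytes:
        msg = self._version.to_bytes(8, "big") + bytes(self.frame)
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def trap(self, mode: str) -> bytearray:
        """Fault on an unmapped page: convert the frame to the requester's view."""
        if mode == "kernel" and self.view == "user":
            self._version += 1
            self._xor_keystream()        # encrypt...
            self._tag = self._mac()      # ...then MAC the ciphertext
            self.view = "kernel"
        elif mode == "user" and self.view == "kernel":
            if not hmac.compare_digest(self._tag, self._mac()):
                raise TamperError("guest OS modified a cloaked page")
            self._xor_keystream()        # same version, so XOR decrypts
            self.view = "user"
        self.mapped = True
        return self.frame                # the bytes the requester can now touch

    def mode_switch(self):
        """User/OS transition: the page becomes inaccessible again."""
        self.mapped = False
```

The guest OS can still copy or page out the frame it sees, since the ciphertext and its MAC survive that unchanged; only a modification is caught, and only at the next user-mode trap.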