Skip to content
@heki-linux

Hypervisor-Enforced Kernel Integrity (Heki)

Proof-of-concept that implements new KVM features (extended page tracking, MBEC support, CR pinning) and defines a new API to protect guest VMs.

Linux Virtualization Based Security (LVBS)

On common operating systems, one powerful way to bypass security policies is to exploit the kernel. Linux kernel vulnerabilities are common and exploited. Among other things, kernel self-protection mechanisms include control-register pinning and memory page protection restrictions that help harden systems. Unfortunately, none is bullet proof because they are implemented at the same level as the vulnerabilities they try to protect against. To get a more effective defense, we propose to move (or copy) some of these protection mechanisms out of the kernel thanks to virtualization.

Linux Virtualization Based Security (LVBS) is an umbrella term under which we can offer various hypervisor backed kernel protection solutions. This is a common hypervisor agnostic extendable architecture in Linux kernel that can be used by any hypervisor to implement and extend Linux kernel protections. Different hypervisor frameworks (Hyper-V as an example of type-1 hypervisor and KVM as an example of type-2 hypervisor) can plug into the common layer to harden the Linux kernel.

Open Source Summit 2024 talk: Booting a Linux Kernel in a Higher Privilege Level

Linux Security Summit 2024 talk: Linux Virtualization Based Security

Hypervisor-Enforced Kernel Integrity (Heki)

Heki is a proof-of-concept that implements new KVM features (extended page tracking, MBEC support, CR pinning) and defines a new API to protect guest VMs. It is designed to be merged with the mainline project. It is inspired from other private implementations currently in use (e.g. Windows's Virtual Secure Mode), but our approach is tailored to Linux specificities.

RFC v2

Patched Linux source tree

LKML patches

RFC v1

LVBS Hyper-V

The LVBS Hyper-V implementation leverages the existing Hyper-V's VTL mechanism. Our implementation includes the guest kernel changes (VTL0) and the secure kernel (VTL1).

Patched Linux source tree for VTL0 (guest)

Patched Linux source tree for VTL1 (secure kernel)

Pinned Loading

  1. linux linux Public

    Forked from torvalds/linux

    Linux kernel source tree patched with Hypervisor-Enforced Kernel Integrity

    C 10 1

  2. lvbs-linux lvbs-linux Public

    Forked from torvalds/linux

    Linux kernel source tree with changes to support LVBS with Hyper-V

    C 17

Repositories

Showing 3 of 3 repositories

People

This organization has no public members. You must be a member to see who’s a part of this organization.

Top languages

Loading…

Most used topics

Loading…