Protecting Encrypted Virtual Machines from Nested Page Fault Controlled Channel

AMD Secure Encrypted Virtualization (SEV) assumes the hypervisor (HV) is untrusted and introduces hardware memory encryption support for virtual machines (VMs). Previous studies have proposed various attacks against encrypted VMs by exploiting SEV security flaws such as unencrypted VMCB and lack of memory integrity. Most of these flaws have been solved by the subsequent releases of SEV with Encrypted State (SEV-ES) and SEV with Secure Nested Paging (SEV-SNP). However, the latest SEV-SNP cannot stop the malicious HV tampering with critical flags in the nested page table (NPT). So SEV-SNP is still vulnerable to the nested page fault (NPF) controlled channel attack, which is a commonly shared step of most attacks against SEV. Existing works on SEV also cannot defend against NPF controlled channel. In this paper, we first analyze the root cause of NPF controlled channel. Then we propose a software-based approach to protect encrypted VMs from NPF controlled channel. We introduce a virtualization security module (VSM) as a software TCB to deprivilege the HV by modifing the HV to access critical resources indirectly through interfaces managed by VSM. To prevent the untrusted HV from compromising the VSM-based protection, we extend the nested kernel architecture to the virtualization layer to provide isolation for VSM at the same privilege level. A prototype of this approach is implemented based on KVM. The experiments show that the approach can protect encrypted VMs from NPF controlled channel with 1.21% average runtime overhead and 1.47% average I/O overhead.