Securing the Hypervisor with Control-Flow Integrity

n the cloud, the Hypervisor is usually the first line of defense against attacks from malicious users. But what if the Hypervisor itself is vulnerable to attacks? What can we do to protect the host, and other VMs, against Hypervisor attacks, specifically zero-day exploits, where only generic security countermeasures can be taken? In this seminar, we present our work with the QEMU community to upstream a new security mechanism by leveraging Clang's software implementation of both backward and forward Control-Flow Integrity (CFI) for x86 systems. We show how, and why, this technique can provide an effective protection against zero-day remote execution exploits based on buffer overflows and ROP attacks, sooner and more extensively than current countermeasures such as SELinux, AppArmor, or Seccomp. We will also explain why compiler-driven CFI offers better protection than hardware-based techniques such as Intel's CET. Finally, we will discuss the few incompatibilities we encountered in QEMU's codebase, and the possibility of enabling CFI with QEMU's plugins and modules, which are currently unsupported.