Fabian Schwarz

Fabian Schwarz

Dr.-Ing., Cybersecurity researcher with focus on TEE-based system and network security architectures

00SEVen: Remote Inspection of TEE VMs using In-VM Agents

Published:

Many hypervisors offer support for VM Introspection (VMI) capabilities to monitor VMs for a compromise and enable post-mortem analysis. Typical VMI features include access to the memory and registers of a VM, on demand execution pausing, and memory access traps.


However, considering that cloud platforms can be prone to insider attackers or vulnerabilities in the host software (e.g., cloud OS or hypervisor), cloud-level attackers can abuse VMI to attack customer VMs and manipulate or steal their sensitive data. Therefore, CPU vendors came up with TEE VMs (also: TVMs, confidential VMs), i.e., hardware-protected VMs forming trusted execution environments (TEEs). TVMs are isolated from the software and peripherals of the cloud platform, including tenants VMs. Technologies such as AMD SEV, Intel TDX, and Arm CCA implement TVMs and thus enable sensitive customers to protect their offloaded services and data against a compromised cloud platform. However, the strong isolation of TEE VMs also renders benign attempts to monitor TVMs for in-VM attackers unfeasible. Out-of-VM accesses are blocked while in-VM agents are not isolated from attackers that have compromised the TVM.



Therefore, we provide 00SEVen which fills this gap by enabling secure remote VMI of TEE VMs using protected in-VM agents. 00SEVen uses hardware-based in-VM security domains to isolate the in-VM agents and their VMI operations from compromised TVM software, including the TVM OS. The in-VM agent securely exposes VMI primitives to the remote TVM owner for monitoring the TVM for attacks---without leaking any information to in-VM or out-of-VM attackers (incl. cloud software). The TVM owner can use remote attestation to verify the protection and authenticity of in-VM agents before starting a secure analysis session. 00SEVen extends the hypervisor and re-designs existing VMI techniques to securely enable: memory and register access, pausing of the TVM, trapping of memory accesses and kernel functions of the TVM OS, and an attested remote channel to the TVM owner. With 00SEVen, sensitive customer can benefit from both: the strong hardware-based protection of TEE VMs, and the flexible analysis capabilities of VMI.

We have implemented and evaluated a prototype of 00SEVen for AMD SEV-SNP TVMs and the QEMU/KVM hypervisor of Linux based on SEV-SNP's hardware-based VM Privilege Levels (VMPLs). The remote analysis client is based on a custom backend for the LibVMI library.

For more information on 00SEVen, please check out the corresponding research paper that has been published at the USENIX Security conference 2024.