Security is a key factor in the adoption and success of embedded systems in a world where professional hackers and APTs are an everyday reality. Threats range from attacks on exposed interfaces to the undocumented or aggressive behavior of peripheral equipment (e.g. PCI or USB devices). After an initial compromise, an intruder can go further, for example by exploiting operating system vulnerabilities and threatening critical processes. Despite the vulnerabilities and large attack surface of general-purpose systems, vendors still prefer popular platforms because of the wide availability of software for them.
Virtualization technology presents an opportunity to harden system security, while retaining the ability to reuse an existing code base.
Kaspersky Secure Hypervisor (KSH) is a Type 2 hypervisor that runs on the KasperskyOS microkernel. The main benefit of a virtualization solution is the separation of potentially untrusted guest operating systems from each other and from critical services located on the same physical machine, which reduces the attack surface and limits the impact of an exploited vulnerability. The hypervisor is protected from guest OS actions, so that malicious activity in a guest system cannot damage the critical services or the hypervisor itself. An additional benefit of KSH is that consolidating several systems onto one machine reduces hardware maintenance costs.
Kaspersky Secure Hypervisor consists of two kinds of software component: one running in privileged kernel mode and the others running in user mode. The privileged kernel component is responsible for managing resources (e.g. memory, CPU) and providing access to I/O devices. The user-mode components of Kaspersky Secure Hypervisor are the ordinary host user-mode device drivers and a special driver for guests that provides communication channels between domains, or between a domain and the hypervisor itself.
Kaspersky Secure Hypervisor uses the CPU's hardware virtualization support to create virtual environments (domains) that share a common CPU and memory. If the platform also provides hardware I/O virtualization support (an IOMMU), PCI devices (such as a video adapter, network adapter, hard disk controller or USB controller) can be passed through to a guest OS. Passthrough gives near-native performance for these devices, but a passed-through device belongs to one domain and cannot be shared.
Where a device must be shared, a user-space device emulation technique is used instead. The idea is to run a KasperskyOS user-space driver with direct access to the device that needs to be shared. The driver implements device emulation: it presents each guest OS with an interface through which the device can be accessed, without the guest knowing that the device is virtual. One security benefit of device emulation is that the hypervisor sees every transaction between a guest OS and the device (e.g. a network card or SATA controller) and can apply additional security measures (e.g. traffic filtering or encryption) that the guest OS cannot bypass. Device emulation is also the fallback when hardware virtualization features are not available.
Kaspersky Secure Hypervisor builds on KasperskyOS features to run multiple guest operating systems and native KasperskyOS applications side by side on one machine. Isolation between domains is guaranteed by the kernel component of KSH. All communication between domains, and between a domain and the kernel, is mediated by Kaspersky Security System (KSS) according to a predefined security policy. Even if an attacker achieves a virtual machine escape, further actions are limited by that security policy.
When used with KasperskyOS as the host OS, Kaspersky Secure Hypervisor benefits from the KasperskyOS microkernel design, which provides a small, verifiable trusted computing base. The TCB is the set of all components (hardware, firmware and software) critical to the overall security of a solution; a small TCB makes exhaustive testing and verification feasible. All device drivers run in host user mode, which further reduces the risk of the hypervisor being damaged or hijacked by a driver flaw.
Kaspersky Secure Hypervisor limits the resources (such as memory or physical device access) available to each guest system, protecting the whole environment from resource exhaustion attacks originating in a guest OS. Potentially dangerous external devices can be restricted so that faulty or malicious hardware is unable to access the memory of guest operating systems or of the hypervisor.
Kaspersky Security System is based on an attribute-based model and supports a wide range of policies (e.g. object capabilities, flow control, Type Enforcement and multilevel security). Its flexible, extensible nature makes it possible to develop custom, domain-specific policies for a given application area.
Kaspersky Secure Hypervisor is a proprietary solution fully supported by Kaspersky. The development process is based on best practices with systematic testing and verification.
Kaspersky Secure Hypervisor includes features to guarantee the integrity of the hypervisor and guest OSs.
Kaspersky Secure Hypervisor can protect a guest OS's sensitive data from modification or unauthorized access through a memory protection mechanism. Protection is achieved by setting appropriate permissions on guest physical pages. In a typical scenario, a guest OS calls Kaspersky Secure Hypervisor to protect its sensitive data before running an untrusted application. Examples of data that can be protected in this way are guest OS kernel code, guest security services and configuration data.
In this architecture, certificate storage and encryption services are kept in a separate trusted domain. Guest OS applications run in another domain and reach the encryption services only through Kaspersky Secure Hypervisor communication channels. With proper authentication, the trusted components can grant additional privileged permissions to guest OS applications (e.g. access to administrative services). Even if guest OS applications have been compromised, they cannot obtain the keys or escalate their privileges, because the security policy is enforced on every channel and domain separation is guaranteed by the hypervisor.
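The following toy model illustrates the mediation described above and the policy enforcement mentioned earlier. It is an added example, not Kaspersky code, and does not use any KSH or KSS API: the domain names, operations, the Type Enforcement-style policy table and the HMAC-based "encryption service" are all assumptions chosen for illustration. The point it makes is that the decision lives in the mediator, not in the service or the caller, and that a compromised guest cannot relabel its own requests.

```python
"""
Added example, not Kaspersky code: a toy model of policy-mediated
communication between an untrusted guest domain and a trusted crypto domain.
Domain names, operations and the policy table are assumptions for illustration.
"""
import hashlib
import hmac

# Type Enforcement-style rules: (source domain, destination domain, operation).
# Anything not listed is denied, and the guest has no way to extend this table.
POLICY = frozenset({
    ("guest_app", "crypto_service", "sign"),
    ("guest_app", "crypto_service", "verify"),
    ("admin_console", "crypto_service", "rotate_key"),
    ("admin_console", "crypto_service", "export_key"),
})


class PolicyViolation(Exception):
    """Raised by the mediator when a cross-domain request is not allowed."""


class CryptoService:
    """Trusted domain holding the key. 'sign' and 'verify' never return key material."""

    def __init__(self, key: bytes):
        self._key = key

    def handle(self, op: str, payload):
        if op == "sign":
            return hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if op == "verify":
            msg, tag = payload
            expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
            return hmac.compare_digest(expected, tag)
        if op == "rotate_key":
            self._key = payload
            return True
        if op == "export_key":
            # The service itself does not decide who may call this; the policy does.
            return self._key
        raise ValueError(f"unknown operation {op!r}")


class Mediator:
    """Models the security system: every cross-domain request is checked here
    before the destination service sees it, and every decision is audited."""

    def __init__(self, policy, services):
        self._policy = policy
        self._services = services
        self.audit = []  # (src, dst, op, decision)

    def request(self, src: str, dst: str, op: str, payload):
        allowed = (src, dst, op) in self._policy
        self.audit.append((src, dst, op, "allow" if allowed else "deny"))
        if not allowed:
            raise PolicyViolation(f"{src} -> {dst}:{op} denied by policy")
        return self._services[dst].handle(op, payload)


class DomainHandle:
    """What a domain actually holds: a channel whose source label was fixed by
    the kernel when the channel was created. A compromised guest cannot relabel itself."""

    def __init__(self, mediator: Mediator, name: str):
        self._mediator = mediator
        self._name = name

    def call(self, dst: str, op: str, payload=None):
        return self._mediator.request(self._name, dst, op, payload)


def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Run the scenario and return the outcomes so they can be checked."""
    mediator = Mediator(POLICY, {"crypto_service": CryptoService(key)})
    guest = DomainHandle(mediator, "guest_app")
    admin = DomainHandle(mediator, "admin_console")

    # Legitimate use: the guest gets a signature, never the key.
    tag = guest.call("crypto_service", "sign", b"order#42")
    verified = guest.call("crypto_service", "verify", (b"order#42", tag))

    # The guest application is now compromised and tries to pull the key out.
    try:
        guest.call("crypto_service", "export_key")
        guest_exported = True
    except PolicyViolation:
        guest_exported = False

    # The same operation from the administrative domain is permitted by policy.
    admin_got_key = admin.call("crypto_service", "export_key") == key

    return {"tag": tag, "verified": verified, "guest_exported_key": guest_exported,
            "admin_got_key": admin_got_key, "audit": mediator.audit}
```

Note that nothing in `CryptoService` distinguishes callers; if a guest could call it directly, `export_key` would succeed. The separation holds only because the guest's sole path to the service is a channel whose source label it does not control and which the mediator checks against a policy the guest cannot edit.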
In this architecture, all network communication between guest OS applications and the outside world is filtered transparently, i.e. with no modification to the guest OS applications and without their being aware of the filtering. If needed, traffic inspection can be added in the same place, out of reach of any attack mounted from within the guest. Even if guest OS applications have been compromised, they cannot bypass the filtering and send data to a remote party.
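To make the device emulation interception described earlier and the transparent filtering described here concrete, the following added example (not Kaspersky code, and not using any KSH driver API) models an emulated NIC in a host user-space driver. The guest sees only `tx()`; the driver parses each outgoing frame and forwards only flows on an allow-list. The frames, addresses and allow-list are constructed for the example.

```python
"""
Added example, not Kaspersky code: a toy emulated NIC in a host user-space
driver that filters guest traffic transparently. Frames, addresses and the
allow-list below are constructed for the example.
"""
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def build_ipv4_frame(dst_ip: str, proto: int, dst_port: int, payload: bytes = b"") -> bytes:
    """Construct an Ethernet/IPv4 frame with a minimal TCP or UDP header (sample data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == PROTO_TCP else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton("10.0.0.2"), socket.inet_aton(dst_ip))
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    return eth + ip + l4 + payload


def parse_frame(frame: bytes):
    """Return (dst_ip, proto, dst_port) for an IPv4 TCP/UDP frame, or None for anything
    else. Truncated or malformed frames deliberately fall into the 'anything else' case."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl = frame[ETH_HDR_LEN]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < ETH_HDR_LEN + ihl + 4:
        return None
    proto = frame[ETH_HDR_LEN + 9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    dst_ip = socket.inet_ntoa(frame[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20])
    dst_port = struct.unpack_from("!H", frame, ETH_HDR_LEN + ihl + 2)[0]
    return (dst_ip, proto, dst_port)


class EmulatedNic:
    """The only network device the guest can see. The guest hands frames to tx();
    the host driver, not the guest, decides which of them reach the physical NIC."""

    def __init__(self, allowed_flows):
        self._allowed = frozenset(allowed_flows)  # (dst_ip, proto, dst_port); default deny
        self.wire = []      # frames forwarded to the real device
        self.dropped = []   # (frame, reason) kept for the audit trail

    def tx(self, frame: bytes) -> bool:
        flow = parse_frame(frame)
        if flow is None:
            self.dropped.append((frame, "unparseable or non-IPv4 frame"))
            return False
        if flow not in self._allowed:
            self.dropped.append((frame, f"flow {flow} not in allow-list"))
            return False
        self.wire.append(frame)
        return True


def demo() -> dict:
    """Drive the emulated NIC with a compromised guest's traffic and report the outcome."""
    nic = EmulatedNic({("192.0.2.10", PROTO_TCP, 443), ("192.0.2.53", PROTO_UDP, 53)})
    results = {
        "https_to_allowed_host": nic.tx(build_ipv4_frame("192.0.2.10", PROTO_TCP, 443)),
        "dns_to_allowed_resolver": nic.tx(build_ipv4_frame("192.0.2.53", PROTO_UDP, 53, b"query")),
        # Exfiltration attempts from a compromised guest application:
        "https_to_attacker": nic.tx(build_ipv4_frame("198.51.100.7", PROTO_TCP, 443)),
        "dns_to_attacker_resolver": nic.tx(build_ipv4_frame("198.51.100.7", PROTO_UDP, 53)),
        "raw_garbage": nic.tx(b"\xff" * 40),
    }
    results["forwarded"] = len(nic.wire)
    results["dropped"] = len(nic.dropped)
    return results
```

Two design choices matter here. First, the filter is default-deny and treats anything it cannot parse as not allowed, so a guest cannot slip past it with a malformed or non-IPv4 frame. Second, the guest's driver stack is untouched: from inside the domain this looks like an ordinary NIC that occasionally loses packets, which is exactly the transparency the paragraph describes.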
A hypervisor solution can create separate domains or profiles for (1) corporate data and critical applications (e.g. broadband software stack, VPN, security services, storage for certificates and payment card data) and (2) personal data. This approach keeps confidential business data and communications separate from private information.
US 7386885 B1, US 7730535 B1, US 8370918 B1, EP 2575318 A1, US 8522008 B2, US 20130333018 A1, US 8381282 B1, EP 2575317 A1, US 8370922 B1, EP 2575319 A1, US 9015797 B1, DE 202014104595 U1.