FortifyPatch: Towards Tamper-Resistant Live Patching in Linux-Based Hypervisor
Linux-based hypervisors in cloud servers suffer from an increasing number of vulnerabilities in the Linux kernel. To address these vulnerabilities in a timely manner while avoiding the economic loss caused by unplanned shutdowns, live patching schemes have been developed. Unfortunately, existing live patching solutions fail to protect patches from post-deployment attacks. In addition, patches that involve changes to global variables lead to practical issues with existing solutions. To address these problems, we present FortifyPatch, a tamper-resistant live patching solution for Linux-based hypervisors in cloud environments. Specifically, FortifyPatch employs multiple Granule Protection Tables from the Arm Confidential Computing Architecture to protect the integrity of deployed patches. The TrustZone Address Space Controller and the Performance Monitor Unit are used to prevent the patch from being bypassed, via kernel code protection and timely page table verification. FortifyPatch is also able to patch global variables via well-designed data access traps. We prototype FortifyPatch and evaluate it using real-world CVE patches. The result shows that FortifyPatch is capable of deploying 81.5% of CVE patches. The performance evaluation indicates that FortifyPatch protects deployed patches with 0.98% and 3.1% overhead on average across indicative benchmarks and real-world applications, respectively.
Thu 19 Sep (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
15:30 - 17:10 | Vulnerabilities and Malware (Technical Papers) at EI 10 Fritz Paschke. Chair(s): Wei You (Renmin University of China)

15:30 (20m, Talk) | Silent Taint-Style Vulnerability Fixes Identification (Technical Papers). Zhongzhen Wen (Nanjing University), Jiayuan Zhou (Huawei), Minxue Pan (Nanjing University), Shaohua Wang (Central University of Finance and Economics), Xing Hu (Zhejiang University), Tongtong Xu (Huawei), Tian Zhang (Nanjing University), Xuandong Li (Nanjing University)

15:50 (20m, Talk) | FortifyPatch: Towards Tamper-Resistant Live Patching in Linux-Based Hypervisor (Technical Papers). Zhenyu Ye (Hunan University), Lei Zhou (National University of Defense Technology), Fengwei Zhang (Southern University of Science and Technology), Wenqiang Jin (Hunan University), Zhenyu Ning (Hunan University; Xinchuang Haihe Laboratory), Yupeng Hu (Hunan University), Zheng Qin (Hunan University)

16:10 (20m, Talk) | Maltracker: A Fine-Grained NPM Malware Tracker Copiloted by LLM-Enhanced Dataset (Technical Papers). Zeliang Yu (Huazhong University of Science and Technology), Ming Wen (Huazhong University of Science and Technology), Xiaochen Guo (Huazhong University of Science and Technology), Hai Jin (Huazhong University of Science and Technology)

16:30 (20m, Talk) | PatchFinder: A Two-Phase Approach to Security Patch Tracing for Disclosed Vulnerabilities in Open-Source Software (Technical Papers). Kaixuan Li (East China Normal University; Nanyang Technological University), Jian Zhang (Nanyang Technological University), Sen Chen (Tianjin University), Han Liu (East China Normal University), Yang Liu (Nanyang Technological University), Yixiang Chen (East China Normal University). Pre-print available.

16:50 (20m, Talk) | An Empirical Study of Static Analysis Tools for Secure Code Review (Technical Papers). Wachiraphan (Ping) Charoenwet (University of Melbourne), Patanamon Thongtanunam (University of Melbourne), Thuan Pham (University of Melbourne), Christoph Treude (Singapore Management University)