hyde

Hypervisor Dissociative Execution (HyDE) SDK and example programs

https://github.com/andrewfasano/hyde


Repository

Basic Info
  • Host: GitHub
  • Owner: AndrewFasano
  • License: mit
  • Language: C++
  • Default Branch: main
  • Homepage:
  • Size: 650 KB
Statistics
  • Stars: 1
  • Watchers: 5
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created about 4 years ago · Last pushed about 1 year ago

README.md

Hypervisor Dissociative Execution (HyDE)

License: MIT · Project Status: Active

HyDE (Hypervisor Dissociative Execution) is an innovative, modified virtualization environment that empowers the host system to inject system calls into a guest virtual machine, enabling advanced control and monitoring of guest behavior. This repository contains the HyDE software development kit (SDK), examples, and documentation.

Abstract

To understand the HyDE system, we recommend reading our full paper, the abstract of which is below:

Both cloud providers and users wish to manage, monitor, and secure virtualized guest systems. Traditionally, this has been accomplished with custom agent programs that run inside a guest or complex virtual machine introspection (VMI) systems that operate outside a guest. Agents are limited by the need to install and maintain them in each guest, while VMI systems are limited by the need to understand guest kernel internals. We introduce Hypervisor Dissociative Execution, or HyDE, a new approach that operates between these extremes to avoid their limitations and provide a robust and flexible mechanism to examine and modify a guest from the outside. In the HyDE model, developers assemble programs that mix out-of-guest logic with in-guest system calls. These programs are launched from outside a guest, where they are able to co-opt the execution of guest processes. We present a prototype HyDE implementation paired with 10 HyDE programs that address a wide range of user needs, from password resets and guest process enumeration to dynamically generating a software bill of materials. We evaluate the utility, robustness, and performance of HyDE by executing these example programs while concurrently running standard benchmarks within multiple guest systems. Our results show that HyDE maintains system stability and incurs negligible overhead for one-off analyses or modifications. In persistent operation, HyDE incurs overhead as low as 7% in a multi-node cloud application benchmark.

Key Features

  • Inject system calls into guest VMs from the host system
  • Flexible guest monitoring and control without in-guest agents
  • Minimal performance overhead
  • Wide range of applications from password resets to software bill of materials generation

HyDE Repositories

  • HyDE Core: HyDE SDK, examples, and documentation (this repo).
  • HyDE KVM: Customized Linux KVM logic for HyDE.
  • HyDE QEMU: Customized QEMU for HyDE.

Getting Started

Prerequisites

  • Linux environment
  • clang-15++
  • Git

Installation

  1. Clone this repository:
       git clone https://github.com/AndrewFasano/hyde-capabilities.git
       cd hyde-capabilities
  2. Set up dependencies:
    • Build and install a Linux kernel with support for HyDE's KVM (follow instructions in the HyDE KVM repo).
    • Build and install the HyDE QEMU fork (follow instructions in the HyDE QEMU repo).
    • Build one or more HyDE programs (instructions below).
    • Run an emulated guest and load a HyDE program (instructions below).

Building HyDE Programs

After cloning this repo, simply run make to build the programs in hyde_programs into .so shared objects. The build requires clang-15++ and a clone of the hyde-qemu repo in the parent directory of this repo. The generated shared objects are written to the hyde_programs directory.

Running a HyDE Program

To run a HyDE program, you can either:

  1. Launch QEMU with the -hyde-enable argument:
       qemu-system-x86_64 -enable-kvm your_image.qcow2 -m 8G -smp 8,sockets=2,cores=4 -hyde-enable /path/to/your/hyde/program.so

  2. Load a HyDE program from the QEMU monitor after guest startup:

    • Launch QEMU without the -hyde-enable argument
    • Press control-a then c to access the (QEMU) prompt
    • Type: hyde_enable /path/to/your/hyde/program.so

Contributing

We welcome contributions to HyDE! We would be excited by additional HyDE programs, bug fixes, and other improvements. Please open an issue or pull request in this repository to contribute.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Citation

To cite our work, please use the following BibTeX entry:

  @inproceedings{fasano2024hypervisor,
    title={Hypervisor Dissociative Execution: Programming Guests for Monitoring, Management, and Security},
    author={Fasano, Andrew and Estrada, Zak and Leek, Tim and Robertson, William},
    booktitle={Proceedings of the Annual Computer Security Applications Conference},
    series={ACSAC '24},
    year={2024},
    month={Dec},
    address={Waikiki, Hawaii, USA},
    publisher={Association for Computing Machinery},
    location={Waikiki, Hawaii, USA},
    dates={9-13}
  }

Support

For questions, issues, or feature requests, please open an issue in this repository!

Owner

  • Name: Andrew Fasano
  • Login: AndrewFasano
  • Kind: user

Citation (CITATION.cff)

cff-version: 1.2.0
title: "Hypervisor Dissociative Execution: Programming Guests for Monitoring, Management, and Security"
authors:
  - family-names: "Fasano"
    given-names: "Andrew"
  - family-names: "Estrada"
    given-names: "Zak"
  - family-names: "Leek"
    given-names: "Tim"
  - family-names: "Robertson"
    given-names: "William"
date-released: "2024-12-09"
abstract: "Both cloud providers and users wish to manage, monitor, and secure virtualized guest systems. This is typically accomplished with custom agent programs that run inside a guest or complex virtual machine introspection (VMI) systems that operate outside a guest. Agents are limited by the need to install and maintain them in each guest, while VMI systems are limited by the need to understand guest kernel internals. We introduce Hypervisor Dissociative Execution, or HyDE, a new approach that operates between these extremes to avoid their limitations and provide a robust and flexible mechanism to examine and modify a guest from the outside. In the HyDE model, developers assemble programs that mix out-of-guest logic with in-guest system calls. These programs are launched from outside a guest where they are able to co-opt the execution of guest processes. We present an open-source prototype HyDE implementation paired with 10 HyDE programs that address a wide range of user needs from password resets and guest process enumeration to dynamically generating a software bill of materials. We evaluate the utility, robustness, and performance of HyDE by executing the example programs while concurrently running standard benchmarks within multiple guest systems. Our results show that HyDE maintains system stability and incurs negligible overhead for one-off analyses or modifications. In persistent operation, HyDE incurs overhead as low as 7% in a multi-node cloud application benchmark."

preferred-citation:
  type: article
  title: "Hypervisor Dissociative Execution: Programming Guests for Monitoring, Management, and Security"
  authors:
  - family-names: "Fasano"
    given-names: "Andrew"
  - family-names: "Estrada"
    given-names: "Zak"
  - family-names: "Leek"
    given-names: "Tim"
  - family-names: "Robertson"
    given-names: "William"
  year: '2024'
  publisher:
    name: Association for Computing Machinery
  journal: "Annual Computer Security Applications Conference (ACSAC)"
keywords: ["hypervisor", "guest monitoring", "security", "virtualization"]
license: "MIT"
publisher: ""
