Towards Thwarting Unauthorized Network Accesses with a Feather-Weight Hypervisor

In the cloud computing environment, most of applications rely on the network access to achieve their functionalities. Untrusted or vulnerable cloud applications will incur unauthorized network accesses which may bring on the user information leakage or other threats. In this paper, we propose a novel feather-weight hardware-assisted hypervisor, namely NFVisor (Network Filter Hypervisor), to thwart such unauthorized network accesses. Compared to previous host-based approaches, NFVisor offers two distinct advantages: preinstalled commodity OS compatibility and non-by passable manipulation of network accesses. Unlike typical hypervisors, deploying NFVisor does not require OS reinstallation. By intercepting the low-level interactions between the OS and the hardware, NFVisor can manipulate the network accesses at the hypervisor layer instead of the OS layer, which is subvertable for the privileged malware. Our functionality evaluation shows NFVisor can impede unauthorized network connections effectively while the performance evaluation shows desktop-oriented workloads achieve 94.12% of native speed on average.