What are the checklist items when secure auditing hypercalls?
a. What are the hypercall instructions, and their input/output registers and side effects?
b. What are the privileges available when executing the hypercalls?
c. Are there any opportunities for transiting to other privilege level during runtime? If there is then under what conditions and requirements?
d. How to check through all the software boundary between the two different privilege level – and ensuring that reasonable checks are done before passing information from one side to another?
e. Any dependencies/races conditions on usage at runtime between different/same instructions by multiple CPU cores?
https://xenbits.xen.org/docs/4.8-testing/misc/pvh.html https://www.researchgate.net/post/Problem_with_hypercall_KVM_Xen
https://xenbits.xen.org/docs/4.8-testing/misc/pvh.html
https://reviews.freebsd.org/D8100?id=20886
http://wwwi10.lrr.in.tum.de/~weidendo/lehre/VT-WS15/lab3-loesung.pdf
Project Zero: Pandavirtualization: Exploiting the Xen hypervisor
https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html
Below are security strengthening of KVM as done by Google:
https://www.linux-kvm.org/images/f/f6/01×02-KVMHardening.pdf
https://www.theregister.co.uk/2017/01/30/google_cloud_kicked_qemu_to_the_kerb_to_harden_kvm/
Security checklist in general for Google:
https://cloud.google.com/security/infrastructure/design/
KVM in general: https://lwn.net/Articles/619376/