DOI: 10.1145/1346256.1346278
research-article

Improving Xen security through disaggregation

Published: 05 March 2008

ABSTRACT

Virtual machine monitors (VMMs) have been hailed as the basis for an increasing number of reliable or trusted computing systems. The Xen VMM is a relatively small piece of software -- a hypervisor -- that runs at a lower level than a conventional operating system in order to provide isolation between virtual machines: its size is offered as an argument for its trustworthiness. However, the management of a Xen-based system requires a privileged, full-blown operating system to be included in the trusted computing base (TCB).

In this paper, we introduce our work to disaggregate the management virtual machine in a Xen-based system. We begin by analysing the Xen architecture and explaining why the status quo results in a large TCB. We then describe our implementation, which moves the domain builder, the most important privileged component, into a minimal trusted compartment. We illustrate how this approach may be used to implement "trusted virtualisation" and improve the security of virtual TPM implementations. Finally, we evaluate our approach in terms of the reduction in TCB size, and by performing a security analysis of the disaggregated system.

      Published in

        VEE '08: Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
        March 2008
        190 pages
        ISBN: 9781595937964
        DOI: 10.1145/1346256

        Copyright © 2008 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Acceptance Rates

        VEE '08 Paper Acceptance Rate: 18 of 57 submissions, 32%. Overall Acceptance Rate: 80 of 235 submissions, 34%.
