ABSTRACT
Virtual machine monitors (VMMs) have been hailed as the basis for an increasing number of reliable or trusted computing systems. The Xen VMM is a relatively small piece of software -- a hypervisor -- that runs at a lower level than a conventional operating system in order to provide isolation between virtual machines: its size is offered as an argument for its trustworthiness. However, the management of a Xen-based system requires a privileged, full-blown operating system to be included in the trusted computing base (TCB).
In this paper, we introduce our work to disaggregate the management virtual machine in a Xen-based system. We begin by analysing the Xen architecture and explaining why the status quo results in a large TCB. We then describe our implementation, which moves the domain builder, the most important privileged component, into a minimal trusted compartment. We illustrate how this approach may be used to implement "trusted virtualisation" and improve the security of virtual TPM implementations. Finally, we evaluate our approach in terms of the reduction in TCB size, and by performing a security analysis of the disaggregated system.
- Improving Xen security through disaggregation