ABSTRACT
Virtual machine monitors (VMMs), including hypervisors, are a popular platform for implementing various security functionalities. However, traditional VMMs require numerous components for providing virtual hardware devices and for sharing and protecting system resources among virtual machines (VMs), enlarging the code size of and reducing the reliability of the VMMs.
This paper introduces a hypervisor architecture, called parapass-through, designed to minimize the code size of hypervisors by allowing most of the I/O access from the guest operating system (OS) to pass through the hypervisor, while the minimum access necessary to implement security functionalities is completely mediated by the hypervisor. This architecture uses the device drivers of the guest OS to handle devices, thereby reducing the size of the hypervisor components that provide virtual devices. It also allows only a single VM to run on the hypervisor, eliminating the components for sharing and protecting system resources among VMs.
We implemented a hypervisor called BitVisor and a parapass-through driver for enforcing storage encryption of ATA devices based on the parapass-through architecture. The experimental results show that the hypervisor and the ATA driver require approximately 20 kilo lines of code (KLOC) and 1.4 KLOC, respectively.
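The following is an added illustration of the parapass-through idea described above; it is a constructed model, not code from BitVisor or the paper. It simulates a guest driving a simplified ATA register block (24-bit LBA only, one data-port access per sector, constructed port layout and register names), a hypervisor whose default action is to forward a guest port access unchanged, and a storage-encryption driver registered for the minimal set of ports it needs: the LBA registers (observed, then forwarded) and the data port (payload transformed). The cipher is an HMAC-SHA256 counter-mode keystream chosen only so the example runs on the standard library; it stands in for a real sector cipher and is not what the paper's driver uses.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

SECTOR_SIZE = 512

# Simplified ATA primary-channel ports (constructed model).
PORT_DATA = 0x1F0
PORT_SECTOR_COUNT = 0x1F2
PORT_LBA_LOW, PORT_LBA_MID, PORT_LBA_HIGH = 0x1F3, 0x1F4, 0x1F5
PORT_DRIVE_HEAD = 0x1F6
PORT_COMMAND = 0x1F7          # command on OUT, status on IN
CMD_READ, CMD_WRITE = 0x20, 0x30
LBA_PORTS = (PORT_LBA_LOW, PORT_LBA_MID, PORT_LBA_HIGH)


def lba_from(regs: Dict[int, int]) -> int:
    return regs.get(PORT_LBA_LOW, 0) | regs.get(PORT_LBA_MID, 0) << 8 | regs.get(PORT_LBA_HIGH, 0) << 16


class FakeAtaDevice:
    """Toy disk: a register file plus a sector store. A single data-port access
    moves a whole sector (real PIO moves 16-bit words; simplified here)."""
    def __init__(self) -> None:
        self.regs: Dict[int, int] = {}
        self.sectors: Dict[int, bytes] = {}

    def out(self, port: int, value) -> None:
        if port == PORT_DATA:
            self.sectors[lba_from(self.regs)] = bytes(value)
        else:
            self.regs[port] = value  # includes the command register

    def inp(self, port: int):
        if port == PORT_DATA:
            return self.sectors.get(lba_from(self.regs), bytes(SECTOR_SIZE))
        if port == PORT_COMMAND:
            return 0x40  # DRDY: the toy device is never busy
        return self.regs.get(port, 0)


class ParapassThroughHypervisor:
    """Default: forward the guest access to the device untouched. Only ports a
    driver registered for are handled (completely mediated) by that driver."""
    def __init__(self, device: FakeAtaDevice) -> None:
        self.device = device
        self.handlers: Dict[int, "AtaEncryptDriver"] = {}
        self.trace: List[Tuple[str, int]] = []   # ("pass"|"mediated", port)

    def register(self, ports, driver) -> None:
        for p in ports:
            self.handlers[p] = driver

    def guest_out(self, port: int, value) -> None:
        drv = self.handlers.get(port)
        self.trace.append(("pass" if drv is None else "mediated", port))
        if drv is None:
            self.device.out(port, value)
        else:
            drv.on_out(port, value, self.device)

    def guest_in(self, port: int):
        drv = self.handlers.get(port)
        self.trace.append(("pass" if drv is None else "mediated", port))
        return self.device.inp(port) if drv is None else drv.on_in(port, self.device)


class AtaEncryptDriver:
    """Parapass-through storage encryption: shadow the LBA registers to learn the
    sector address, transform the data port payload, touch nothing else."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.shadow: Dict[int, int] = {p: 0 for p in LBA_PORTS}

    def ports(self):
        return (PORT_DATA,) + LBA_PORTS

    def _transform(self, data: bytes) -> bytes:
        # Sector-keyed keystream (stand-in cipher, not a real disk cipher); XOR
        # makes encryption and decryption the same operation.
        lba, stream, ctr = lba_from(self.shadow), b"", 0
        while len(stream) < len(data):
            msg = lba.to_bytes(8, "little") + ctr.to_bytes(4, "little")
            stream += hmac.new(self.key, msg, hashlib.sha256).digest()
            ctr += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def on_out(self, port: int, value, device: FakeAtaDevice) -> None:
        if port in self.shadow:
            self.shadow[port] = value          # observe, then forward unchanged
            device.out(port, value)
        else:
            device.out(port, self._transform(bytes(value)))  # encrypt on write

    def on_in(self, port: int, device: FakeAtaDevice):
        if port in self.shadow:
            return device.inp(port)
        return self._transform(device.inp(port))             # decrypt on read


def _issue(hv: ParapassThroughHypervisor, lba: int, cmd: int) -> None:
    hv.guest_out(PORT_SECTOR_COUNT, 1)
    for port, shift in zip(LBA_PORTS, (0, 8, 16)):
        hv.guest_out(port, (lba >> shift) & 0xFF)
    hv.guest_out(PORT_DRIVE_HEAD, 0xE0)
    hv.guest_out(PORT_COMMAND, cmd)
    hv.guest_in(PORT_COMMAND)  # status poll


def guest_write_sector(hv, lba: int, data: bytes) -> None:
    _issue(hv, lba, CMD_WRITE)
    hv.guest_out(PORT_DATA, data)


def guest_read_sector(hv, lba: int) -> bytes:
    _issue(hv, lba, CMD_READ)
    return hv.guest_in(PORT_DATA)


def demo(key: bytes = b"constructed-demo-key") -> dict:
    dev = FakeAtaDevice()
    hv = ParapassThroughHypervisor(dev)
    drv = AtaEncryptDriver(key)
    hv.register(drv.ports(), drv)
    plain = b"guest sees plaintext".ljust(SECTOR_SIZE, b"\x00")
    guest_write_sector(hv, 7, plain)
    back = guest_read_sector(hv, 7)
    return {
        "roundtrip_ok": back == plain,                 # guest is unaware of encryption
        "disk_holds_plaintext": dev.sectors[7] == plain,
        "mediated": sum(1 for k, _ in hv.trace if k == "mediated"),
        "passed": sum(1 for k, _ in hv.trace if k == "pass"),
    }


if __name__ == "__main__":
    print(demo())
```

The trace shows the split the abstract describes: per sector transfer, four accesses (three LBA writes and the data transfer) are handled by the driver and four (sector count, drive/head, command, status) reach the device without the hypervisor interpreting them. Everything the hypervisor does not need for the security function stays out of its code.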
Index Terms
- BitVisor: a thin hypervisor for enforcing i/o device security