Breaking up is hard to do: Security and functionality in a commodity hypervisor

SOSP'11 - Proceedings of the 23rd ACM Symposium on Operating Systems Principles

Volumn , Issue , 2011, Pages 189-202

  Colp, Patrick ^a   Nanavati, Mihir ^a   Zhu, Jun ^b   Aiello, William ^a   Coker, George ^c   Deegan, Tim ^b   Loscocco, Peter ^c   Warfield, Andrew ^a  

^a UNIVERSITY OF BRITISH COLUMBIA   (Canada)

^b Citrix Systems Inc   (United States)

^c NATIONAL SECURITY AGENCY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CO-LOCATED; CONFIGURABLE; HYPERVISOR; INDIVIDUAL COMPONENTS; LARGE AGGREGATES; LEAST PRIVILEGE; MICRO KERNEL; MULTI TENANTS; SERVICE COMPONENTS; SMALL SIZE; TRUSTED COMPUTING BASE; VIRTUALIZATIONS; WEB-BASED APPLICATIONS;

RETROFITTING; VIRTUAL REALITY;

CLOUD COMPUTING;

EID: 82655165294     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2043556.2043575     Document Type: Conference Paper

References (47)

1. Department of Defense Trusted Computer System Evaluation Criteria. DoD 5200.28-STD. U.S. Department of Defense, Dec. 1985.
2. D. G. Andersen, J. Franklin, M. Kaminsky, A. Phanishayee, L. Tan, and V. Vasudevan. FAWN: A fast array of wimpy nodes. In Proc. 22nd ACM SOSP, pages 1-14, Oct. 2009.
3. M. Baker and M. Sullivan. The recovery box: Using fast recovery to provide high availability in the UNIX environment. In Proc. USENIX Summer Conference, pages 31-43, June 1992.
4. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In Proc. 19th ACM SOSP, pages 164-177, Oct. 2003.
5. L. A. Barroso and U. Hölzle. The case for energy-proportional computing. IEEE Computer, 40:33-37, December 2007.
6. F. Bellard. QEMU, a fast and portable dynamic translator. In Proc. USENIX ATC, pages 41-46, Apr. 2005.
7. A. Bittau, P. Marchenko, M. Handley, and B. Karp. Wedge: splitting applications into reduced-privilege compartments. In Proc. 5th USENIX NSDI, pages 309-322, Apr. 2008.
8. T. C. Bressoud and F. B. Schneider. Hypervisor-based fault tolerance. In Proc. 15th ACM SOSP, pages 1-11, Dec. 1995.
9. D. Brumley and D. Song. Privtrans: automatically partitioning programs for privilege separation. In Proc. 13th USENIX Security Symposium, pages 57-72, Aug. 2004.
10. G. Candea, S. Kawamoto, Y. Fujiki, G. Friedman, and A. Fox. Microreboot -a technique for cheap recovery. In Proc. 6th USENIX OSDI, pages 31-44, Dec. 2004.
11. X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports. Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In Proc. 13th ASPLOS, pages 2-13, Mar. 2008.
12. Citrix Systems, Inc. Citrix XenServer 5.6 Admininistrator's Guide. June 2010.
13. C. Clark, K. Fraser, S. Hand, J. G. Hansen, E. Jul, C. Limpach, I. Pratt, and A. Warfield. Live migration of virtual machines. In Proc. 2nd USENIX NSDI, pages 273-286, May 2005.
14. P. Colp. [xen-devel] [announce] xen ocaml tools. http://lists.xensource. com/archives/html/xen-devel/2009-02/msg00229.html.
15. B. Cully, G. Lefebvre, D. Meyer, M. Feeley, N. Hutchinson, and A. Warfield. Remus: high availability via asynchronous virtual machine replication. In Proc. 5th USENIX NSDI, pages 161-174, Apr. 2008.
16. A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In Proc. 15th ACM CCS, pages 51-62, Oct. 2008.
17. K. Fraser, S. Hand, R. Neugebauer, I. Pratt, A. Warfield, and M. Williamson. Safe hardware access with the Xen virtual machine monitor. In Proc. 1st OASIS, Oct. 2004.
18. A. Goel, K. Po, K. Farhadi, Z. Li, and E. de Lara. The Taser intrusion recovery system. In Proc. 20th ACM SOSP, pages 163-176, Oct. 2005.
19. D. Gupta, S. Lee, M. Vrable, S. Savage, A. C. Snoeren, G. Varghese, G. M. Voelker, and A. Vahdat. Difference engine: harnessing memory redundancy in virtual machines. In Proc. 8th Usenix OSDI, pages 85-93, Oct. 2008.
20. N. Hardy. The KeyKOS architecture. Operating Systems Review, 19(4):8-25, October 1985.
21. M. Hohmuth, M. Peter, H. Härtig, and J. S. Shapiro. Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors. In Proc. 11th ACM SIGOPS EW, Sept. 2004.
22. K. Kappel, A. Velte, and T. Velte. Microsoft Virtualization with Hyper-V. McGraw-Hill, 1st edition, 2010.
23. E. Keller, J. Szefer, J. Rexford, and R. B. Lee. NoHype: virtualized cloud infrastructure without the virtualization. In Proc. 37th ACM ISCA, pages 350-361, June 2010.
24. D. Kilpatrick. Privman: A library for partitioning applications. In Proc. USENIX ATC, pages 273-284, June 2003.
25. A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori. kvm: the Linux virtual machine monitor. In Proc. Linux Symposium, pages 225-230, July 2007.
26. G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: formal verification of an OS kernel. In Proc. 22nd ACM SOSP, pages 207-220, Oct. 2009.
27. G. Kroah-Hartman. udev: A userspace implementation of devfs. In Proc. Linux Symposium, pages 263-271, July 2003.
28. P. Kutch. PCI-SIG SR-IOV primer: An introduction to SR-IOV technology. Application note 321211-002, Intel Corporation, Jan. 2011.
29. M. Le and Y. Tamir. ReHype: Enabling VM survival across hypervisor failures. In Proc. 7th ACM VEE, pages 63-74, Mar. 2011.
30. L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor support for identifying covertly executing binaries. In Proc. 17th USENIX Security Symposium, pages 243-258, July 2008.
31. P. Loscocco and S. Smalley. Integrating flexible support for security policies into the Linux operating system. In Proc. USENIX ATC, pages 29-42, June 2001.
32. G. Milos, D. G. Murray, S. Hand, and M. A. Fetterman. Satori: Enlightened page sharing. In Proc. USENIX ATC, pages 1-14, June 2009.
33. D. G. Murray, G. Milos, and S. Hand. Improving Xen security through disaggregation. In Proc. 4th ACM VEE, pages 151-160, Mar. 2008.
34. N. Provos, M. Friedl, and P. Honeyman. Preventing privilege escalation. In Proc. 12th USENIX Security Symposium, pages 231-242, Aug. 2003.
35. J. Rutkowska and R. Wojtczuk. Qubes OS Architecture. Version 0.3. Jan. 2010. http://qubes-os.org/.
36. R. Sailer, T. Jaeger, E. Valdez, R. Cáceres, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn. Building a MAC-based security architecture for the Xen open-source hypervisor. In Proc. 21st ACSAC, pages 276-285, Dec. 2005.
37. D. Scott, R. Sharp, T. Gazagnaire, and A. Madhavapeddy. Using functional frogramming within an industrial product group: perspectives and perceptions. In Proc. 15th ICFP, pages 87-92, Sept. 2010.
38. A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In Proc. 21st ACM SOSP, pages 335-350, Oct. 2007.
39. J. S. Shapiro, J. M. Smith, and D. J. Farber. EROS: a fast capability system. In Proc. 17th ACM SOSP, pages 170-185, Dec. 1999.
40. T. Shinagawa, H. Eiraku, K. Tanimoto, K. Omote, S. Hasegawa, T. Horie, M. Hirano, K. Kourai, Y. Oyama, E. Kawai, K. Kono, S. Chiba, Y. Shinjo, and K. Kato. BitVisor: a thin hypervisor for enforcing I/O device security. In Proc. 5th ACM VEE, pages 121-130, Mar. 2009.
41. R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen, and J. Lepreau. The Flask security architecture: System support for diverse security policies. In Proc. 8th USENIX Security Symposium, pages 123-139, Aug. 1999.
42. U. Steinberg and B. Kauer. NOVA: a microhypervisor-based secure virtualization architecture. In Proc. 5th EuroSys, pages 209-222, Apr. 2010.
43. A. S. Tanenbaum, J. N. Herder, and H. Bos. Can we make operating systems reliable and secure? IEEE Computer, 39(5):44-51, May 2006. (Pubitemid 43786510)
44. S. Thibault and T. Deegan. Improving performance by embedding HPC applications in lightweight Xen domains. In Proc. 2nd HPCVIRT, Mar. 2008.
45. D. Tsirogiannis, S. Harizopoulos, and M. A. Shah. Analyzing the energy efficiency of a database server. In Proc. ACM SIGMOD, pages 231-242, June 2010.
46. Z. Wang, X. Jiang, W. Cui, and P. Ning. Countering kernel rootkits with lightweight hook protection. In Proc. 16th ACM CCS, pages 545-554, Nov. 2009.
47. J. Wilkes, J. Mogul, and J. Suermondt. Utilification. In Proc. 11th ACM SIGOPS EW, Sept. 2004.