Building a MAC-based Security Architecture for the Xen Opensource Hypervisor

We present the sHype hypervisor security architecture and examine in detail its mandatory access control architecture. While existing hypervisor security approaches aimed at high assurance have proven useful for high-security environments which prioritize security over performance and code-reuse, our approach aims at commercial security where near-zero performance overhead, non-intrusive implementation, and usability are most important. We provide the rationale behind the sHype concepts and describe its tailored implementation for the Xen open-source hypervisor.

We anticipate that the availability of better isolation through new hardware support in commodity systems, together with the broad availability of virtualization software, will increase the demand for Virtual Machine Monitor (VMM) systems running mutually distrusting coalitions of Virtual Machines (VMs). Because VMM systems can provide reliable isolation, some of the controlled-sharing responsibilities of operating systems will move to the VMM. Notably, this paper argues that it is not necessary to aim for the highest levels of assurance when designing secure VMMs for commodity hardware—when absolute isolation is required (e.g., the prevention of covert timing channels), a multi-system approach using separate hardware is recommended.

By: Reiner Sailer; Trent Jaeger; Enriquillo Valdez; Ronald Perez; Stefan Berger; John Linwood Griffin; Leendert van Doorn

Published as: IBM Research Report RC23629, 2005
