
Separation virtual machine monitors

Published: 03 December 2012

ABSTRACT

Separation kernels are the strongest known form of separation for virtual machines. We agree with NSA's Information Assurance Directorate that while separation kernels are stronger than any other alternative, their construction on modern commodity hardware is no longer justifiable. This is because of orthogonal feature creep in modern platform hardware. We introduce the separation VMM as a response to this situation and explain how we prototyped one.


Published in

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference (ACM Other conferences), December 2012, 464 pages.
ISBN: 9781450313124
DOI: 10.1145/2420950
Copyright © 2012 ACM


Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: research-article

Acceptance rates: ACSAC '12 paper acceptance rate 44 of 231 submissions (19%); overall acceptance rate 104 of 497 submissions (21%).
