Breaking up is hard to do: security and functionality in a commodity hypervisor

Cloud computing uses virtualization to lease small slices of large-scale datacenter facilities to individual paying customers. These multi-tenant environments, on which numerous large and popular web-based applications run today, are founded on the belief that the virtualization platform is sufficiently secure to prevent breaches of isolation between different users who are co-located on the same host. Hypervisors are believed to be trustworthy in this role because of their small size and narrow interfaces. We observe that despite the modest footprint of the hypervisor itself, these platforms have a large aggregate trusted computing base (TCB) that includes a monolithic control VM with numerous interfaces exposed to VMs. We present Xoar, a modified version of Xen that retrofits the modularity and isolation principles used in micro-kernels onto a mature virtualization platform. Xoar breaks the control VM into single-purpose components called service VMs. We show that this componentized abstraction brings a number of benefits: sharing of service components by guests is configurable and auditable, making exposure to risk explicit, and access to the hypervisor is restricted to the least privilege required for each component. Microrebooting components at configurable frequencies reduces the temporal attack surface of individual components. Our approach incurs little performance overhead, and does not require functionality to be sacrificed or components to be rewritten from scratch.

[1]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[2]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[3]  Richard Sharp,et al.  Using functional programming within an industrial product group: perspectives and perceptions , 2010, ICFP '10.

[4]  David Brumley,et al.  Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[5]  Andrew Warfield,et al.  Live migration of virtual machines , 2005, NSDI.

[6]  Stefan Berger,et al.  Building a MAC-based security architecture for the Xen open-source hypervisor , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[7]  Samuel Thibault,et al.  Improving performance by embedding HPC applications in lightweight Xen domains , 2008, HPCVirt '08.

[8]  Dutch T. Meyer,et al.  Remus: High Availability via Asynchronous Virtual Machine Replication. (Best Paper) , 2008, NSDI.

[9]  Fred B. Schneider,et al.  Hypervisor-based fault tolerance , 1996, TOCS.

[10]  Stephen Smalley,et al.  Integrating Flexible Support for Security Policies into the Linux Operating System , 2001, USENIX Annual Technical Conference, FREENIX Track.

[11]  Xiaoxin Chen,et al.  Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems , 2008, ASPLOS.

[12]  Luiz André Barroso,et al.  The Case for Energy-Proportional Computing , 2007, Computer.

[13]  Steven Hand,et al.  Improving Xen security through disaggregation , 2008, VEE '08.

[14]  Toby Velte,et al.  Microsoft Virtualization with Hyper-V , 2009 .

[15]  Jennifer Rexford,et al.  NoHype: virtualized cloud infrastructure without the virtualization , 2010, ISCA.

[16]  Eyal de Lara,et al.  The taser intrusion recovery system , 2005, SOSP '05.

[17]  Mehul A. Shah,et al.  Analyzing the energy efficiency of a database server , 2010, SIGMOD Conference.

[18]  George Varghese,et al.  Difference engine , 2010, OSDI.

[19]  Shigeru Chiba,et al.  BitVisor: a thin hypervisor for enforcing i/o device security , 2009, VEE '09.

[20]  Herbert Bos,et al.  Can we make operating systems reliable and secure? , 2006, Computer.

[21]  J. Shapiro,et al.  EROS: a fast capability system , 2000, OPSR.

[22]  Norman Hardy,et al.  KeyKOS architecture , 1985, OPSR.

[23]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[24]  A. Kivity,et al.  kvm : the Linux Virtual Machine Monitor , 2007 .

[25]  P. S. Tasker,et al.  DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA , 1985 .

[26]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX Annual Technical Conference, FREENIX Track.

[27]  Mike Hibler,et al.  The Flask Security Architecture: System Support for Diverse Security Policies , 1999, USENIX Security Symposium.

[28]  Hermann Härtig,et al.  Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors , 2004, EW 11.

[29]  George Candea,et al.  Microreboot - A Technique for Cheap Recovery , 2004, OSDI.

[30]  Xuxian Jiang,et al.  Countering kernel rootkits with lightweight hook protection , 2009, CCS.

[31]  David Lie,et al.  Hypervisor Support for Identifying Covertly Executing Binaries , 2008, USENIX Security Symposium.

[32]  Mary Baker,et al.  The Recovery Box: Using Fast Recovery to Provide High Availability in the UNIX Environment , 1992, USENIX Summer.

[33]  Udo Steinberg,et al.  NOVA: a microhypervisor-based secure virtualization architecture , 2010, EuroSys '10.

[34]  Adrian Perrig,et al.  SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes , 2007, SOSP.

[35]  Amar Phanishayee,et al.  FAWN: a fast array of wimpy nodes , 2009, SOSP '09.

[36]  Andrew Warfield,et al.  Safe Hardware Access with the Xen Virtual Machine Monitor , 2007 .

[37]  Michael Le,et al.  ReHype: enabling VM survival across hypervisor failures , 2011, VEE '11.

[38]  J. Rutkowska Qubes OS Architecture , 2010 .

[39]  John M. Boone,et al.  INTEGRITY-ORIENTED CONTROL OBJECTIVES: PROPOSED REVISIONS TO THE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC), DoD 5200.28-STD , 1991 .

[40]  Steven Hand,et al.  Satori: Enlightened Page Sharing , 2009, USENIX Annual Technical Conference.

[41]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[42]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.