Building a Hypervisor on a Formally Verifiable Protection Layer

Virtualization promises significant benefits in security, efficiency, dependability, and cost. Achieving these benefits depends upon the reliability of the underlying hypervisor. Hypervisors provide complete control of the virtualized resources (protection), a reasonably accurate view of these resources (fidelity), and performance. To facilitate formal verification of protection, we present an architecture, aligned with the hardware virtualization barrier, that separates hypervisor protection from the other goals. The hypervisor is constructed on a minimal trusted computing base or "minvisor" whose main responsibility is protection. Each real guest is paired with an untrusted fidelity guest that builds on the protection layer to provide a fully virtualized environment. This allows verification of protection without considering much of the functionality of a traditional hypervisor. We have coded such a protection layer, developed a simple hypervisor on it, and begun formally verifying its protection properties at the machine code level. The current paper is a progress report.
