Detangling Resource Management Functions from the TCB in Privacy-Preserving Virtualization

Recent research has developed virtualization architectures to protect the privacy of guest virtual machines. The key technology is to include an access control matrix in the hypervisor. However, existing approaches have either limited functionalities in the hypervisor or a Trusted Computing Base (TCB) which is too large to secure. In this paper, we propose a new architecture, MyCloud SEP, to separate resource allocation and management from the hypervisor in order to reduce the TCB size while supporting privacy protection. In our design, the hypervisor checks all resource accesses against an access control matrix in the hypervisor. While providing flexibility of plugging-in resource management modules, the size of TCB is significantly reduced compared with commercial hypervisors. Using virtual disk manager as an example, we implement a prototype on x86 architecture. The performance evaluation results also show acceptable overheads.

[1]  Muli Ben-Yehuda,et al.  The Turtles Project: Design and Implementation of Nested Virtualization , 2010, OSDI.

[2]  Abhinav Srivastava,et al.  Self-service cloud computing , 2012, CCS '12.

[3]  Steven Hand,et al.  Improving Xen security through disaggregation , 2008, VEE '08.

[4]  HeiserGernot,et al.  Are virtual-machine monitors microkernels done right? , 2006 .

[5]  Haibo Chen,et al.  CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization , 2011, SOSP.

[6]  Nora Cuppens-Boulahia,et al.  Data and Applications Security and Privacy XXVI , 2012, Lecture Notes in Computer Science.

[7]  Hakim Weatherspoon,et al.  The Xen-Blanket: virtualize once, run everywhere , 2012, EuroSys '12.

[8]  Robert H. Deng,et al.  AppShield: Protecting Applications Against Untrusted Operating System , 2013 .

[9]  Peng Liu,et al.  MyCloud: supporting user-configured privacy protection in cloud computing , 2013, ACSAC.

[10]  Jennifer Rexford,et al.  Eliminating the hypervisor attack surface for a more secure cloud , 2011, CCS '11.

[11]  Markus G. Kuhn,et al.  Tamper resistance: a cautionary note , 1996 .

[12]  Emmett Witchel,et al.  InkTag: secure applications on an untrusted operating system , 2013, ASPLOS '13.

[13]  Xiaoxin Chen,et al.  Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems , 2008, ASPLOS.

[14]  Yulong Zhang,et al.  Improving Virtualization Security by Splitting Hypervisor into Smaller Components , 2012, DBSec.

[15]  Kang G. Shin,et al.  Using hypervisor to provide data secrecy for user applications on a per-page basis , 2008, VEE '08.

[16]  Jennifer Rexford,et al.  NoHype: virtualized cloud infrastructure without the virtualization , 2010, ISCA.

[17]  David Lie,et al.  Splitting interfaces: making trust between applications and operating systems configurable , 2006, OSDI '06.

[18]  Alysson Neves Bessani,et al.  Recursive virtual machines for advanced security mechanisms , 2011, 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSN-W).

[19]  Gernot Heiser,et al.  Are virtual-machine monitors microkernels done right? , 2006, OPSR.

[20]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[21]  Udo Steinberg,et al.  NOVA: a microhypervisor-based secure virtualization architecture , 2010, EuroSys '10.