DOI: 10.1145/2420950.2421011
Research article

Separation virtual machine monitors

Published: 03 December 2012 Publication History

Abstract

Separation kernels are the strongest known form of separation for virtual machines. We agree with NSA's Information Assurance Directorate that while separation kernels are stronger than any other alternative, their construction on modern commodity hardware is no longer justifiable. This is because of orthogonal feature creep in modern platform hardware. We introduce the separation VMM as a response to this situation and explain how we prototyped one.


Published In

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
December 2012, 464 pages
ISBN: 9781450313124
DOI: 10.1145/2420950

Sponsors

• ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. hypervisor
2. open source
3. virtual machine monitor (VMM)
4. virtualization

Qualifiers

• Research-article

Conference

ACSAC '12: Annual Computer Security Applications Conference
Sponsor: ACSA
December 3 - 7, 2012
Orlando, Florida, USA

Acceptance Rates

ACSAC '12 paper acceptance rate: 44 of 231 submissions, 19%
Overall acceptance rate: 104 of 497 submissions, 21%
