Building a MAC-based Security Architecture for the Xen Opensource Hypervisor

Reiner Sailer
IBM T. J. Watson Research Center
USA

Trent Jaeger
IBM T. J. Watson Research Center
USA

Enriquillo Valdez
IBM T. J. Watson Research Center
USA

Ramon Caceres
IBM T. J. Watson Research Center
USA

Ronald Perez
IBM T. J. Watson Research Center
USA

We present the sHype hypervisor security architecture and examine in detail its mandatory access control (MAC) architecture. While existing hypervisor security approaches aimed at high assurance have proven useful for high-security environments that prioritize security over performance and code reuse, our approach targets commercial security, where near-zero performance overhead, a non-intrusive implementation, and usability matter most. We provide the rationale behind the sHype concepts and describe its tailored implementation for the Xen open-source hypervisor.

We anticipate that better isolation, made available through new hardware support in commodity systems, together with the broad availability of virtualization software, will increase the demand for Virtual Machine Monitor (VMM) systems that run mutually distrusted coalitions of Virtual Machines (VMs). Because VMM systems can provide reliable isolation, some of the controlled-sharing responsibilities of operating systems will move into the VMM. Notably, this paper argues that it is not necessary to aim for the highest levels of assurance when designing secure VMMs for commodity hardware: where absolute isolation is required (for example, to prevent covert timing channels), a multi-system approach using separate hardware is recommended.

Keywords: Hypervisor, Security Architecture, MAC, Reference Monitor
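The abstract describes a MAC reference monitor in the hypervisor that mediates controlled sharing between coalitions of mutually distrusted VMs. The following C program is an added illustration of that idea, not code from the paper or from Xen: it labels each VM with a set of coalition types, allows a resource to be shared only between VMs whose labels overlap (a simple type-enforcement rule), and refuses to start a VM whose workload would run alongside a conflicting one (a Chinese-Wall style rule). The abstract itself names neither policy, so the type names, the conflict set, the VM table and the hook names below are all constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration (not sHype/Xen code): a reference-monitor style
 * check for sharing between labelled VMs. Type names, the conflict
 * set and the VM table below are constructed for this example.
 */

/* Coalition types; a VM label is a bitmask of the types it holds. */
enum { T_PAYROLL = 1u << 0, T_WEB = 1u << 1, T_DEV = 1u << 2 };

typedef struct {
    const char *name;
    uint32_t    types;    /* label: set of coalition types */
    bool        running;
} vm_t;

/* Chinese-Wall conflict sets (assumed policy): different types from
 * one set must not run concurrently on the same hypervisor. */
static const uint32_t conflict_sets[] = { T_PAYROLL | T_DEV };
#define N_CONFLICT_SETS (sizeof conflict_sets / sizeof conflict_sets[0])

/* Type-enforcement rule: two VMs may share a resource (grant page,
 * event channel, virtual NIC) iff their labels have a common type. */
bool ste_allow_share(const vm_t *a, const vm_t *b)
{
    return (a->types & b->types) != 0;
}

/* Chinese-Wall rule: 'cand' may start iff no running VM holds a type
 * from the same conflict set that differs from cand's own types there. */
bool cw_allow_start(const vm_t *cand, const vm_t *vms, size_t n)
{
    for (size_t i = 0; i < N_CONFLICT_SETS; i++) {
        uint32_t cs = conflict_sets[i];
        uint32_t mine = cand->types & cs;
        if (mine == 0)
            continue;           /* cand is not subject to this set */
        for (size_t j = 0; j < n; j++) {
            const vm_t *v = &vms[j];
            if (v == cand || !v->running)
                continue;
            uint32_t theirs = v->types & cs;
            if (theirs != 0 && theirs != mine)
                return false;   /* conflicting workloads would coexist */
        }
    }
    return true;
}

/* The hook a hypervisor would call before wiring up a shared resource:
 * decide, then audit the decision. Returns the decision to the caller. */
bool rm_share_hook(const vm_t *a, const vm_t *b, const char *resource)
{
    bool ok = ste_allow_share(a, b);
    printf("share %-7s %s <-> %s: %s\n", resource, a->name, b->name,
           ok ? "ALLOW" : "DENY");
    return ok;
}

/* Constructed sample system. */
static vm_t vms[] = {
    { "payroll-db", T_PAYROLL,         true  },
    { "payroll-fe", T_PAYROLL | T_WEB, true  },
    { "public-web", T_WEB,             true  },
    { "dev-box",    T_DEV,             false },
};
#define N_VMS (sizeof vms / sizeof vms[0])

/* Exercise both rules on the sample system; returns the number of
 * decisions that differ from what the policy is meant to produce. */
int run_demo(void)
{
    int bad = 0;
    bad += rm_share_hook(&vms[0], &vms[1], "grant")  != true;  /* common: payroll */
    bad += rm_share_hook(&vms[1], &vms[2], "evtchn") != true;  /* common: web */
    bad += rm_share_hook(&vms[0], &vms[2], "grant")  != false; /* disjoint labels */
    bad += cw_allow_start(&vms[3], vms, N_VMS) != false;       /* dev vs running payroll */
    vms[0].running = vms[1].running = false;                   /* stop payroll VMs */
    bad += cw_allow_start(&vms[3], vms, N_VMS) != true;        /* now permitted */
    vms[0].running = vms[1].running = true;                    /* restore state */
    return bad;
}

int main(void)
{
    return run_demo() == 0 ? 0 : 1;
}
```

The point of the structure is the one the abstract makes: the decision is taken in the hypervisor at the moment a sharing path is created, from labels the guest cannot alter, so the guest operating systems need not be trusted to enforce the separation themselves. A real implementation would also have to attach labels at VM creation, revoke existing shares when a label or policy changes, and keep the check cheap enough to sit on the hot path.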
