Issue No.04 - Fourth Quarter (2012 vol.5)
pp: 472-483
Chunxiao Li , Princeton University, Princeton
Anand Raghunathan , Purdue University, West Lafayette
Niraj K. Jha , Princeton University, Princeton
Virtualization is a rapidly evolving technology that can be used to provide a range of benefits to computing systems, including improved resource utilization, software portability, and reliability. Virtualization also has the potential to enhance security by providing isolated execution environments for different applications that require different levels of security. For security-critical applications, it is highly desirable to have a small trusted computing base (TCB), since it minimizes the surface of attacks that could jeopardize the security of the entire system. In traditional virtualization architectures, the TCB for an application includes not only the hardware and the virtual machine monitor (VMM), but also the whole management operating system (OS) that contains the device drivers and virtual machine (VM) management functionality. For many applications, it is not acceptable to trust this management OS, due to its large code base and abundance of vulnerabilities. For example, consider the "computing-as-a-service" scenario where remote users execute a guest OS and applications inside a VM on a remote computing platform. It would be preferable for many users to utilize such a computing service without being forced to trust the management OS on the remote platform. In this paper, we address the problem of providing a secure execution environment on a virtualized computing platform under the assumption of an untrusted management OS. We propose a secure virtualization architecture that provides a secure runtime environment, network interface, and secondary storage for a guest VM. The proposed architecture significantly reduces the TCB of security-critical guest VMs, leading to improved security in an untrusted management environment. We have implemented a prototype of the proposed approach using the Xen virtualization system, and demonstrated how it can be used to facilitate secure remote computing services. We evaluate the performance penalties incurred by the proposed architecture, and demonstrate that the penalties are minimal.
Virtual machine monitors, Computer security, Cloud computing, Driver circuits, Memory management, computing-as-a-service, Virtual machine, trusted computing base, memory protection, cloud computing
Chunxiao Li, Anand Raghunathan, Niraj K. Jha, "A Trusted Virtual Machine in an Untrusted Management Environment", IEEE Transactions on Services Computing, vol.5, no. 4, pp. 472-483, Fourth Quarter 2012, doi:10.1109/TSC.2011.30