A Retrospective on the VAX VMM Security Kernel
November 1991 (vol. 17 no. 11)
pp. 1147-1165

The development of a virtual-machine monitor (VMM) security kernel for the VAX architecture is described. The focus is on how the system's hardware, microcode, and software are aimed at meeting A1-level security requirements while maintaining the standard interfaces and applications of the VMS and ULTRIX-32 operating systems. The VAX security kernel supports multiple concurrent virtual machines on a single VAX system, providing isolation and controlled sharing of sensitive data. Rigorous engineering standards were applied during development to comply with the assurance requirements for verification and configuration management. The VAX security kernel has been developed with a heavy emphasis on performance and system management tools. The kernel performs sufficiently well that much of its development was carried out in virtual machines running on the kernel itself, rather than in a conventional time-sharing system.

Index Terms:
VAX VMM; security kernel; virtual-machine monitor; microcode; A1-level security requirements; standard interfaces; ULTRIX-32 operating systems; multiple concurrent virtual machines; isolation; controlled sharing; sensitive data; configuration management; system management tools; DEC computers; security of data; supervisory programs; virtual machines
Citation:
P.A. Karger, M.E. Zurko, D.W. Bonin, A.H. Mason, C.E. Kahn, "A Retrospective on the VAX VMM Security Kernel," IEEE Transactions on Software Engineering, vol. 17, no. 11, pp. 1147-1165, Nov. 1991, doi:10.1109/32.106971