We present an operating system independent hypervisor security architecture and its application to control information flow between operating systems sharing a single hardware platform. New computing paradigms -such as Grid computing, On-demand services, or Web Services- increasingly depend on the security of the underlying computing infrastructure. A fundamental security problem today is that almost all available security controls for protecting the computing infrastructure rely on the security expected from the operating system. However, common off-the-shelf operating systems are too large and complex to provide the security guarantees required for critical applications. Hypervisors are becoming a ubiquitous virtualization layer on client and server systems. They are designed to isolate operating systems by running them in isolated run-time environments on a single hardware platform. Thus, a malicious or manipulated OS can be isolated and security breaches can be contained within it. However, since distributed services need resource sharing, operating systems must be allowed to co-operate. Our contribution in this paper is the extension of a full-isolation hypervisor with security mechanisms that enable controlled resource sharing between virtual machines to secure this co-operation. We have successfully implemented our hypervisor security architecture (sHype) into a fully functional multi-platform researchhypervisor (vHype). sHype implements a security reference monitor interface in the hypervisor to enforce information flow constraints between virtual machines.
By: Reiner Sailer; Enriquillo Valdez; Trent Jaeger; Ronald Perez; Leendert van Doorn; John Linwood Griffin; Stefan Berger
Published in: RC23511 in 2005
LIMITED DISTRIBUTION NOTICE:
This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.
Questions about this service can be mailed to firstname.lastname@example.org .