research-article

NOVA: a microhypervisor-based secure virtualization architecture

Authors:

Bernhard KauerAuthors Info & Claims

EuroSys '10: Proceedings of the 5th European conference on Computer systems

Pages 209 - 222

https://doi.org/10.1145/1755913.1755935

Published: 13 April 2010 Publication History

Abstract

The availability of virtualization features in modern CPUs has reinforced the trend of consolidating multiple guest operating systems on top of a hypervisor in order to improve platform-resource utilization and reduce the total cost of ownership. However, today's virtualization stacks are unduly large and therefore prone to attacks. If an adversary manages to compromise the hypervisor, subverting the security of all hosted operating systems is easy. We show how a thin and simple virtualization layer reduces the attack surface significantly and thereby increases the overall security of the system. We have designed and implemented a virtualization architecture that can host multiple unmodified guest operating systems. Its trusted computing base is at least an order of magnitude smaller than that of existing systems. Furthermore, on recent hardware, our implementation outperforms contemporary full virtualization environments.

References

[1]

K. Adams and O. Agesen. A Comparison of Software and Hardware Techniques for x86 Virtualization. In Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 2--13. ACM, 2006.

Digital Library

[2]

P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the Art of Virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP), pages 164--177. ACM, 2003.

Digital Library

[3]

A. Baumann, P. Barham, P.-E. Dagand, T. Harris, R. Isaacs, S. Peter, T. Roscoe, A. Schüpbach, and A. Singhania. The Multikernel: A New OS Architecture for Scalable Multicore Systems. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP), pages 29--44. ACM, 2009.

Digital Library

[4]

F. Bellard. QEMU, A Fast and Portable Dynamic Translator. In Proceedings of the USENIX Annual Technical Conference (ATC), pages 41--46. USENIX Association, 2005.

Digital Library

[5]

R. Bhargava, B. Serebrin, F. Spadini, and S. Manne. Accelerating Two-Dimensional Page Walks for Virtualized Systems. In Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 26--35. ACM, 2008.

Digital Library

[6]

E. Bugnion, S. Devine, and M. Rosenblum. Disco: Running Commodity Operating Systems on Scalable Multiprocessors. In Proceedings of the 16th ACM Symposium on Operating Systems Principles (SOSP), pages 143--156. ACM, 1997.

Digital Library

[7]

X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports. Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems. In Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 2--13. ACM, 2008.

Digital Library

[8]

V. Chipounov and G. Candea. Reverse Engineering of Binary Device Drivers with RevNIC. In Proceedings of the 5th ACM SIGOPS/EuroSys European Conference on Computer Systems. ACM, 2010.

Digital Library

[9]

C. Clark, K. Fraser, S. Hand, J. G. Hansen, E. Jul, C. Limpach, I. Pratt, and A. Warfield. Live Migration of Virtual Machines. In Proceedings of the 2nd ACM/USENIX Symposium on Networked Systems Design and Implementation (NSDI), pages 273--286. USENIX Association, 2005.

Digital Library

[10]

G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. ReVirt: Enabling Intrusion Analysis Through Virtual--Machine Logging and Replay. In Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI), pages 211--224. ACM, 2002.

Digital Library

[11]

R. P. Goldberg. Survey of Virtual Machine Research. Computer, 7(6):34--45, 1974.

Digital Library

[12]

D. Grawrock. The Intel Safer Computing Initiative. Intel Press, 2006.

[13]

H. Härtig, M. Hohmuth, J. Liedtke, J. Wolter, and S. Schönberg. The Performance of Microkernel-based Systems. In Proceedings of the 16th ACM Symposium on Operating Systems Principles (SOSP), pages 66--77. ACM, 1997.

Digital Library

[14]

J. N. Herder, H. Bos, B. Gras, P. Homburg, and A. S. Tanenbaum. Construction of a Highly Dependable Operating System. In Proceedings of the 6th European Dependable Computing Conference (EDCC), pages 3--12. IEEE Computer Society, 2006.

Digital Library

[15]

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 3B: System Programming Guide. Intel Corporation, 2008. SKU #253669.

[16]

S. T. King, G. W. Dunlap, and P. M. Chen. Debugging Operating Systems with Time-Traveling Virtual Machines. In Proceedings of the USENIX Annual Technical Conference (ATC), pages 1--15. USENIX Association, 2005.

Digital Library

[17]

A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori. KVM: The Linux Virtual Machine Monitor. In Proceedings of the Linux Symposium, pages 225--230, 2007.

[18]

D. N. Kleidermacher. Towards a High Assurance Multi-level Secure PC for Intelligence Communities. In Proceedings of the IEEE Conference on Technologies for Homeland Security, pages 609--614. IEEE Computer Society, 2008.

[19]

G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal Verification of an OS Kernel. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP), pages 207--220. ACM, 2009.

Digital Library

[20]

K. Kortchinsky. Cloudburst -- Hacking 3D and Breaking out of VMware. In Black Hat USA, 2009.

[21]

A. Lackorzynski and A. Warg. Taming Subsystems: Capabilities as Universal Resource Access Control in L4. In Proceedings of the 2nd Workshop on Isolation and Integration in Embedded Systems (IIES), pages 25--30. ACM, 2009.

Digital Library

[22]

D. Leinenbach and T. Santen. Verifying the Microsoft Hyper-V Hypervisor with VCC. In Proceedings of the 16th International Symposium on Formal Methods, pages 806--809. Springer, 2009.

Digital Library

[23]

J. LeVasseur, V. Uhlig, J. Stöß, and S. Götz. Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines. In Proceedings of the 6th Symposium on Operating Systems Design and Implementation (OSDI), pages 17--30. USENIX Association, 2004.

Digital Library

[24]

J. Liedtke. On Micro-Kernel Construction. In Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP), pages 237--250. ACM, 1995.

Digital Library

[25]

J. Liedtke. Improving IPC by Kernel Design. In Proceedings of the 14th ACM Symposium on Operating Systems Principles (SOSP), pages 175--188. ACM, 1993.

Digital Library

[26]

Microsoft Hyper-V. http://www.microsoft.com/hyperv/.

[27]

D. G. Murray, G. Milos, and S. Hand. Improving Xen Security through Disaggregation. In Proceedings of the 4th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), pages 151--160. ACM, 2008.

Digital Library

[28]

T. Ormandy. An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments. In CanSecWest, 2007.

[29]

M. Peter, H. Schild, A. Lackorzynski, and A. Warg. Virtual Machines Jailed: Virtualization in Systems with Small Trusted Computing Bases. In Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems (VTDS), pages 18--23. ACM, 2009.

Digital Library

[30]

L. Ryzhyk, P. Chubb, I. Kuz, E. Le Sueur, and G. Heiser. Automatic Device Driver Synthesis with Termite. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP), pages 73--86. ACM, 2009.

Digital Library

[31]

A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP), pages 335--350. ACM, 2007.

Digital Library

[32]

J. S. Shapiro, J. M. Smith, and D. J. Farber. EROS: A Fast Capability System. In Proceedings of the 17th ACM Symposium on Operating Systems Principles (SOSP), pages 170--185. ACM, 1999.

Digital Library

[33]

J. S. Shapiro, M. S. Doerrie, E. Northup, S. Sridhar, and M. Miller. Towards a Verified, General-Purpose Operating System Kernel. In Proceedings of the 1st NICTA Workshop on Operating System Verification, pages 1--18. National ICT Australia, 2004.

[34]

T. Shinagawa, H. Eiraku, K. Tanimoto, K. Omote, S. Hasegawa, T. Horie, M. Hirano, K. Kourai, Y. Ohyama, E. Kawai, K. Kono, S. Chiba, Y. Shinjo, and K. Kato. BitVisor: A Thin Hypervisor for Enforcing I/O Device Security. In Proceedings of the 5th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE). ACM, 2009.

Digital Library

[35]

L. Singaravelu, C. Pu, H. Härtig, and C. Helmuth. Reducing TCB Complexity for Security-Sensitive Applications: Three Case Studies. In Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems, pages 161--174. ACM, 2006.

Digital Library

[36]

R. Ta-Min, L. Litty, and D. Lie. Splitting Interfaces: Making Trust Between Applications and Operating Systems Configurable. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation (OSDI), pages 279--292. USENIX Association, 2006.

Digital Library

[37]

R. Uhlig, G. Neiger, D. Rodgers, A. L. Santoni, F. C. M. Martins, A. V. Anderson, S. M. Bennett, A. Kagi, F. H. Leung, and L. Smith. Intel Virtualization Technology. Computer, 38 (5):48--56, 2005.

Digital Library

[38]

VMware ESX Server Virtual Infrastructure Node Evaluator's Guide. http://www.vmware.com/pdf/esx_vin_eval.pdf.

[39]

VMware ESXi. http://www.vmware.com/esx/.

[40]

R. Wojtczuk. Subverting the Xen Hypervisor. In Black Hat USA, 2008.

Cited By

Chiang YChang WLi STu J(2024)Securing a Multiprocessor KVM Hypervisor with RustProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698562(650-667)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698562
Han XGao YParmer GWood T(2024)Byways: High-Performance, Isolated Network Functions for Multi-Tenant Cloud ServersProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698547(811-829)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698547
Xu SZhou QZhang ZJia XLiu DHuang HDu HSong Z(2024)ConMonitor: Lightweight Container Protection with Virtualization and VM FunctionsProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698520(755-773)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698520
Show More Cited By

Index Terms

NOVA: a microhypervisor-based secure virtualization architecture
1. General and reference
  1. Cross-computing tools and techniques
    1. Performance
2. Software and its engineering
  1. Software creation and management
    1. Designing software
  2. Software organization and properties
    1. Contextual software domains
      1. Operating systems
    2. Extra-functional properties
      1. Software performance

Recommendations

Architectural support of multiple hypervisors over single platform for enhancing cloud computing security
CF '12: Proceedings of the 9th conference on Computing Frontiers

This paper presents MultiHype, a novel architecture that supports multiple hypervisors (or virtual machine monitors) on a single physical platform by leveraging many-core based cloud-on-chip architecture. A MultiHype platform consists of a control plane ...
SRVM: Hypervisor Support for Live Migration with Passthrough SR-IOV Network Devices
VEE '16

Single-Root I/O Virtualization (SR-IOV) is a specification that allows a single PCI Express (PCIe) device (ysical function or PF) to be used as multiple PCIe devices (virtual functions or VF). In a virtualization system, each VF can be directly assigned ...
SRVM: Hypervisor Support for Live Migration with Passthrough SR-IOV Network Devices
VEE '16: Proceedings of the12th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Single-Root I/O Virtualization (SR-IOV) is a specification that allows a single PCI Express (PCIe) device (ysical function or PF) to be used as multiple PCIe devices (virtual functions or VF). In a virtualization system, each VF can be directly assigned ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

EuroSys '10: Proceedings of the 5th European conference on Computer systems

April 2010

388 pages

ISBN:9781605585772

DOI:10.1145/1755913

General Chair:
Christine Morin
INRIA Rennes, France
,
Program Chair:
Gilles Muller
INRIA/LIP6, France

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 April 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

EuroSys '10

Sponsor:

SIGOPS

EuroSys '10: Fifth EuroSys Conference 2010

April 13 - 16, 2010

Paris, France

Acceptance Rates

Overall Acceptance Rate 241 of 1,308 submissions, 18%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

237
Total Citations
View Citations
2,321
Total Downloads

Downloads (Last 12 months)111
Downloads (Last 6 weeks)25

Reflects downloads up to 09 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Chiang YChang WLi STu J(2024)Securing a Multiprocessor KVM Hypervisor with RustProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698562(650-667)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698562
Han XGao YParmer GWood T(2024)Byways: High-Performance, Isolated Network Functions for Multi-Tenant Cloud ServersProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698547(811-829)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698547
Xu SZhou QZhang ZJia XLiu DHuang HDu HSong Z(2024)ConMonitor: Lightweight Container Protection with Virtualization and VM FunctionsProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698520(755-773)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698520
Mergendahl SFickas SNorris BSkowyra RLuo BLiao XXu JKirda ELie D(2024)Manipulative Interference AttacksProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690246(4569-4583)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690246
Asmussen NHaas SLackorzyński ARoitzsch M(2024) Core-Local Reasoning and Predictable Cross-Core Communication with M 3 2024 IEEE 30th Real-Time and Embedded Technology and Applications Symposium (RTAS)10.1109/RTAS61025.2024.00024(199-211)Online publication date: 13-May-2024
https://doi.org/10.1109/RTAS61025.2024.00024
Eisoldt JMiemietz T(2024)Trustworthy Execution of O-RAN Applications by strong Separation and minimal Trusted Computing Base2024 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)10.1109/NFV-SDN61811.2024.10807504(214-216)Online publication date: 5-Nov-2024
https://doi.org/10.1109/NFV-SDN61811.2024.10807504
Chen JZhou QZhang WJiang NXie YJia X(2024)vASP: Full VM Life-cycle Protection Based on Active Security Processor Architecture2024 IEEE 24th International Symposium on Cluster, Cloud and Internet Computing (CCGrid)10.1109/CCGrid59990.2024.00028(168-177)Online publication date: 6-May-2024
https://doi.org/10.1109/CCGrid59990.2024.00028
de Bonfils Lavernelle JBonnefoi PGonzalvo BSauveron D(2024)Assessment of spatial isolation in JailhouseComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2024.110402245:COnline publication date: 1-May-2024
https://dl.acm.org/doi/10.1016/j.comnet.2024.110402
Sudvarg MSun ZLi AGill CZhang N(2024)Priority-based concurrency and shared resource access mechanisms for nested intercomponent requests in CAmkESReal-Time Systems10.1007/s11241-024-09419-360:1(76-107)Online publication date: 15-Apr-2024
https://doi.org/10.1007/s11241-024-09419-3
Gandhi VBanerjee SAgrawal AAhmad ALee SPeinado MCalandrino JTroncoso C(2023)Rethinking system audit architectures for high event coverage and synchronous log availabilityProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620260(391-408)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620260
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents