Skip to main content

vCerberus: A DRTM system based on virtualization technology

Abstract

This paper presents vCerberus, a novel hypervisor to provide trusted and isolated code execution within virtual domains. vCerberus is considerably tiny, while allowing secure sensitive codes to be executed in an isolated circumstance from the virtual domain, and can be attested by a remote party in an efficient way. These properties will be guaranteed even if the guest operating system is malicious. This protects the secure sensitive codes against the malicious codes in the Guest OS, e.g., the kernel rootkits. We present an approach to dynamically measure and isolate the launch environment on the virtual machines based on the para-virtualization technology and a novel virtualization of trusted platform module (TPM). Our performance experiment result shows that the overhead introduced by vCerberus is minimized; the performance of the launch environment in vCerberus is as competitive as the guest OS running on mainstream hypervisors.

This is a preview of subscription content, access via your institution.

References

  1. [1]

    Seshadri A, Luk M, Qu N, et al. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes[C]// Proc 21st ACM Symposium on Operating Systems Principles (SOSP’07). Stevenson: Association for Computing Machinery, 2007: 335–350.

    Google Scholar 

  2. [2]

    Laadan O, Baratto R A, Phung D B. et al. DejaView: A personal virtual computer recorder[C]//Proc 21st ACM Symposium on Operating Systems Principles (SOSP’07). Stevenson: Association for Computing Machinery, 2007: 279–292.

    Google Scholar 

  3. [3]

    Chen Wenzhi, Yao Yuan, Yang Jianhua et al. Pcanel/V2: A VMM architecture based on intel VT-x[J]. Chinese Journal of Computers, 2009, 32(7): 1311–1319 (Ch).

    Article  Google Scholar 

  4. [4]

    Barham P, Dragovic B, Fraser K, et al. Xen and the art of virtualization[C]//Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP’03). Lake George: Association for Computing Machinery, 2003: 164–177.

    Google Scholar 

  5. [5]

    Trusted Computing Group. TCG architecture overview, Version 1.4 [EB/OL]. [2009-06-15]. http://www.trustedcomputinggroup.org/resources/tcg_architecture_overview_version_14 .

  6. [6]

    Trusted Computing Group. TCG design, implementation, and usage principles (best practices)[EB/OL]. [2008-06-15]. http://www.trustedcomputinggroup.org/resources/tcg_design_implementation_and_usage_principles_best_practices .

  7. [7]

    Intel Corp. Trusted execution technology architectural overview [EB/OL]. [2008-07-23]. http://www.intel.com/technology/security/down/oads/arch-overview.pdf .

  8. [8]

    Intel Corp. Trusted execution technology overview [EB/OL]. [2009-07-23]. http://www.intel.com/technology/security/downloads/TrustedExec_Overview.pdf .

  9. [9]

    AMD Corp. AMD64 architecture programmer’s manual, Volume 2: system programming[EB/OL]. [2009-07-23]. http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/24593.pdf .

  10. [10]

    McCune J M, Parno B J, Perrig A, et al. Flicker: an execution infrastructure for TCB minimization[C]//Proc 3rd ACM European Conference on Computer Systems—EuroSys’08. Glasgow: Association for Computing Machinery, 2008: 315–328.

    Google Scholar 

  11. [11]

    Intel Corp. Intel® 64 and IA-32 architectures software developer’s manual volume 3B: system programming guide [EB/OL]. [2009-07-23]. http://www.intel.com/Assets/PDF/manual/253669.pdf.

  12. [12]

    Swift M M, Bershad B N, Levy H M. Improving the reliability of commodity operating systems[C]// Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP’03). Lake George: Association for Computing Machinery, 2003: 207–222.

    Google Scholar 

  13. [13]

    Challener D. A Practical Guide to Trusted Computing[M]. Upper Saddle River: IBM Press/Pearson plc, 2008.

    Google Scholar 

  14. [14]

    Mayer U F. nbench 2.2.2[EB/OL]. [2009-08-10]. http://www.tux.org/~mayer/linux/bmark.html .

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Wenzhi Chen.

Additional information

Foundation item: Supported by the National Natural Science Foundation of China (60970125) and the Major State Basic Research Development Program of China (2007CB310900)

Biography: CHEN Wenzhi, male, Associate professor, research direction: operating systems, computer security, computer virtualization technology.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Chen, W., Zhang, Z., Yang, J. et al. vCerberus: A DRTM system based on virtualization technology. Wuhan Univ. J. Nat. Sci. 15, 185–189 (2010). https://doi.org/10.1007/s11859-010-0301-y

Download citation

Key words

  • trusted computing
  • para-virtualization
  • dynamic root of trust for measurement (DRTM)
  • trusted platform module (TPM)

CLC number

  • TP 309