Trusted Virtual Domains – Design, Implementation and Lessons Learned

  • Luigi Catuogno
  • Alexandra Dmitrienko
  • Konrad Eriksson
  • Dirk Kuhlmann
  • Gianluca Ramunno
  • Ahmad-Reza Sadeghi
  • Steffen Schulz
  • Matthias Schunter
  • Marcel Winandy
  • Jing Zhan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6163)


A Trusted Virtual Domain (TVD) is a coalition of virtual machines and resources (e.g., network, storage) that are distributed over multiple physical platforms and share a common security policy. The concept of TVDs and their usage scenarios have been studied extensively. However, details on certain implementation aspects have not been explored in depth yet, such as secure policy deployment and integration of heterogeneous virtualization and trusted computing technologies. In this paper, we present implementation aspects of the life cycle management of TVDs. We describe the components and protocols necessary to realize the TVD design on a cross-platform architecture and present our prototype implementation for the Xen and L4 microkernel platforms. In particular, we discuss the need for and the realization of intra-TVD access control, a hypervisor abstraction layer for simplified TVD management, necessary components of a TVD policy and revocation issues. We believe that these integration details are essential and helpful inputs for any large-scale real-world deployment of TVD.


trusted virtual domain security virtualization management 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Griffin, J.L., Jaeger, T., Perez, R., Sailer, R., van Doorn, L., Cáceres, R.: Trusted Virtual Domains: Toward secure distributed services. In: Proceedings of the 1st IEEE Workshop on Hot Topics in System Dependability, HotDep 2005 (2005)Google Scholar
  2. 2.
    Bussani, A., Griffin, J.L., Jansen, B., Julisch, K., Karjoth, G., Maruyama, H., Nakamura, M., Perez, R., Schunter, M., Tanner, A., Van Doorn, L., Van Herreweghen, E.A., Waidner, M., Yoshihama, S.: Trusted Virtual Domains: Secure foundations for business and IT services. Technical Report RC23792, IBM Research (2005)Google Scholar
  3. 3.
    Katsuno, Y., Kudo, M., Perez, P., Sailer, R.: Towards Multi-Layer Trusted Virtual Domains. In: The 2nd Workshop on Advances in Trusted Computing (WATC 2006 Fall), Japanese Ministry of Economy, Trade and Industry, METI, Tokyo, Japan (2006)Google Scholar
  4. 4.
    Berger, S., Cáceres, R., Pendarakis, D., Sailer, R., Valdez, E., Perez, R., Schildhauer, W., Srinivasan, D.: TVDc: managing security in the trusted virtual datacenter. SIGOPS Oper. Syst. Rev. 42, 40–47 (2008)CrossRefGoogle Scholar
  5. 5.
    Cabuk, S., Dalton, C.I., Ramasamy, H., Schunter, M.: Towards automated provisioning of secure virtualized networks. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 235–245. ACM, New York (2007)CrossRefGoogle Scholar
  6. 6.
    Sailer, R., Jaeger, T., Valdez, E., Perez, R., Berger, S., Griffin, J.L., van Doorn, L.: Building a MAC-based security architecture for the Xen open-source hypervisor. In: ACSAC 2005: Proceedings of the 21st Annual Computer Security Applications Conference. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  7. 7.
    Goldman, K., Perez, R., Sailer, R.: Linking remote attestation to secure tunnel endpoints. In: STC 2006: Proceedings of the First ACM Workshop on Scalable Trusted Computing, pp. 21–24 (2006)Google Scholar
  8. 8.
    Asokan, N., Ekberg, J.E., Sadeghi, A.R., Stüble, C., Wolf, M.: Enabling fairer digital rights management with trusted computing. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 53–70. Springer, Heidelberg (2007)Google Scholar
  9. 9.
    Armknecht, F., Gasmi, Y., Sadeghi, A.R., Stewin, P., Unger, M., Ramunno, G., Vernizzi, D.: An efficient implementation of trusted channels based on OpenSSL. In: STC 2008: Proceedings of the 3rd ACM Workshop on Scalable Trusted Computing, pp. 41–50. ACM, New York (2008)CrossRefGoogle Scholar
  10. 10.
    Berger, S., Caceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: vTPM: Virtualizing the Trusted Platform Module. In: Proceedings of the 15th USENIX Security Symposium, USENIX, pp. 305–320 (2006)Google Scholar
  11. 11.
    Scarlata, V., Rozas, C., Wiseman, M., Grawrock, D., Vishik, C.: TPM virtualization: Building a general framework. In: Pohlmann, N., Reimer, H. (eds.) Trusted Computing, pp. 43–56. Vieweg-Verlag (2007)Google Scholar
  12. 12.
    England, P., Loeser, J.: Para-virtualized TPM sharing. In: Lipp, P., Sadeghi, A.-R., Koch, K.-M. (eds.) Trust 2008. LNCS, vol. 4968, pp. 119–132. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Sadeghi, A.R., Stüble, C., Winandy, M.: Property-based TPM virtualization. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 1–16. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    EMSCB Project Consortium: The European Multilaterally Secure Computing Base (EMSCB) project (2004),
  15. 15.
    The OpenTC Project Consortium: The Open Trusted Computing (OpenTC) project (2005),
  16. 16.
    Kuhlmann, D., Landfermann, R., Ramasamy, H.V., Schunter, M., Ramunno, G., Vernizzi, D.: An open trusted computing architecture – secure virtual machines enabling user-defined policy enforcement. Technical Report RZ 3655 (#99675), IBM Research (2006)Google Scholar
  17. 17.
    Nick, L., Petroni, J., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot - a coprocessor-based kernel runtime integrity monitor. In: Proceedings of the 13th USENIX Security Symposium, pp. 179–194 (2004)Google Scholar
  18. 18.
    Loscocco, P.A., Wilson, P.W., Pendergrass, J.A., McDonell, C.D.: Linux kernel integrity measurement using contextual inspection. In: STC 2007: Proceedings of the 2007 ACM Workshop on Scalable Trusted Computing, pp. 21–29. ACM, New York (2007)CrossRefGoogle Scholar
  19. 19.
    Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the 2003 Network and Distributed System Symposium (2003)Google Scholar
  20. 20.
    Payne, B.D., Carbone, M.D., Lee, W.: Secure and flexible monitoring of virtual machines. In: Proceedings of the 2007 Annual Computer Security Applications Conference, ACSAC 2007 (2007)Google Scholar
  21. 21.
    Löhr, H., Sadeghi, A.R., Vishik, C., Winandy, M.: Trusted privacy domains – challenges for trusted computing in privacy-protecting information sharing. In: Bao, F., Li, H., Wang, G. (eds.) ISPEC 2009. LNCS, vol. 5451, pp. 396–407. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  22. 22.
    Trusted Computing Group: TPM Main Specification, Version 1.2 rev. 103 (2007)Google Scholar
  23. 23.
    Catuogno, L., Manulis, M., Löhr, H., Sadeghi, A.R., Winandy, M.: Transparent mobile storage protection in trusted virtual domains. In: 23rd Large Installation System Administration Conference (LISA 2009). USENIX Association (2009)Google Scholar
  24. 24.
    Backes, M., Cachin, C., Oprea, A.: Lazy revocation in cryptographic file systems. In: 3rd International IEEE Security in Storage Workshop (SISW 2005), San Francisco, California, USA, December 13, pp. 1–11 (2005)Google Scholar
  25. 25.
    Backes, M., Cachin, C., Oprea, A.: Secure key-updating for lazy revocation. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 327–346. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  26. 26.
    Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Pratt, I., Warfield, A., Barham, P., Neugebauer, R.: Xen and the art of virtualization. In: Proceedings of the ACM Symposium on Operating Systems Principles, pp. 164–177 (2003)Google Scholar
  27. 27.
    Hohmuth, M.: The Fiasco kernel: Requirements definition. Technical report, Dresden University of Technology (1998)Google Scholar
  28. 28.
    Libvirt project: libvirt virtualization API (2008),
  29. 29.
    Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: SOSP (2007)Google Scholar
  30. 30.
    Qumranet Inc.: Whitepaper: Kernel-based virtualiztion machine (2006),
  31. 31.
    Bellard, F.: QEMU, open source processor emulator (2008)Google Scholar
  32. 32.
    Sun Microsystems: Virtualbox (2008)Google Scholar
  33. 33.
    IEEE Computer Society: 802.11Q: Virtual Bridged Local Area Networks (2003)Google Scholar
  34. 34.
    Jaeger, T., Butler, K., King, D.H., Hallyn, S., Latten, J., Zhang, X.: Leveraging IPsec for mandatory access control across systems. In: Proceedings of the Second International Conference on Security and Privacy in Communication Networks (2006)Google Scholar
  35. 35., Inc.: Amazon web services: Overview of security processes. Whitepaper (2008),
  36. 36.
    Manulis, M.: Security-Focused Survey on Group Key Exchange Protocols. Technical Report 2006/03, Horst-Görtz Institute, Network and Data Security Group (2006)Google Scholar
  37. 37.
    Distributed Management Task Force: Common Information Model (CIM) Standards (2009),
  38. 38.
    Winer, D.: XML-RPC Specification (1999)Google Scholar
  39. 39.
    Object Management Group: OMG IDL Syntax and Semantics (2002)Google Scholar
  40. 40.
    Organization for the Advancement of Structured Information Standards (OASIS): eXtensible Access Control Markup Language (XACML) v2.0 (2005),
  41. 41.
    Gasmi, Y., Husseiki, R., Sadeghi, A.R., Stewin, P., Stüble, C., Unger, M., Winandy, M.: Flexible and secure enterprise rights management based on trusted virtual domains. In: STC 2008: Proceedings of the 3rd ACM Workshop on Scalable Trusted Computing. ACM, New York (2008)Google Scholar
  42. 42.
    Cabuk, S., Dalton, C.I., Eriksson, K., Kuhlmann, D., Ramasamy, H.G.V., Ramunno, G., Sadeghi, A.R., Schunter, M., Stüble, C.: Towards automated security policy enforcement in multi-tenant virtual data centers. In: Journal of Computer Science, Special Issue on EU’s ICT Security Research. IOS Press, Amsterdam (2009)Google Scholar
  43. 43.
    Berger, S., Cáceres, R., Goldman, K., Pendarakis, D., Perez, R., Rao, J.R., Rom, E., Sailer, R., Schildhauer, W., Srinivasan, D., Tal, S., Valdez, E.: Security for the cloud infrastructure: Trusted virtual data center implementation. IBM Journal of Research and Development 53, 6:1–6:12 (2009)Google Scholar
  44. 44.
    Faden, G.: Solaris Trusted Extensions: Architectural Overview (2006),
  45. 45.
    Schuba, C.: Security Advantages of Solaris Zones Software (2008),

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Luigi Catuogno
    • 1
  • Alexandra Dmitrienko
    • 1
  • Konrad Eriksson
    • 2
  • Dirk Kuhlmann
    • 3
  • Gianluca Ramunno
    • 4
  • Ahmad-Reza Sadeghi
    • 1
  • Steffen Schulz
    • 1
  • Matthias Schunter
    • 2
  • Marcel Winandy
    • 1
  • Jing Zhan
    • 1
    • 5
  1. 1.Horst Görtz Institute for IT SecurityRuhr-University BochumGermany
  2. 2.IBM ResearchZurichSwitzerland
  3. 3.Hewlett Packard LaboratoriesBristolEngland
  4. 4.Dip. di Automatica e InformaticaPolitecnico di TorinoItaly
  5. 5.Department of Computer ScienceWuhan UniversityWuhanChina

Personalised recommendations