Detangling Resource Management Functions from the TCB in Privacy-Preserving Virtualization

  • Min Li
  • Zili Zha
  • Wanyu Zang
  • Meng Yu
  • Peng Liu
  • Kun Bai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8712)


Recent research has developed virtualization architectures to protect the privacy of guest virtual machines. The key technology is to include an access control matrix in the hypervisor. However, existing approaches have either limited functionalities in the hypervisor or a Trusted Computing Base (TCB) which is too large to secure. In this paper, we propose a new architecture, MyCloud SEP, to separate resource allocation and management from the hypervisor in order to reduce the TCB size while supporting privacy protection. In our design, the hypervisor checks all resource accesses against an access control matrix in the hypervisor. While providing flexibility of plugging-in resource management modules, the size of TCB is significantly reduced compared with commercial hypervisors. Using virtual disk manager as an example, we implement a prototype on x86 architecture. The performance evaluation results also show acceptable overheads.


Cloud Computing Privacy Protection TCB Minimization Decomposition Isolation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Amazon Inc.: Amazon EC2,
  5. 5.
    Butt, S., Lagar-Cavilla, H.A., Srivastava, A., Ganapathy, V.: Self-service cloud computing. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 253–264. ACM, New York (2012)CrossRefGoogle Scholar
  6. 6.
    Li, M., Zang, W., Bai, K., Yu, M., Liu, P.: Mycloud: Supporting user-configured privacy protection in cloud computing. In: Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC 2013, pp. 59–68. ACM, New York (2013)CrossRefGoogle Scholar
  7. 7.
    Murray, D., Milos, G., Hand, S.: Improving xen security through disaggregation. In: Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, pp. 151–160. ACM (2008)Google Scholar
  8. 8.
    Pan, W., Zhang, Y., Yu, M., Jing, J.: Improving virtualization security by splitting hypervisor into smaller components. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 298–313. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  9. 9.
    Zhang, F., Chen, J., Chen, H., Zang, B.: Cloudvisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 203–216. ACM (2011)Google Scholar
  10. 10.
    Williams, D., Jamjoom, H., Weatherspoon, H.: The xen-blanket: virtualize once, run everywhere. In: ACM EuroSys (2012)Google Scholar
  11. 11.
    Ben-Yehuda, M., Day, M., Dubitzky, Z., Factor, M., Har’El, N., Gordon, A., Liguori, A., Wasserman, O., Yassour, B.: The turtles project: Design and implementation of nested virtualization. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 1–6. USENIX Association (2010)Google Scholar
  12. 12.
    Kauer, B., Verissimo, P., Bessani, A.: Recursive virtual machines for advanced security mechanisms. In: 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSN-W), pp. 117–122. IEEE (2011)Google Scholar
  13. 13.
    Steinberg, U., Kauer, B.: Nova: a microhypervisor-based secure virtualization architecture. In: Proceedings of the 5th European Conference on Computer Systems, EuroSys 2010, pp. 209–222. ACM, New York (2010)Google Scholar
  14. 14.
    Heiser, G., Uhlig, V., LeVasseur, J.: Are virtual-machine monitors microkernels done right? SIGOPS Oper. Syst. Rev. 40(1), 95–99 (2006)CrossRefGoogle Scholar
  15. 15.
    Keller, E., Szefer, J., Rexford, J., Lee, R.: Nohype: virtualized cloud infrastructure without the virtualization. ACM SIGARCH Computer Architecture News 38, 350–361 (2010)CrossRefGoogle Scholar
  16. 16.
    Szefer, J., Keller, E., Lee, R., Rexford, J.: Eliminating the hypervisor attack surface for a more secure cloud. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 401–412. ACM (2011)Google Scholar
  17. 17.
    McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an execution infrastructure for tcb minimization. SIGOPS Oper. Syst. Rev. 42(4), 315–328 (2008)CrossRefGoogle Scholar
  18. 18.
    Chen, X., Garfinkel, T., Lewis, E.C., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.K.: Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In. In: ASPLOS (May 2008)Google Scholar
  19. 19.
    Yang, J., Shin, K.G.: Using hypervisor to provide data secrecy for user applications on a per-page basis. In: Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE 2008, pp. 71–80. ACM, New York (2008)CrossRefGoogle Scholar
  20. 20.
    Hofmann, O.S., Kim, S., Dunn, A.M., Lee, M.Z., Witchel, E.: Inktag: secure applications on an untrusted operating system. In: Proceedings of the Eighteenth International Conference on Architectural Support for Programming Languages and Operating System, ASPLOS 2013, pp. 265–278. ACM, New York (2013)CrossRefGoogle Scholar
  21. 21.
    Ta-Min, R., Litty, L., Lie, D.: Splitting interfaces: making trust between applications and operating system configurable. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, OSDI 2006, pp. 279–292. USENIX Association, Berkeley (2006)Google Scholar
  22. 22.
    Cheng, Y., Ding, X., Deng, R.H.: Appshield: Protecting applications against untrusted operating system. In: Singaport Management University Technical Report. smu-sis-13-101 (2013)Google Scholar
  23. 23.
  24. 24.
  25. 25.
    CVE-2007-4993: Xen guest root escape to dom0 via pygrubGoogle Scholar
  26. 26.
    CVE-2010-0431: Qemu-kvm in redhat enterprise virtualization (rhev) 2.2 and kvm 83, does not properly validate guest qxl driver pointers, which allows guest os users to gain privileges via unspecified vectorsGoogle Scholar
  27. 27.
    CVE-2009-1758: The hypervisor callback function in xen, as applied to the linux kernel 2.6.30-rc4 allows guest user applications to cause a denial of service of the guest os by triggering a segmentation fault in certain address rangesGoogle Scholar
  28. 28.
    Elhage, N.: Virtunoid: Breaking out of kvm (2011)Google Scholar
  29. 29.
    Kortchinsky, K.: Cloudburst: Hacking 3d (and breaking out of vmware). In: Black Hat Conference (2009)Google Scholar
  30. 30.
    Wojtczuk, R., Rutkowska, J.: Xen 0wning trilogy. In: Black Hat Conference (2008)Google Scholar
  31. 31.
    Secunia: Vulnerability report: Vmware esx server 3.x,
  32. 32.
    Secunia: Xen multiple vulnerability report,
  33. 33.
    CVE-2009-2277: Cross-site scripting (xss) vulnerability in webaccess in vmware allows attackers to inject arbitrary web script via vectors related to context dataGoogle Scholar
  34. 34.
    CVE-2009-1244: Vulnerability in the virtual machine display function in vmware workstation allows guest os users to execute arbitrary code on host osGoogle Scholar
  35. 35.
    Anderson, R., Kuhn, M.: Tamper resistance-a cautionary note. In: Proceedings of the Second Usenix Workshop on Electronic Commerce, vol. 2, pp. 1–11 (1996)Google Scholar
  36. 36.
    Intel Coperation: Intel trusted execution technology (2011)Google Scholar
  37. 37.
    Intel Coperation: Intel trusted platform module (2003)Google Scholar
  38. 38.
    Wojtczuk, R., Rutkowska, J.: Attacking smm memory via intel cpu cache poisoning. Invisible Things Lab (2009)Google Scholar
  39. 39.
  40. 40.
    Intel Coperation: Serial ATA Advanced Host Controller Interface (2012)Google Scholar
  41. 41.
    Intel Corporation: Intel® Virtualization Technology Specification for Directed I/O Specification,

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Min Li
    • 1
  • Zili Zha
    • 1
  • Wanyu Zang
    • 1
  • Meng Yu
    • 1
  • Peng Liu
    • 2
  • Kun Bai
    • 3
  1. 1.Virginia Commonwealth UniversityUSA
  2. 2.Pennsylvania State UniversityUniversity ParkUSA
  3. 3.IBM T.J. Watson Research CenterUSA

Personalised recommendations