Architecting Dependable and Secure Systems Using Virtualization

  • Bernhard Jansen
  • HariGovind V. Ramasamy
  • Matthias Schunter
  • Axel Tanner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5135)


We outline ways of leveraging virtualization for enhancing system dependability and security, and describe the practical realization of some of these enhancements using the Xen open-source virtual machine monitor (VMM). Using combinatorial modeling, we perform reliability analysis of multiple design choices when a single physical server is used to host multiple virtual servers. The analysis shows that unless certain conditions (e.g., regarding the number of virtual servers) are met, virtualization could decrease the reliability of a single physical server. The analysis also shows that improving the reliability of the VMM is crucial to improving the reliability of a virtualized physical node. Motivated by this observation, we show how the enhancements we have implemented can be combined to produce a more reliable Xen VMM architecture, called R-Xen. The Xen VMM consists of a hypervisor core and a privileged virtual machine (VM) called Dom0. Dom0, being much bulkier than the hypervisor core, is the weak link for Xen reliability. Consequently, R-Xen focuses on improving the reliability of Dom0 through replication in which Dom0 replicas mutually monitor each other for intrusion and faults. R-Xen converts more severe Dom0 replica faults into fail-stop behavior, and rejuvenates a failed replica. The approach is transparent and does not require any modifications to regular Xen VMs (user domains).
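The abstract's reliability argument can be made concrete with a small combinatorial model. The following Python is an added illustration and not the paper's own model, code or figures: it treats a virtualized node as hardware and VMM in series with a k-of-n block of virtual servers, compares that with the same service spread over n physical servers, and models Dom0 replication as a parallel block. All function names and every reliability value are assumptions chosen for the example.

```python
"""Combinatorial reliability of a virtualized physical node.

Added illustration, not the paper's model or numbers: a simple
series/parallel model of the kind used in combinatorial reliability
analysis. Every reliability value passed in below is a constructed input.
"""
from math import comb


def k_of_n(r: float, k: int, n: int) -> float:
    """Probability that at least k of n independent components, each with
    reliability r, are working (binomial tail)."""
    if not 0 <= k <= n:
        raise ValueError("need 0 <= k <= n")
    return sum(comb(n, i) * r ** i * (1.0 - r) ** (n - i) for i in range(k, n + 1))


def vmm_reliability(r_hyp: float, r_dom0: float, replicas: int = 1) -> float:
    """Xen VMM modelled as the hypervisor core in series with Dom0.

    With replicas > 1 this models Dom0 replication as a parallel block: the
    VMM keeps working while at least one Dom0 replica works. Assumption made
    for this example: replica failures are independent (fail-stop conversion
    and rejuvenation keep a faulty replica from dragging the others down)."""
    return r_hyp * k_of_n(r_dom0, 1, replicas)


def virtualized_node(r_hw: float, r_vmm: float, r_vm: float, n: int, k: int) -> float:
    """One physical server hosting n virtual servers, of which at least k must
    work. Hardware and VMM are single points of failure in series with the
    k-of-n block of virtual servers."""
    return r_hw * r_vmm * k_of_n(r_vm, k, n)


def physical_nodes(r_hw: float, r_os: float, n: int, k: int) -> float:
    """The same service on n separate physical servers (no VMM layer), of
    which at least k must work."""
    return k_of_n(r_hw * r_os, k, n)


def breakeven_vm_count(r_hw: float, r_hyp: float, r_dom0: float, r_vm: float,
                       replicas: int = 1, max_n: int = 64):
    """Smallest n for which consolidating n servers that must *all* work
    (k = n) onto one virtualized node is at least as reliable as running them
    on n physical servers. Assumes a guest OS is as reliable as a native one
    (r_os = r_vm). Returns None if no n <= max_n qualifies."""
    r_vmm = vmm_reliability(r_hyp, r_dom0, replicas)
    for n in range(1, max_n + 1):
        if virtualized_node(r_hw, r_vmm, r_vm, n, n) >= physical_nodes(r_hw, r_vm, n, n):
            return n
    return None


if __name__ == "__main__":
    # Constructed inputs: the unreplicated Dom0 is the least reliable component.
    R_HW, R_HYP, R_DOM0, R_VM = 0.99, 0.999, 0.97, 0.98
    for m in (1, 2, 3):
        r_vmm = vmm_reliability(R_HYP, R_DOM0, m)
        n_star = breakeven_vm_count(R_HW, R_HYP, R_DOM0, R_VM, m)
        print(f"Dom0 replicas={m}: VMM reliability={r_vmm:.5f}, "
              f"consolidation pays off from n={n_star} virtual servers (k=n)")
    # When any single server suffices (k=1), the physical fleet keeps gaining
    # from redundancy while the virtualized node is capped at R_HW * R_VMM.
    r_vmm = vmm_reliability(R_HYP, R_DOM0, 1)
    print("k=1, n=4: virtualized",
          f"{virtualized_node(R_HW, r_vmm, R_VM, 4, 1):.4f}",
          "vs physical", f"{physical_nodes(R_HW, R_VM, 4, 1):.4f}")
```

Two things fall out of the model that match the abstract's claims. First, whether consolidation helps depends on the number of virtual servers and on how they are needed: with all n required, the virtualized node wins only once n exceeds a threshold, and with any one sufficing it never wins, because the shared hardware and VMM cap its reliability. Second, that threshold drops sharply as the VMM gets more reliable, which is exactly what replicating Dom0 buys; the model says nothing about the cost of the replicas or about correlated faults, which a real analysis would have to add.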


Keywords: Virtual Machine; Intrusion Detection; System Call; Kernel Module; Physical Node





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Bernhard Jansen, IBM Zurich Research Laboratory, Rüschlikon, Switzerland
  • HariGovind V. Ramasamy, IBM T.J. Watson Research Center, Hawthorne, New York, USA
  • Matthias Schunter, IBM Zurich Research Laboratory, Rüschlikon, Switzerland
  • Axel Tanner, IBM Zurich Research Laboratory, Rüschlikon, Switzerland
