Improving Virtualization Security by Splitting Hypervisor into Smaller Components

  • Wuqiong Pan
  • Yulong Zhang
  • Meng Yu
  • Jiwu Jing
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7371)


In cloud computing, the security of the infrastructure is determined by the design of the hypervisor (or Virtual Machine Monitor, VMM). Unfortunately, in recent years, many attacks have been developed that compromise the hypervisor and thereby take over all virtual machines running above it. Because of the functions a hypervisor must provide, it is very hard to reduce its size, and including a large hypervisor in the Trusted Computing Base (TCB) is not acceptable for a secure system design. Several secure, small, and innovative hypervisor designs, e.g., TrustVisor and CloudVisor, have been proposed to solve this problem. However, these designs either offer reduced functionality or impose strong restrictions on the virtual machines. In this paper, we propose an innovative hypervisor design that splits the hypervisor’s functions into a sufficiently small component that stays in the TCB and other components that provide the full functionality. Our design can significantly reduce the TCB size without sacrificing functionality. Our experiments also show that the cost of our design is acceptable.


Keywords: VMM, Hypervisor, Cloud computing, TCB



Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Wuqiong Pan (1, 2)
  • Yulong Zhang (2)
  • Meng Yu (2)
  • Jiwu Jing (1)
  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Department of Computer Science, Virginia Commonwealth University, Richmond, USA
