Architectural support for hypervisor-secure virtualization

Jakub Szefer, Ruby B. Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

118 Scopus citations

Abstract

Virtualization has become a standard part of many computer systems. A key part of virtualization is the all-powerful hypervisor which manages the physical platform and can access all of its resources, including memory assigned to the guest virtual machines (VMs). Continuing releases of bug reports and exploits in the virtualization software show that defending the hypervisor against attacks is very difficult. In this work, we present hypervisor-secure virtualization - a new research direction with the goal of protecting the guest VMs from an untrusted hypervisor. We also present the HyperWall architecture which achieves hypervisor-secure virtualization, using hardware to provide the protections. HyperWall allows a hypervisor to freely manage the memory, processor cores and other resources of a platform. Yet once VMs are created, our new Confidentiality and Integrity Protection (CIP) tables protect the memory of the guest VMs from accesses by the hypervisor or by DMA, depending on the customer's specification. If a hypervisor does become compromised, e.g. by an attack from a malicious VM, it cannot be used in turn to attack other VMs. The protections are enabled through minimal modifications to the microprocessor and memory management units. Whereas much of the previous work concentrates on protecting the hypervisor from attacks by guest VMs, we tackle the problem of protecting the guest VMs from the hypervisor.

Original languageEnglish (US)
Title of host publicationASPLOS XVII - 17th International Conference on Architectural Support for Programming Languages and Operating Systems
Pages437-449
Number of pages13
DOIs
StatePublished - 2012
Event17th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2012 - London, United Kingdom
Duration: Mar 3 2012Mar 7 2012

Publication series

NameInternational Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS

Other

Other17th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2012
Country/TerritoryUnited Kingdom
CityLondon
Period3/3/123/7/12

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Hardware and Architecture

Keywords

  • attestation
  • cloud computing
  • computer architecture
  • confidentiality
  • hardware security
  • hypervisor
  • integrity
  • security
  • trust evidence
  • virtualization

Fingerprint

Dive into the research topics of 'Architectural support for hypervisor-secure virtualization'. Together they form a unique fingerprint.

Cite this