Securing virtual machine monitors

Paul A. Karger
2009 Proceedings of the 4th International Symposium on Information, Computer, and Communications Security - ASIACCS '09  
It is widely believed that the use of a virtual machine monitor (VMM) is at least as secure, if not more secure, than separate systems. A recent Information Week survey [6] reports that 55% of responding business technology professionals believe that a system running in a virtual machine is as safe as a physical server, and 20% believe it is safer than a physical server. Such views are certainly encouraged by recent papers, such as [2] and [10]. Madnick and Donovan [9] first proposed VMMs for security in 1973 by pointing out that "since virtual machine monitors tend to be shorter, simpler, and easier to debug than conventional multiprogramming operating systems, the VMM is less error-prone."

In reality, the security of a single system running in a virtual machine can never be as good as that of the same system running on its own dedicated physical hardware. The security of a system in a virtual machine depends on the correct operation of both the operating system and the hypervisor software, while on a dedicated physical computer it depends only on the correct operation of the operating system. Because there are more lines of code that must be correct, the VMM case always has more opportunity for exploitable flaws. What Madnick and Donovan were actually arguing was not that any one particular virtual machine is more secure, but rather that a small, secure virtual machine monitor can improve the security of controlled sharing between different virtual machines better than a conventional operating system can. The failure of any one virtual machine's operating system can then compromise only the data that is accessible to that virtual machine.

While many people view virtual machine monitors as something special and different, in reality they are just special-purpose operating systems. The major difference is that the API to a virtual machine monitor is the instruction set of the virtual machine, while the API to an operating system is a set of system calls to manipulate processes and file systems, perform I/O, etc. To the extent that a particular VMM uses
doi:10.1145/1533057.1533059 dblp:conf/ccs/Karger09