Improving Xen security through disaggregation

Derek Gordon Murray, Grzegorz Milos, Steven Hand
2008 Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments - VEE '08  
Virtual machine monitors (VMMs) have been hailed as the basis for an increasing number of reliable or trusted computing systems. The Xen VMM is a relatively small piece of software -a hypervisor -that runs at a lower level than a conventional operating system in order to provide isolation between virtual machines: its size is offered as an argument for its trustworthiness. However, the management of a Xen-based system requires a privileged, fullblown operating system to be included in the
more » ... d computing base (TCB). In this paper, we introduce our work to disaggregate the management virtual machine in a Xen-based system. We begin by analysing the Xen architecture and explaining why the status quo results in a large TCB. We then describe our implementation, which moves the domain builder, the most important privileged component, into a minimal trusted compartment. We illustrate how this approach may be used to implement "trusted virtualisation" and improve the security of virtual TPM implementations. Finally, we evaluate our approach in terms of the reduction in TCB size, and by performing a security analysis of the disaggregated system.
doi:10.1145/1346256.1346278 dblp:conf/vee/MurrayMH08 fatcat:sm4whtlkmnb3nlfsbiu32owgoy