Remote Service of System Calls in Microkernel Hypervisor
��������� ������������ ��������� ������� � ������������ �����������

K. Mallachiev, N. Pakulin
2015 Proceedings of the Institute for System Programming of RAS  
This paper presents further development of Sevigator hypervisor-based security system. Original design of Sevigator confines users' applications in a separate virtual machine that has no network interfaces. For trusted applications Sevigator intercepts networkrelated system calls and routes them to the dedicated virtual machine that services those calls. This design allows Sevigator protect networking from malicious applications including highlevel intruders residing in the kernel. Modern
more » ... ernel-based hypervisors opened the door to redesign of Sevigator. Those hypervisors are small operating systems by nature, where management of virtual machines as well as most of hardware operations are isolated in processes with low priority level. Compromising such a process does not result in compromising the whole hypervisor. In this paper we present an experimental design of Sevigator based on NOVA hypervisor where system calls of trusted applications are serviced by a dedicated process in the hypervisor rather than a separate VM. The experiment shows about 25% performance gain due to reduced number of context switches.
doi:10.15514/ispras-2015-27(3)-18 fatcat:tyeuu57ofjdytigzioe6v24vb4