Secure Hypervisor     


Secure Hypervisor - overview


The Secure Hypervisor (sHype) is a hypervisor security architecture developed by IBM Research, in various stages of implementation in several hypervisors. sHype is designed and developed in close collaboration with the IBM Systems and Technology Group. Our main goal is to provide a secure foundation for server platforms, providing functions such as:

  1. Strong isolation, mediated sharing and communication between Virtual Machines.
    These properties are all strictly controlled by a flexible access control enforcement engine. This engine can enforce mandatory policies such as Multi-level Security (MLS), Role-based Access Control (RBAC), and Type Enforcement (TE).
  2. Attestation and integrity guarantees for the hypervisor and its virtual machines.
    We are extending the Trusted Computing Group (TCG) specification to include hypervisor-based server platforms. Our goal here is secure boot or authenticated boot code guarantees for the hypervisor platform, Virtual Machines, and optionally the guest operating systems and applications running on Virtual Machines. To support a large number of Virtual Machines, we have developed a virtual TPM architecture which we have applied to the Xen open-source hypervisor.
  3. Resource control and accurate accounting guarantees.
    All resources are strictly accounted for and may be constrained. Simple resources include memory and CPU cycles. More elaborate resource management is needed to control network bandwidth, e.g., to limit the network bandwidth to a Virtual Machine.
  4. Secure Services.
    sHype provides the base infrastructure for disaggregation of services, such as security policy management or distributed auditing, into smaller and more manageable protected execution environments, thereby enabling their system-wide utilization and potentially enhancing the assurance of these services.

Our work on the secure hypervisor focuses on securing IBM server platforms and we are taking advantage of IBM's high-performance virtualization support because performance is key to the acceptance of sHype.

In the open source community, we have developed a small security extension to Xen (Xen User Guide Chapter), an open-source hypervisor. It allows administrators to define simple policies (currently: Chinese Wall and Type Enforcement) that govern the control and sharing capabilities of Virtual Machines that run simultaneously on a single Xen system. We have also explored implementing these security architecture features in the open-source Research hypervisor rHype, with Linux running inside the Virtual Machines.

Related Publications

  • Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramón Cáceres, Ronald Perez, Stefan Berger, John Griffin, Leendert van Doorn: Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. 21st Annual Computer Security Applications Conference (ACSAC), December 5-9, Tucson, Arizona, 2005. (Paper, Slides).
  • Stefan Berger, Ramón Cáceres, Kenneth Goldman, Ronald Perez, Reiner Sailer, Leendert van Doorn: vTPM: Virtualizing the Trusted Platform Module. 15th USENIX Security Symposium, July 2006, Vancouver, Canada (Paper, Draft version as IBM Research Report RC23879).
  • Trent Jaeger, Patrick McDaniel, Luke St. Clair, Ramón Cáceres, Reiner Sailer: Shame on Trust in Distributed Systems. HotSec'06. 1st Usenix Workshop on Hot Topics in Security. July 2006, Vancouver, Canada (Paper, Draft version as IBM Research Report RC23964).
  • Jonathan M McCune, Stefan Berger, Ramón Cáceres, Trent Jaeger, Reiner Sailer: Shamon -- A System for Distributed Mandatory Access Control. 22nd Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida, December 2006 (Paper).
  • Xen User Guide Chapter for the Xen sHype/Access Control Module (Chapter 10).