A Two-Step Execution Mechanism for Thin Secure Hypervisors

2009 Third International Conference on Emerging Security Information, Systems and Technologies Pub Date : 2009-06-18 DOI:10.1109/SECURWARE.2009.27

Manabu Hirano, Takahiro Shinagawa, H. Eiraku, Shoichi Hasegawa, Kazumasa Omote, Kouichi Tanimoto, Takashi Horie, Seiji Mune, Kazuhiko Kato, T. Okuda, Eiji Kawai, S. Yamaguchi

{"title":"A Two-Step Execution Mechanism for Thin Secure Hypervisors","authors":"Manabu Hirano, Takahiro Shinagawa, H. Eiraku, Shoichi Hasegawa, Kazumasa Omote, Kouichi Tanimoto, Takashi Horie, Seiji Mune, Kazuhiko Kato, T. Okuda, Eiji Kawai, S. Yamaguchi","doi":"10.1109/SECURWARE.2009.27","DOIUrl":null,"url":null,"abstract":"Virtual Machine Monitors (VMMs), also called hypervisors, can be used to construct a trusted computing base (TCB) enhancing the security of existing operating systems. The complexity of a VMM-based TCB causes the high risk of security vulnerabilities. Therefore, this paper proposes a two-step execution mechanism to reduce the complexity of a VMM-based TCB. We propose a method to separate a conventional VMM-based TCB into the following two parts: (1) A thin hypervisor with security services and (2) A special guest OS for security preprocessing. A special guest OS performing security tasks can be executed in advance. After shutting down the special guest OS, a hypervisor obtains preprocessing security data and next boots a target guest OS to be protected. Thus, the proposed two-step execution mechanism can reduce run-time codes of a hypervisor. This paper shows a design, a prototype implementation and measurement results of lines of code using BitVisor, a VMM-based TCB we have developed.","PeriodicalId":382947,"journal":{"name":"2009 Third International Conference on Emerging Security Information, Systems and Technologies","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-06-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 Third International Conference on Emerging Security Information, Systems and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SECURWARE.2009.27","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

Virtual Machine Monitors (VMMs), also called hypervisors, can be used to construct a trusted computing base (TCB) enhancing the security of existing operating systems. The complexity of a VMM-based TCB causes the high risk of security vulnerabilities. Therefore, this paper proposes a two-step execution mechanism to reduce the complexity of a VMM-based TCB. We propose a method to separate a conventional VMM-based TCB into the following two parts: (1) A thin hypervisor with security services and (2) A special guest OS for security preprocessing. A special guest OS performing security tasks can be executed in advance. After shutting down the special guest OS, a hypervisor obtains preprocessing security data and next boots a target guest OS to be protected. Thus, the proposed two-step execution mechanism can reduce run-time codes of a hypervisor. This paper shows a design, a prototype implementation and measurement results of lines of code using BitVisor, a VMM-based TCB we have developed.

查看原文本刊更多论文

瘦安全管理程序的两步执行机制

虚拟机监视器(vmm)，也称为管理程序，可用于构建可信计算基础(TCB)，以增强现有操作系统的安全性。基于虚拟机的TCB的复杂性导致存在较高的安全漏洞风险。因此，本文提出了一种两步执行机制来降低基于虚拟机的TCB的复杂性。我们提出了一种方法，将传统的基于vm的TCB分为以下两部分:(1)具有安全服务的瘦管理程序和(2)用于安全预处理的特殊客户机操作系统。可以提前执行执行安全任务的特殊来宾操作系统。关闭特殊来宾操作系统后，虚拟化环境获取预处理安全数据，然后启动需要保护的目标来宾操作系统。因此，建议的两步执行机制可以减少管理程序的运行时代码。本文展示了利用我们开发的基于虚拟机的TCB BitVisor的设计、原型实现和代码行测试结果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2009 Third International Conference on Emerging Security Information, Systems and Technologies

自引率

0.00%

发文量