Improving Xen Security through Disaggregation

Derek Murray Grzegorz Milos

Steven Hand

Outline

• The myth of the secure hypervisor• Trusted computing bases• Disaggregating Xen• Results• Future work

Xen

• Small hypervisor– 100k lines of code

• Provides isolation between VMs

• “Trusting the virtual machine monitor is akin to trusting a real processor”

OS

XenHardware

VM

Domain Zero

• Full Linux distribution

• User-space tools for VM management

• Privileged hypervisor interface– Map foreign memory– Set foreign VCPU

• Therefore must be trusted

VMDom0

XenHardware

Threat Model

• Malicious software running as Dom0 root– Root exploit on Dom0– Untrusted administrator

• Want to protect security of other VMs– Confidentiality– Integrity

• Solution: disaggregation

Trusted Computing Base

• “The set of components on which a subsystem depends”

• “The totality of protection mechanisms... responsible for enforcing a computer security policy”

• Anything that can directly invoke a privileged operation– And hence undermine security

Call Graph

PD z

PD y

PD x

Current Xen Control Stack

Build VM

Make hypercall

Map memory Set VCPU

Dom0 User

Dom0 Kernel

Hypervisor

Minimise the TCB?

Build VM

Make hypercall

Map memory Set VCPU

Dom0 User

Dom0 Kernel

Hypervisor

Smaller is not always better

Build VM

Make hypercall

Map memory Set VCPU

Dom0 User

DomB

Hypervisor

Implementation

Xen

Dom0DomB

DomU

…

Xend

Results

• Smaller, static TCB– No longer contains Dom0 userspace– Now only VMM, DomB and Dom0

kernel– With an I/O MMU, only VMM and

DomB

• Other VMs protected from Dom0 root

Future Work

• Virtual TPM support• Automated techniques for

disaggregation• Metrics for trustworthiness

Conclusions

• Virtualised TCB can be surprising• Smaller TCB is not always better• Choosing appropriate interfaces is

crucial

Questions