WIXLIB

hardware. The lowermost box shows the size of the mostprivileged component that must be fully trusted.500000QemuVMMLines of Source v.L4HypervisorHypervisorKVM KVM-L4 ESXi Hyper-VFigure 1: Comparison of the TCB size of virtual environments.NOVA consists of the microhypervisor (9 KLOC), a thin userlevel environment (7 KLOC), and the VMM (20 KLOC). For Xen,KVM, and KVM-L4 we assume that all unnecessary functionalityhas been removed from the Linux kernel, so that it is devoidof unused device drivers, file systems, and network support. Weestimate that such a kernel can be shrunk to 200 KLOC. KVM addsapproximately 20 KLOC to Linux. By removing support for nonx86 architectures, QEMU can be reduced to 140 KLOC.The Xen [2] hypervisor has a size of approximately 100thousand lines of source code (KLOC) and executes inthe most privileged processor mode. Xen uses a privileged“domain zero”, which hosts Linux as a service OS. Dom0implements management functions and host device driverswith direct access to the platform hardware. QEMU [4]runs as a user application on top of Linux and providesvirtual devices and an instruction emulator. Although Dom0runs in a separate virtual machine, it contributes to thetrusted computing base of all guest VMs that depend on itsfunctionality. In our architecture privileged domains do notexist. KVM [17] adds support for hardware virtualization toLinux and turns the Linux kernel with its device drivers intoa hypervisor. KVM also relies on QEMU for implementingvirtual devices and instruction emulation. Unlike Xen, KVMcan run QEMU and management applications directly ontop of the Linux hypervisor in user mode, which obviatesthe need for a special domain. Because it is integratedwith the kernel and its drivers, Linux is part of the trustedcomputing base of KVM and increases the attack surfaceaccordingly. KVM-L4 [29] is a port of KVM to L4Linux,which runs as a paravirtualized Linux kernel on top of an L4microkernel. When used as a virtual environment, the trustedcomputing base of KVM-L4 is even larger than that ofKVM. However, KVM-L4 was designed to provide a smallTCB for L4 applications running side-by-side with virtualmachines while reusing a legacy VMM for virtualization. InNOVA, the trusted computing base is extremely small bothfor virtual machines and for applications that run directly ontop of the microhypervisor.Commercial virtualization solutions have also aimed fora reduction in TCB size, but are still an order of magnitudelarger than our system. VMware ESXi [39] is based ona 200 KLOC hypervisor [38] that supports managementprocesses running in user mode. In contrast to our approach,ESXi implements device drivers and VMM functionalityinside the hypervisor. Microsoft Hyper-V [26] uses a Xenlike architecture with a hypervisor of at least 100 KLOC [22]and a privileged parent domain that runs Windows Server2008. It implements instruction and device emulation andprovides drivers for even the most exotic host devices, at thecost of inflating the TCB size. For ESXi and Hyper-V, wecannot conduct a more detailed analysis because the sourcecode is not publicly available.A different idea for shrinking the trusted computing baseis splitting applications [35] to separate security-criticalparts from the rest of the program at the source-code level.The critical code is executed in a secure domain while theremaining code runs in an untrusted legacy OS. ProxOS [36]partitions application interfaces by routing security-relevantsystem calls to trusted VMs.Virtual machines can provide additional security to anoperating system or its applications. SecVisor [31] uses asmall hypervisor to defend against kernel code injection.Bitvisor [34] is a hypervisor that intercepts device I/O toimplement OS-transparent data encryption and intrusiondetection. Overshadow [7] protects the confidentiality andintegrity of guest applications in the presence of a compromised guest kernel by presenting the kernel with anencrypted view on application data. In contrast to thesesystems, the goal of our work is not to retrofit guest operating systems with additional protection mechanisms, but toimprove the security of the virtualization layer itself.Virtualization can also be used to replay [10], debug [16],and live-migrate [9] operating systems. These concepts areorthogonal to our architecture and can be implemented ontop of the NOVA microhypervisor in the user-level VMM.However, they are outside the scope of this paper.4. NOVA OS Virtualization ArchitectureIn this section, we present the design of our architecture,which adheres to the following two construction principles:1. Fine-grained functional decomposition of the virtualization layer into a microhypervisor, root partition manager,multiple virtual-machine monitors, device drivers, andother system services.2. Enforcement of the principle of least privilege among allof these components.We show that the systematic application of these principlesresults in a minimized trusted computing base for user applications and VMs running on top of the microhypervisor.

We do not use paravirtualization in our system, becausewe neither want to depend on the availability of source codefor the guest operating systems nor make the extra effort ofporting operating systems to a paravirtualization interface.Depending on the OS, the porting effort might be necessaryfor each new release. That said, the NOVA design does notinherently prevent the application of paravirtualization techniques. If desired, explicit hypercalls from an enlightenedguest OS to the VMM are possible. We also chose not to usebinary translation, because it is a rather complex technique.Instead our architecture relies on hardware support for fullvirtualization, such as Intel VT or AMD-V, both of whichhave been available in processors for several years now.Figure 2 depicts the key components of our stVMMApplicationsVMMVMMVMMRoot Partition ManagerDriversuserkernelMicrohypervisorFigure 2: NOVA consists of the microhypervisor and a userlevel environment that contains the root partition manager, virtualmachine monitors, device drivers, and special-purpose applicationsthat have been written for or ported to the hypercall interface.The hypervisor is the only component that runs in themost privileged processor mode (host mode, ring 0). According to our first design principle, the hypervisor shouldbe as small as possible, because it belongs to the trustedcomputing base of every other component in the system.Therefore, we implemented policies and all functionalitythat is neither security- nor performance-critical outsidethe hypervisor. The resulting microhypervisor comprisesapproximately 9000 lines of source code and provides onlysimple mechanisms for communication, resource delegation, interrupt control, and exception handling. Section 5describes these mechanisms in detail. The microhypervisordrives the interrupt controllers of the platform and a scheduling timer. It also controls the memory-management unit(MMU) and the IOMMU — if the platform provides one.User applications run in host mode, ring 3, virtual machinesin guest mode. A virtual machine can host a legacy operatingsystem with its applications or a virtual appliance. A virtualappliance is a prepackaged software image that consists of asmall kernel and few special-purpose applications. Securevirtual appliances, such as a microkernel with an onlinebanking application, benefit from a small trusted computingbase for virtual machines. Each user application or virtualmachine has its own address space. Applications such asthe VMM manage these address spaces using the hypercallinterface. The VMM exposes an interface to its guest operating system that resembles real hardware. Because of theneed to emulate virtual devices and sensitive instructions,this interface is as wide and complex as the x86 architecture,with its legacy devices and many obscure corner cases.Apart from the VMM, the user environment on top ofthe microhypervisor contains applications that provide additional OS functionality such as device drivers, file systems,and network stacks to the rest of system. We have writtenNOVA-specific drivers for most legacy devices (keyboard,interrupt controllers, timers, serial port, VGA) and standardized driver interfaces (PCI, AHCI). For vendor-specifichardware devices, we hope to benefit from external work thatgenerates driver code [8, 30] or wraps existing drivers witha software adaptation layer. On platforms with an IOMMU,NOVA facilitates secure reuse of existing device drivers bydirectly assigning hardware devices to driver VMs [23].4.1Attacker ModelBefore we outline possible attacks on a virtual environmentand illustrate how our architecture mitigates the impact ofthese attacks, we describe the attacker model. We assumethat an attacker cannot tamper with the hardware, and thatfirmware such as CPU microcode, platform BIOS, andcode running in system management mode is trustworthy.Furthermore, we assume that an attacker is unable to violate the integrity of the booting process. This means, thatcode and data of the virtualization layer cannot be alteredduring booting, or that trusted-computing techniques suchas authenticated booting and remote attestation can be usedto detect all modifications [12]. However, an attacker canlocally or remotely modify the software that runs on top ofthe microhypervisor. He can run malicious guest operatingsystems in virtual machines, install hostile device driversthat perform DMA to arbitrary memory locations, or use aflawed user-level VMM implementation.4.2Attacks on Virtual EnvironmentsFor attacks that originate from inside a virtual machine,we make no distinction between a malicious guest kerneland user applications that may first have to compromisetheir kernel through an exploit. In both cases, the goal ofthe attacker is to escape the virtual machine and to takeover the host. The complexity of the interface between avirtual machine and the host defines the attack surface thatcan be leveraged by a malicious guest operating system toattack the virtualization layer. Because we implemented thevirtualization functionality outside the microhypervisor inthe VMM, our architecture splits the interface in two parts:1) The microhypervisor provides a simple message-passinginterface that transfers guest state from the virtual machineto the VMM and back. 2) The VMM emulates the complexx86 interface and uses the message-passing interface tocontrol execution of its associated virtual machine.

Guest AttacksBy exploiting a bug in the x86 interface, a VM can take control of or crash its associated virtual-machine monitor. Weachieve an additional level of isolation by using a dedicatedVMM for each virtual machine. Because a compromisedvirtual-machine monitor only impairs its associated VM, theintegrity, confidentiality, and availability of the hypervisorand other VMs remains unaffected. A vulnerability in thex86 interface will be common across all instances of aparticular VMM. However, each guest operating system thatexploits the bug can only compromise its own VMM andvirtual machines that do not trigger the bug or use a differentVMM implementation will remain unaffected. In the eventof a compromised virtual-machine monitor, the hypervisorcontinues to preserve the isolation between virtual machines.To attack the hypervisor, a virtual machine would have toexploit a flaw in the message-passing interface that transfersstate to the VMM and back. Given the low complexity of thatinterface and the fact that VMs cannot perform hypercalls, asuccessful attack is unlikely. In other architectures where allor parts of the virtualization functionality are implementedin the hypervisor, a successful attack on the x86 interfacewould compromise the whole virtual environment. In ourarchitecture the impact is limited to the affected virtualmachine monitor. A virtual machine cannot attack any otherpart of the system directly, because it can only communicatewith its associated virtual-machine monitor.VMM AttacksIf a virtual machine has taken over its VMM, the attacksurface increases, because the VMM can use the hypercallinterface and exploit any flaw in it. However, from theperspective of the hypervisor, the VMM is an ordinaryuntrusted user application with no special privileges.Virtual-machine monitors cannot attack each other directly, because each instance runs in its own address spaceand direct communication channels between VMMs do notexist. Instead an attacker would need to attack the hypervisoror another service that is shared by multiple VMMs, e.g., adevice driver. Device drivers use a dedicated communicationchannel for each VMM. When a malicious VMM performsa denial-of-service attack by submitting too many requests,the driver can throttle the communication or shut the channelto the virtual-machine monitor down.Device-Driver AttacksThe primary security concern with regard to device driversis their use of DMA. If the platform does not includean IOMMU, then any driver that performs DMA must betrusted, because it has access to the entire memory of thesystem. On newer platforms that provide an IOMMU, thehypervisor restricts the usage of DMA for drivers to regionsof memory that have been explicitly delegated to the driver.Each device driver that handles requests from multiple VMsis responsible for separating their concerns. A compromisedor malicious driver can only affect the availability of itsdevice and the integrity and confidentiality of all memoryregions delegated to it. Therefore, if a VMM delegatesthe entire guest-physical memory of its virtual machine toa driver, then the driver can manipulate the entire guest.However, if the VMM delegates only the guest’s DMAbuffers, then the driver can only corrupt the data or transferit to the buffers of another guest. Using the IOMMU, thehypervisor blocks DMA transfers to its own memory regionand restricts the interrupt vectors available to drivers. Inother architectures where drivers are part of the hypervisor,an insecure device driver can undermine the security of theentire system.Remote AttacksRemote attackers can access the virtual environment througha device such as a network card. By sending malformedpackets, both local and remote attackers can potentiallycompromise or crash a device driver and then proceed witha device-driver attack. In our architecture the impact of theexploit is limited to the driver, whereas in architectures within-kernel drivers the whole system is at risk. Because wetreat the inside of a virtual machine as a black box, wemake no attempt to prevent remote exploits that target aguest operating system inside a VM. If such protection isdesired, then a VMM can take action to harden the kernelinside its VM, e.g., by making regions of guest-physicalmemory corresponding to kernel code read-only. However,such implementations are beyond the scope of this paper.5. MicrohypervisorThe microhypervisor implements a capability-based hypercall interface organized around five different types of kernelobjects: protection domains, execution contexts, schedulingcontexts, portals, and semaphores.For each newly created kernel object, the hypervisorinstalls a capability that refers to that object in the capabilityspace of the creator protection domain. Capabilities areopaque and immutable to the user; they cannot be inspected,modified, or addressed directly. Instead, applications accessa capability via a capability selector. The capability selectoris an integral number (similar to a Unix file descriptor) thatserves as an index into the domain’s capability space. Theuse of capabilities leads to fine-grained access control andsupports our design principle of least privilege among allcomponents. Initially, the creator protection domain holdsthe only capability to the object. Depending on its ownpolicy, it can then delegate copies of the capability with thesame or reduced permissions to other domains that requireaccess to the object. Because the hypercall interface uses capabilities for all operations, each protection domain can onlyaccess kernel objects for which it holds the correspondingcapabilities. In the following paragraphs we briefly describeeach kernel object. The remainder of this section details themechanisms provided by the microhypervisor.

Protection Domain: The kernel object that implementsspatial isolation is the protection domain. A protectiondomain acts as resource container and abstracts from thedifferences between a user application and a virtual machine.Each protection domain consists of three spaces: The memory space manages the page table, the I/O space managesthe I/O permission bitmap, and the capability space controlsaccess to kernel objects.Execution Context: Activities in a protection domain arecalled execution contexts. Execution contexts abstract fromthe differences between threads and virtual CPUs. They canexecute program code, manipulate data, and use portals tosend messages to other execution contexts. Each executioncontext has its own CPU/FPU register state.Scheduling Context: In addition to the spatial isolationimplemented by protection domains, the hypervisor enforcestemporal separation. Scheduling contexts couple a timequantum with a priority and ensure that no execution contextcan monopolize the CPU. The priority of a schedulingcontext reflects its importance. The time quantum facilitatesround-robin scheduling among scheduling contexts withequal importance.Portal: Communication between protection domains isgoverned by portals. Each portal represents a dedicated entrypoint into the protection domain in which the portal wascreated. The creator can subsequently grant other protectiondomains access to the portal in order to establish a crossdomain communication channel.Semaphore: Semaphores facilitate synchronization between execution context on the same or on differentprocessors. The hypervisor uses semaphores to signal theoccurrence of hardware interrupts to user applications.5.1SchedulingThe microhypervisor implements a preemptive prioritydriven round-robin scheduler with one runqueue per CPU.The scheduling contexts influence how the microhypervisormakes dispatch decisions. When invoked, the schedulerselects the highest-priority scheduling context from therunqueue and dispatches the execution context attached toit. The scheduler is oblivious as to whether an executioncontext is a thread or a virtual CPU. Once dispatched, theexecution context can run until the time quantum of itsscheduling context is depleted or until it is preempted bythe release of a higher-priority scheduling context.5.2CommunicationWe now describe the simple hypervisor message-passinginterface that the components of our system use to communicate with each other. Depending on the purpose ofthe communication, the message payload differs. Figure 3illustrates the communication between a virtual machine andits user-level virtual-machine monitor as an example. Duringthe creation of a virtual machine, the VMM installs for eachtype of VM exit a capability to one of its portals in thecapability space of the new VM. In case of a multiprocessorVM, every virtual CPU has its own set of VM-exit portalsand a dedicated handler execution context in the )Figure 3: Communication between a virtual CPU (vCPU) in a VMand the corresponding handler execution context (EC) in the VMM.a) Upon a VM exit, the hypervisor delivers a message on behalfof the virtual CPU through an event-specific portal PX that leadsto th

The availability of virtualization features in modern CPUs has reinforced the trend of consolidating multiple guest operating systems on top of a hypervisor in order to im-prove platform-resource utilization and reduce the total cost of ownership. However, today's virtualization stacks are unduly large and therefore prone to attacks. If an adver-sary manages to compromise the hypervisor .