WEN Yan,LIU Bo,WANG Huai-min

DOI: https://doi.org/10.3969/j.issn.1007-130x.2008.04.001

2008-01-01

Abstract:Isolation is a mechanism that has been applied to allow untrusted code to run while isolating their effects from the rest of the system.But the current isolation technologies cannot achieve both the strong isolation(i.e.,operating system isolation) and the functionality of isolated applications(accomplished via reproducing the computing environment and committing changes within the isolated environment).In this paper,we propose a safe virtual execution environment(SVEE) based on the local virtualization technology and implement it on Windows.Via systematic virtualization,SVEE fulfills strong isolation,thus completely isolates the effects of untrusted code execution within SVEE from the underlying host operating system.The key feature of SVEE is that it provides the capability to reproduce the computing environment of the host operating system,therefore it can reproduce the behavior of applications,as if it were running natively within the host operating system.This is accomplished via the local virtualization technology.Moreover,SVEE provides a convenient way to compare the changes within SVEE and the host operating system.Using these comparison results for reference,SVEE will select a proper method to commit these changes.

Yan Wen,Jinjing Zhao,Huaimin Wang

DOI: https://doi.org/10.1007/978-3-540-77048-0_31

2007-01-01

Abstract:In this paper, we present a new approach called Secure Virtual Execution Environment (SVEE) which enables users to "try out" untrusted software without the fear of damaging the system in any manner. A key feature of SVEE is-that it implements the OS isolation by executing untrusted code in a hosted virtual machine. Another key feature is that SVEE faithfully reproduces the behavior of applications, as if they were running natively on the underlying host OS. SVEE also provides a convenient way to compare the changes within SVEE and host OS. Referring to these comparison results, users can make a decision to commit these changes or not. With these powerful characteristics, SVEE supports a wide range of tasks, including the study of malicious code, controlled execution of untrusted software and so on. This paper focuses on the execution model of SVEE and the security evaluation for this model.

LI Xiao-Qing,ZHAO Xiao-Dong,ZENG Qing-Kai

DOI: https://doi.org/10.3724/sp.j.1001.2012.04131

2012-01-01

Journal of Software

Abstract:A one-way isolation execution model based on hardware virtualization is proposed.In this model, the security application based on self-requirements can be divided into two parts: host process and security sensitive module (SSM).Isolated execution manager named SSMVisor, as the core component of isolation execution model, provides a one-way isolation execution environment for SSMs, not only to ensure security, but also to allow SSMs to call outside functions.As security application's trusted computing base (TCB) only includes SSMs and SSMVisor, without operating system and the security unrelated module of the applications, the size of security application's TCB is reduced effectively.A prototype system is not only compatible with the original operating system, but also light-weight.Experimental results show that the performance overhead of prototype system is very low, about 6.5%.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

陈文智,姚远,杨建华,何钦铭

DOI: https://doi.org/10.3724/sp.j.1016.2009.01311

2009-01-01

Chinese Journal of Computers

Abstract:With the rapidly development of personal computer hardware,to construct multiple isolated computing domains through virtualization technology has already become a future direction of PC. To avoid the difficulties caused by implementing VMM on traditional IA-32 architecture through software virtualization technology,the authors designed and implemented a VMM based on Intel VT-x technology — Pcanel/V2. Pcanel/V2 utilizes the latest hardware virtualization technology to configure a controllable virtual execution environment and run multiple operating systems directly without any modification of source code. While the accesses to hardware resources by the guest operating system are monitored,various sensitive situations which occur in the guest operating system can also be handled correspondingly by Pcanel/V2. Concurrent execution of Linux and VxWorks on Pcanel/V2 has been realized and corresponding evaluation results show that Pcanel/V2 architecture simplifies the complexity of the design process while increasing the overall performance by approximately 10% compared to software virtual technology.

Hailei Sun,Tianyu Wo

DOI: https://doi.org/10.1109/ccis.2011.6045094

2011-01-01

Abstract:Application virtualization has been a trend for the architecture of Software as a Service (SaaS), which isolates applications from OS and from other applications. This paper provides a solution of virtual execution environment for windows applications, which intercepts a select subset of system calls at the user-level, incorporates the resources requested by the applications which are stored in different places through copy-on-write scheme and renaming mechanisms and implements three modules, including virtual registry, file visit virtualization and system objects virtualization in order to isolate applications from OS and from other application partially. Using the environment, the applications could be run in the host system without installation and without any changes. Experimental results demonstrate that the overhead of our solution is limited and acceptable.

Yue-hua Dai,Xiaoguang Wang,Yi Shi,Jianbao Ren,Yong Qi

DOI: https://doi.org/10.1109/iccchina.2012.6356995

2012-01-01

Abstract:The use of virtualization in cloud computing is becoming more and more popular. Cloud service providers leverage virtualization technology to multiplex hardware resource, consolidate servers, and provide a rounded executing environment to remote cloud users. However, the current executing environment the cloud provides is not trustable. For a user's computing environment faces threats from other malicious cloud users who aim at attacking the whole underlying virtualization software (virtual machine monitor, VMM, or hypervisor). In this paper, we make an analysis of the potential threat to a commodity hyper-visor, and propose architecture for safe executing environment on hardware-sharing platform. The main ideas of our architecture are: removal of interaction between hypervisor and executing environment; attestation of the initial environment state to remote user. To prove the effectiveness of our architecture, we build a prototype system which can create multiple secure isolated executing environment on current multi-core x86 hardware. The final evaluation shows that with current commodity virtualization techniques, we can provide a safe executing environment for remote cloud users with no performance overhead.

Zihan Yang,Zeyu Mi,Yubin Xia

DOI: https://doi.org/10.1109/sose.2019.00044

2019-01-01

Abstract:The prevalence of Cloud Computing has appealed many users to put their business into low-cost and flexible cloud servers instead of bare-metal machines. Most virtual machines in the cloud run commodity operating system(e.g., linux), and the complexity of such operating systems makes them more bug-prone and easier to be compromised. To mitigate the security threats, previous works attempt to mediate and filter system calls, transform all unpopular paths into popular paths, or implement a nested kernel along with the untrusted outter kernel to enforce certain security policies. However, such solutions only enforce read-only protection or assume that popular paths in the kernel to contain almost no bug, which is not always the case in the real world. To overcome their shortcomings and combine their advantages as much as possible, we propose a hardware-assisted isolation mechanism that isolates untrusted part of the kernel. To achieve isolation, we prepare multiple restricted Extended Page Table (EPT) during boot time, each of which has certain critical data unmapped from it so that the code executing in the isolated environment could not access sensitive data. We leverage the VMFUNC instruction already available in recent Intel processors to directly switch to another pre-defined EPT inside guest virtual machine without trapping into the underlying hypervisor, which is faster than the traditional trap-and-emulate procedure. The semantic gap is minimized and real-time check is achieved by allowing EPT violations to be converted to Virtualization Exception (VE), which could be handled inside guest kernel in non-root mode. Our preliminary evaluation shows that with hardware virtualization feature, we are able to run the untrusted code in an isolated environment with negligible overhead.

Yan Wen,Huaimin Wang

2007-01-01

Abstract:This paper proposes a Secure Virtual Execution Environment called Pollux for untrusted code. Pollux achieves both the OS isolation and the functionality benefits provided by the isolated untrusted applications. It accomplishes the OS isolation by introducing a hosted virtual machine as the untrusted code container. The key feature of Pollux is its capability of reproducing the host execution environment, thus the behavior of isolated applications recurs as if they were running natively within the host OS. This characteristic is accomplished by the novel local-booted technology, which means the virtual machine boots not from a newly installed OS image but just from the preinstalled host OS. Thus, Pollux provides security against potential malicious code without negating the functionality benefits of benign programs. This paper focuses on the architecture of Pollux and outlines the implementation framework.

Kejiang Ye,Xiaohong Jiang,Deshi Ye,Dawei Huang

DOI: https://doi.org/10.1109/hpcc.2010.95

2010-01-01

Abstract:Virtualization brings many benefits such as improving system utilization and reducing cost through server consolidation. However, it also introduces isolation problem when running multiple virtual machine workloads in one physical platform. Additionally, with the advent of multi-core technology, more and more cores are built into one die in today's data center that will share and compete for the resource like cache. It's worthy to study the isolation of server consolidation in modern multi-core platform. However, to our knowledge there are few work done on the isolation property especially the fault isolation property when one of the virtual machine workloads is attacked in server consolidation. In this paper, we study the isolation property from performance perspective and provide two optimization methods to improve the isolation property. We first define the isolation property and quantify the performance isolation in consolidation and propose a VM-level optimization method. Then we study the fault isolation by introducing a misbehavior virtual machine in server consolidation scenario and propose a core-level cache-aware optimization method to improve the fault isolation. Experimental results show that our two optimization methods can effectively improve the performance isolation and fault isolation with 29.39% and 19.52% respectively. What's more, Oprofile/Xenoprof toolkits are used to find out the factors affecting isolation property from the hardware events level.

Wenzhi Chen,Zhipeng Zhang,Jianhua Yang,Qinming He

DOI: https://doi.org/10.1007/s11859-010-0301-y

2010-01-01

Wuhan University Journal of Natural Sciences

Abstract:This paper presents vCerberus, a novel hypervisor to provide trusted and isolated code execution within virtual domains. vCerberus is considerably tiny, while allowing secure sensitive codes to be executed in an isolated circumstance from the virtual domain, and can be attested by a remote party in an efficient way. These properties will be guaranteed even if the guest operating system is malicious. This protects the secure sensitive codes against the malicious codes in the Guest OS, e.g., the kernel rootkits. We present an approach to dynamically measure and isolate the launch environment on the virtual machines based on the para-virtualization technology and a novel virtualization of trusted platform module (TPM). Our performance experiment result shows that the overhead introduced by vCerberus is minimized; the performance of the launch environment in vCerberus is as competitive as the guest OS running on mainstream hypervisors.

Wen-Zhi Chen,Zhi-Peng Zhang,Jian-Hua Yang,Qin-Ming He

DOI: https://doi.org/10.1109/ISME.2010.172

2010-01-01

Abstract:Cerberus is a tiny x86 virtual machine monitor. It allows security sensitive codes to be executed in an isolated circumstance. The codes could attest their integrity to a remote party by a two-step attestation provided by Cerberus. Cerberus does not require the security sensitive applications to be modified or recompiled to run on it. These applications are packaged with the operating systems as virtual appliances (VA). The on-disk VA files are read-only to simplify the attestation process. Any storage file is sealed to the corresponding secure domain. Cerberus leveraged the nested paging technology to isolate the memory regions efficiently. And it also introduced a novel secure display sharing technology. It can guarantee the security property even when the attackers get control of everything but the core hardware infrastructures. Our performance experiment results show that the overhead introduced by Cerberus is less than 5%.

Yan Wen,Jinjing Zhao,Huaimin Wang

DOI: https://doi.org/10.1109/ISIP.2008.28

2008-01-01

Abstract:Isolation execution is an effective mechanism that has been applied to protect the computers against the unknown attacks from the Internet. However, previous isolation solutions cannot achieve both the OS isolation and the reusage of existing software environment. In this paper, we present a new isolated execution approach called Aquarius for accessing the Internet safely. Besides fulfilling the OS isolation based on a hosted virtual machine (VM), Aquarius provides other two key features. One is that it can reuse the preinstalled software of the host OS. Another is that Aquarius faithfully reproduces the behavior of the Internet-accessing applications via providing transparent Internet accesses, as if they were directly connected to the Internet. Functional evaluation results illustrate the effectiveness of our approach, and performance evaluation results show that compute-intensive benchmarks run essentially at native speed on Aquarius VM, reaching 95.82-99.59% while network transmitting achieves 87.94% of the native network speed.

lei xu,zonghui wang,wenzhi chen

DOI: https://doi.org/10.1155/2015/310308

2015-01-01

Abstract:AbstractIn common sense, virtualization technology is adopted to offer several isolated execution environments and make better use of computational resources in server environment. However, in embedded systems, the significance of virtualization does not come into the picture. The extensive utilization of mobile smart devices has led to a series of issues such as security, wasting of resources, and power consumption. In this paper, we discuss how mobile virtualization addresses these challenges and then present a detail analysis of four mainstream mobile virtualization solutions: containers, paravirtualization, hardware-assisted full virtualization, and microkernel. At last, we carry out a series of performance comparisons among these solutions and make some suggestions for further research.

CHEN Wen-zhi,HUANG Wei,XIE Cheng,HE Qin-ming

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.02.016

2009-01-01

Abstract:Virtualization was introduced to increase the security of embedded devices while avoiding the shortcomings caused by the hardware-based approach such as poor flexibility,high complexity and high production cost of equipments.Virtualization platform SmartVP offers a secure system environment by the software-based approach.SmartVP partitions the computing resources on the ARM processor into two parallel sets,one for standard real-time operating system T-Kernel and the other for general-purpose operating system Linux.The trusted computing base of SmartVP is constructed by protecting the code and data of the software on T-Kernel,as well as by implementing the fundamental security services and interfaces.Both performance benchmark and applications show that SmartVP improves the security of embedded devices and reduces the implementing risk together with developing time and cost.

Hailei Sun,Tianyu Wo

DOI: https://doi.org/10.1109/CSC.2011.6138521

2011-01-01

Abstract:Application virtualization is to isolate applications from the host system and from other applications in an operating system. This paper focuses on virtualization strategies and optimized strategies in our optimized approach to virtualize an execution environment for windows applications. Since the resources, such as registry, file and system object, play different roles during the runtime, different virtualization strategies are adopted. Every resource is divided into different groups which have different priorities according to the attributes and functions of the groups during the runtime. Registry virtualization is to rewrite the system calls, and file visit virtualization and system objects virtualization are to rewrite the parameters of the system calls. Moreover, because of the complicated scenarios during the runtime, our approach adopts three main optimized strategies, which are synchronization methods, parameter buffer and optimized methods of private registry. Synchronization methods are used to improve the performance of multi-threads and multi-processes created by applications. Parameter buffer is used to reduce the allocation operation when parameters are required to rewritten in the high frequent system calls made by applications, usually tens of thousands of times per run. Optimized methods of private registry are used to speed up the rewritten system calls for the virtual registry. Through the optimized strategies, the average overhead is reduced to 30% and the absolute value of time-consuming is acceptable.

Hang Huang,Honglei Wang,Jia Rao,Song Wu,Hao Fan,Chen Yu,Hai Jin,Kun Suo,Lisong Pan

DOI: https://doi.org/10.1109/tc.2024.3383988

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Container technology is increasingly adopted in cloud environments. However, the lack of isolation in the shared kernel becomes a significant barrier to the wide adoption of containers. The challenges lie in how to simultaneously attain high performance and isolation. On the one hand, kernel-level isolation mechanisms, such as seccomp, capabilities, and apparmor, achieve good performance without much overhead, but lack the support for per-container customization. On the other hand, user-level and VM-based isolation offer superior security guarantees and allow for customization, since a container is assigned a dedicated kernel, but at the cost of high overhead. We present vKernel, a kernel isolation framework. It maintains a minimal set of code and data that are either sensitive or prone to interference in a vKernel Instance (vKI). vKernel relies on inline hooks to intercept and redirect requests sent to the host kernel to a vKI, where container-specific security rules, functions, and data are implemented. Through case studies, we demonstrate that under vKernel user-defined data isolation and kernel customization can be supported with a reasonable engineering effort. An evaluation of vKernel with micro-benchmarks, cloud services, real-world applications show that vKernel achieves good security guarantees, but with much less overhead.

Yuehua Dai,Yong Qi,Jianbao Ren,Yi Shi,Xiaoguang Wang,Xuan Yu

DOI: https://doi.org/10.1145/2517326.2451535

2013-01-01

ACM SIGPLAN Notices

Abstract:Traditional Virtual Machine Monitor (VMM) virtualizes some devices and instructions, which induces performance overhead to guest operating systems. Furthermore, the virtualization contributes a large amount of codes to VMM, which makes a VMM prone to bugs and vulnerabilities. On the other hand, in cloud computing, cloud service provider configures virtual machines based on requirements which are specified by customers in advance. As resources in a multi-core server increase to more than adequate in the future, virtualization is not necessary although it provides convenience for cloud computing. Based on the above observations, this paper presents an alternative way for constructing a VMM: configuring a booting interface instead of virtualization technology. A lightweight virtual machine monitor - OSV is proposed based on this idea. OSV can host multiple full functional Linux kernels with little performance overhead. There are only 6 hyper-calls in OSV. The Linux running on top of OSV is intercepted only for the inter-processor interrupts. The resource isolation is implemented with hardware-assist virtualization. The resource sharing is controlled by distributed protocols embedded in current operating systems. We implement a prototype of OSV on AMD Opteron processor based 32-core servers with SVM and cache-coherent NUMA architectures. OSV can host up to 8 Linux kernels on the server with less than 10 lines of code modifications to Linux kernel. OSV has about 8000 lines of code which can be easily tuned and debugged. The experiment results show that OSV VMM has 23.7% performance improvement compared with Xen VMM.

CHEN Hao,SUN JianHua,LIU Chen,LI HaiWei

DOI: https://doi.org/10.1360/112010-1008

2012-01-01

Abstract:Traditional trusted computing base (TCB) contains the OS, device drivers, and all the applications, and the validation of the entire TCB is tremendously complicated. To solve this problem, we propose a TCB minimization architecture that leverages hardware isolation features such as system management mode provided by CPU, executing security-sensitive code of applications in a virtual environment to exclude these unsecure- sensitive code, OS and other applications out of TCB, which makes the TCB only include security-sensitive code and some management code of the virtual environment. Even if attackers control OS and part of hardware (DMA, hardward debugger, etc.), the isolated environment can guarantee the security and integrity of sensitive code execution. Meanwhile, the system provides reliable fine-grained validation, which convinces that the correct security-sensitive code is executed and the whole execution is protected by our system.

Yuehua Dai,Yi Shi,Yong Qi,Jianbao Ren,Peijian Wang

DOI: https://doi.org/10.1007/s11704-012-2084-0

2013-01-01

Abstract:Virtual machine monitors (VMMs) play a central role in cloud computing. Their reliability and availability are critical for cloud computing. Virtualization and device emulation make the VMM code base large and the interface between OS and VMM complex. This results in a code base that is very hard to verify the security of the VMM. For example, a misuse of a VMM hyper-call by a malicious guest OS can corrupt the whole VMM. The complexity of the VMM also makes it hard to formally verify the correctness of the system's behavior. In this paper a new VMM, operating system virtualization (OSV), is proposed. The multiprocessor boot interface and memory configuration interface are virtualized in OSV at boot time in the Linux kernel. After booting, only inter-processor interrupt operations are intercepted by OSV, which makes the interface between OSV and OS simple. The interface is verified using formal model checking, which ensures a malicious OS cannot attack OSV through the interface. Currently, OSV is implemented based on the AMD Opteron multi-core server architecture. Evaluation results show that Linux running on OSV has a similar performance to native Linux. OSV has a performance improvement of 4%-13% over Xen.