Building a General-Purpose Secure Virtual Machine Monitor

Semantic Scholar (2005)

Abstract
Recent advances in the hardware available for commodity computer systems are enabling the construction of virtual machine monitors (VMMs) that provide complete isolation between virtual machines (VMs). This paper predicts that the availability of this isolation will increase the demand for VMM-based systems running mutually distrusted coalitions of VMs. Because VMM systems can provide reliable isolation, some of the controlled-sharing responsibilities of operating systems will be moved into the VMM where practical; in this paper we investigate the efficacy of providing such controls in the VMM. This paper describes the design of the sHype security architecture, carefully considering which virtualizable resources are appropriately controlled by the VMM. sHype enables control of these resources using a system-wide mandatory access control (MAC) policy. One sHype design goal is to permit the hypervisor to retain a very stable, near-minimal code base, allowing significant security assurances (e.g., Common Criteria) to be achieved. Notably, this paper argues that it is not necessary to aim for the highest levels of assurance when designing secure VMMs for commodity hardware—when absolute isolation is required (e.g., the total prevention of covert timing channels), a multi-system, separate-hardware architecture is recommended. Finally, this paper describes an implementation of the sHype architecture controlling virtual LAN (vLAN) resources in a fully functional research hypervisor.