NDLI: Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Please wait, while we are loading the content...

Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Content Provider	CiteSeerX
Author	Wu, Chiachih Wang, Zhi Jiang, Xuxian
Abstract	Recent years have witnessed increased adoption of hosted hypervisors in virtualized computer systems. By non-intrusively extending commodity OSs, hosted hypervi-sors can effectively take advantage of a variety of mature and stable features as well as the existing broad user base of commodity OSs. However, virtualizing a computer system is still a rather complex task. As a result, existing hosted hypervisors typically have a large code base (e.g., 33.6K SLOC for KVM), which inevitably introduces exploitable software bugs. Unfortunately, any compromised hosted hy-pervisor can immediately jeopardize the host system and subsequently affect all running guests in the same physical machine. In this paper, we present a system that aims to dramati-cally reduce the exposed attack surface of a hosted hypervi-sor by deprivileging its execution to user mode. In essence, by decoupling the hypervisor code from the host OS and deprivileging its execution, our system demotes the hyper-visor mostly as a user-level library, which not only substan-tially reduces the attack surface (with a much smaller TCB), but also brings additional benefits in allowing for better de-velopment and debugging as well as concurrent execution of multiple hypervisors in the same physical machine. To evaluate its effectiveness, we have developed a proof-of-concept prototype that successfully deprivileges ∼ 93.2% of the loadable KVM module code base in user mode while only adding a small TCB (2.3K SLOC) to the host OS ker-nel. Additional evaluation results with a number of bench-mark programs further demonstrate its practicality and ef-ficiency. 1
File Format	PDF
Access Restriction	Open
Subject Keyword	Commodity Os Physical Machine Exploitable Software Bug Large Code Base Hosted Hypervisors Host O User-level Library Complex Task Proof-of-concept Prototype Bench-mark Program Attack Surface Virtualized Computer System Computer System Hypervisor Code Small Tcb Host O Ker-nel Stable Feature Host System Loadable Kvm Module Code Base Additional Evaluation Result Exposed Attack Surface Broad User Base Additional Benefit User Mode Concurrent Execution Multiple Hypervisors
Content Type	Text

Central Library (ISO-9001:2015 Certified)
Indian Institute of Technology Kharagpur
Kharagpur, West Bengal, India | PIN - 721302

See location in the Map
03222 282435
Mail: support@ndl.gov.in

Sl.	Authority	Responsibilities	Communication Details
1	Ministry of Education (GoI), Department of Higher Education	Sanctioning Authority	https://www.education.gov.in/ict-initiatives
2	Indian Institute of Technology Kharagpur	Host Institute of the Project: The host institute of the project is responsible for providing infrastructure support and hosting the project	https://www.iitkgp.ac.in
3	National Digital Library of India Office, Indian Institute of Technology Kharagpur	The administrative and infrastructural headquarters of the project	Dr. B. Sutradhar bsutra@ndl.gov.in
4	Project PI / Joint PI	Principal Investigator and Joint Principal Investigators of the project	Dr. B. Sutradhar bsutra@ndl.gov.in Prof. Saswat Chakrabarti will be added soon
5	Website/Portal (Helpdesk)	Queries regarding NDLI and its services	support@ndl.gov.in
6	Contents and Copyright Issues	Queries related to content curation and copyright issues	content@ndl.gov.in
7	National Digital Library of India Club (NDLI Club)	Queries related to NDLI Club formation, support, user awareness program, seminar/symposium, collaboration, social media, promotion, and outreach	clubsupport@ndl.gov.in
8	Digital Preservation Centre (DPC)	Assistance with digitizing and archiving copyright-free printed books	dpc@ndl.gov.in
9	IDR Setup or Support	Queries related to establishment and support of Institutional Digital Repository (IDR) and IDR workshops	idr@ndl.gov.in