Write a Blog >>
VEE 2017
Sat 8 - Sun 9 April 2017 Xi'an, China
Sun 9 Apr 2017 11:45 - 12:15 at Zhu Que Room - Performance Chair(s): Paolo Bonzini

Once compromising the hypervisor, remote or local adversaries can easily access other customers’ sensitive data in the memory and context of guest virtual machines (VMs). VM isolation is an efficient mechanism for protecting the memory of guest VMs from unauthorized access. However, previous VM isolation systems either modify hardware architecture or introduce a software module without being protected, and most of them focus on the x86 architecture.

This paper proposes HA-VMSI, a lightweight hardware-assisted VM isolation approach for ARM, to provide runtime protection of guest VMs, even with a compromised hypervisor. In the ARM TrustZone secure world, a thin security monitor is introduced as HA-VMSI’s entire TCB. Hence, the security monitor is much less vulnerable and safe from attacks that can compromise the hypervisor. The key of HA-VMSI is decoupling the functions of memory isolation among VMs from the hypervisor into the security monitor. As a result, the hypervisor can only update the Stage-2 page tables of VMs via the security monitor, which inspects and approves each new mapping. It is worth noting that HA-VMSI is more secure and effective than current software approaches, and more flexible and compatible than hardware approaches. We have implemented a prototype for KVM hypervisor with multiple Linux as guest OSes on Juno board. The security assessment and performance evaluation show that HA-VMSI is effective, efficient and practical.

Sun 9 Apr

10:45 - 12:15: Session 6 - Performance at Zhu Que Room
Chair(s): Paolo BonziniRed Hat, Inc.
vee-2017-Session-610:45 - 11:15
Chun YangPeking University, China, Xianhua LiuPeking University, China, Xu ChengPeking University, China
vee-2017-Session-611:15 - 11:45
Amanieu d'AntrasUniversity of Manchester, Cosmin GorgovanUniversity of Manchester, Jim GarsideUniversity of Manchester, John GoodacreUniversity of Manchester, Mikel Lujan
File Attached
vee-2017-Session-611:45 - 12:15
Min ZhuInstitute of Information Engineering, Chinese Academy of Sciences, Bibo TuInstitute of Information Engineering, Chinese Academy of Sciences, Wei WeiInstitute of Information Engineering, Chinese Academy of Sciences, Dan MengInstitute of Information Engineering, Chinese Academy of Sciences