Abstract
To be useful, security primitives must be available on commodity computers with demonstrable assurance and understandable by ordinary users with minimum effort. Trusted computing bases comprising a hypervisor, which implements the reference monitor, and virtual machines whose layered operating system services are formally verified, will continue to fail these criteria for client-side commodity computers. We argue that demonstrable high assurance will continue to elude commodity computers, and complex policies that require management of multiple subjects, object types, and permissions will continue to be misunderstood and misused by most users. We also argue that high-assurance, usable commodity computers require only two security primitives: partitions for isolated code execution, and trustworthy communication between partitions and between users and partitions. Usability requirements for isolated partitions are modest: users need to know when to use a small trusted system partition and when to switch to a larger untrusted one; developers need to isolate and assure only few security-sensitive code modules within an application; and security professionals needed to maintain only the trusted partition and a few isolated modules in the untrusted one. Trustworthy communication, which requires partitions and users to decide whether to accept input from or provide output to others, is more challenging because it requires trust, not merely secure (i.e., confidential and authentic) communication channels.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Attanasio, C.R., Markstein, P.W., Phillips, R.J.: Penetrating an Operating System: A Study of VM/370 Integrity. IBM Systems Journal 15(1), 102–116 (1976)
Richard Attanasio, C.: Virtual Control Storage - Security Measures in VM/370. IBM Systems Journal 18(1), 93–110 (1979)
Anderson, J.P.: Computer security technology planning study. Volume 2. Technical Report ESD-TR-73-51, Air Force Electronic Systems Division (1972)
Gligor, V., Luan, S.-W., Pato, J.: Inter-Realm Authentication in Large Distributed Systems. In: Proc. of IEEE Symp. on Security and Privacy, Oakland, CA (1992); also in the Journal of Computer Security 1993
BAE Systems. Information Technology LLC. Security Target, Version 1.11 for XTS-400, Version 6 (2004)
Lampson, B.W.: Software components: Only the giants survive. In: Computer Systems: Theory, Technology, and Applications, vol. (9), pp. 137–145. Springer (2004)
McCune, J., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: Efficient TCB Reduction and Attestation. Technical Report, CMU-CyLab-09-003 (March 2009); also in Proc. of IEEE Symp. on Security and Privacy, Oakland, CA (May 2010)
Vasudevan, A., Parno, B., Qu, N., Gligor, V., Perrig, A.: Lockdown: A Safe and Practical Environment for Security Applications. Technical Report, CMU-CyLab-09-011 (July 14, 2009); Also in International Conference on Trust and Trustworthy Computing (TRUST), Vienna, Austria, (2012)
Rushby, J.M.: Design and verification of secure systems. Proc. of SOSP 15(5), 12–21 (1981)
Rushby, J.M.: Separation and Integration in MILS (The MILS Constitution). Technical Report, SRI-CSL-TR-08-XX (February 2008)
Boettcher, C., DeLong, R., Rushby, J., Sifre, W.: The MILS Component Integration Approach to Secure Information Sharing. In: 27th IEEE/AIAA Digital Avionics Systems Conference (DASC), St. Paul MN (October 2008)
Peinado, M., Chen, Y., Engl, P., Manferdelli, J.: NGSCB: A Trusted Open System. In: Proc. Australasian Conference on Information Security and Privacy (2004)
Schell, R., Tao, T., Heckman, M.: Designing the GEMSOS security kernel for security and performance. In: Proc. National Computer Security Conference, Baltimore, MD (1985)
Trusted Computing Group. Trusted platform module main specification, Part 1: Design principles, Part 2: TPM structures, Part 3: Commands. Version 1.2, Revision 103 (July 2007)
Parno, B., McCune, J.M., Perrig, A.: Bootstrapping Trust in Commodity Computers. In: Proc. of the IEEE Symposium on Security and Privacy (May 2010)
Fraser, K., Hand, S., Neugebauer, R., Pratt, I., Warfield, A., Williamson, M.: Safe hardware access with the Xen virtual machine monitor. In: Proc. Workshop on Operating System and Architectural Support for the on demand IT InfraStructure (OASIS) (2004)
Zhou, Z., Gligor, V.D., Newsome, J., McCune, J.M.: Building verifiable trusted path on commodity x86 computers. In: Proc. IEEE Symposium on Security and Privacy (2012)
Gold, B.D., Linde, R.R., Cudney, P.: KVM/370 in Retrospect. In: Proc. of IEEE Symp. on Security and Privacy, Oakland, CA (May 1984)
Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H.: A Retrospective on the VAX VMM Security Kernel. IEEE Transaction on Software Engineering 17(11) (November 1991)
Lampson, B.W.: Accountability and Freedom Slides., http://research.microsoft.com/en-us/um/people/blampson/slides/accountabilityAndFreedomAbstract.htm
Lucky, R.W.: When is Dumb Smart. IEEE Spectrum, 21 (November 1997)
Lampson, B.W.: Usable Security: How to Get It. Comm. ACM (November 2009)
Fraim, L.J.: SCOMP: A Solution to the Multilevel Security Problem. IEEE Computer 16(7), 26–34 (1983)
Gligor, V.D.: On the evolution of adversary models in security protocols (or know your friend and foe alike). In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2005. LNCS, vol. 4631, pp. 276–283. Springer, Heidelberg (2007)
Gligor, V., Wing, J.M.: Towards a Theory of Trust in Networks of Humans and Computers. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 223–242. Springer, Heidelberg (2011)
Mason, J., Small, S., McManus, G., Monrose, F.: English Shellcode. In: Proc. of the 16th ACM Conference on Computer and Communications Security (CCS), pp. 524–533 (November 2009)
Bell, D.E., LaPadula, L.J.: Secure Computer System: Unified Exposition and Multics Interpretation. In: Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), ESD-TR-75-306 (March 1976)
Adleman, N., Gilson, J.R., Sestak, R.J., Ziller, R.J.: Security Kernel Evaluation for Multics and Secure Multics Design. Technical Report, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations (August 1976); Available at NTIS AD-A038 261/4
Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an OS kernel. In: Proc. of SOSP, pp. 207–220. ACM (2009)
Howard, M., Pincus, J., Wing, J.M.: Computer Security in the 21st Century. In: Lee, D.T., Shieh, S.P., Tygar, J.D. (eds.) Measuring Relative Attack Surfaces, pp. 109–137. Springer (March 2005)
Manadhata, P.K., Karabulut, Y., Wing, J.M.: Report: Measuring the Attack Surfaces of Enterprise Software. In: Massacci, F., Redwine Jr., S.T., Zannone, N. (eds.) ESSoS 2009. LNCS, vol. 5429, pp. 91–100. Springer, Heidelberg (2009)
Reeder, R.W., Maxion, R.A.: User Interface Dependability through Goal-Error Prevention. In: Proc. of International Conference on Dependable Systems and Networks, Yokohama, Japan, June 28 -July 01, pp. 60–69 (2005)
Lipner, S., Jaeger, T., Zurko, M.E.: Lessons from VAX/SVS for High Assurance VM Systems. IEEE Security and Privacy 10(6), 26–35 (2012)
VMware White paper. Understanding Full Virtualization, Paravirtualization and Hardware Assist, http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf (accessed March 23, 2010)
De Clercq, J.: Windows Server 2008 Hyper-V Security, http://windowsitpro.com/virtualization/windows-server-2008-hyper-v-security (accessed March 23, 2010)
Schroeder, M.D., Clark, D.D., Saltzer, J.H.: The Multics Kernel Design Project. In: Proc. of SOSP, pp. 43–56. ACM (1977)
Neumann, P.G., Feiertag, R.J.: PSOS Revisited. In: Proc. of the 19th Annual Computer Security Applications Conference (2003)
Schell, R.R., Tao, T.F., Heckman, M.: Designing the GEMSOS security kernel for security and performance. In: Proc. of the 8th National Computer Security Conference, Gaithersburg, MD, pp. 108–119 (1985)
Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In: Proceedings of USENIX Annual Technical Conference (June 2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gligor, V. (2014). Security Limitations of Virtualization and How to Overcome Them. In: Christianson, B., Malcolm, J. (eds) Security Protocols XVIII. Security Protocols 2010. Lecture Notes in Computer Science, vol 7061. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45921-8_34
Download citation
DOI: https://doi.org/10.1007/978-3-662-45921-8_34
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-45920-1
Online ISBN: 978-3-662-45921-8
eBook Packages: Computer ScienceComputer Science (R0)