Skip to main content
SpringerLink
Log in

Security Limitations of Virtualization and How to Overcome Them

  • Conference paper
Security Protocols XVIII (Security Protocols 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7061))

Included in the following conference series:

Abstract

To be useful, security primitives must be available on commodity computers with demonstrable assurance and understandable by ordinary users with minimum effort. Trusted computing bases comprising a hypervisor, which implements the reference monitor, and virtual machines whose layered operating system services are formally verified, will continue to fail these criteria for client-side commodity computers. We argue that demonstrable high assurance will continue to elude commodity computers, and complex policies that require management of multiple subjects, object types, and permissions will continue to be misunderstood and misused by most users. We also argue that high-assurance, usable commodity computers require only two security primitives: partitions for isolated code execution, and trustworthy communication between partitions and between users and partitions. Usability requirements for isolated partitions are modest: users need to know when to use a small trusted system partition and when to switch to a larger untrusted one; developers need to isolate and assure only few security-sensitive code modules within an application; and security professionals needed to maintain only the trusted partition and a few isolated modules in the untrusted one. Trustworthy communication, which requires partitions and users to decide whether to accept input from or provide output to others, is more challenging because it requires trust, not merely secure (i.e., confidential and authentic) communication channels.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Attanasio, C.R., Markstein, P.W., Phillips, R.J.: Penetrating an Operating System: A Study of VM/370 Integrity. IBM Systems Journal 15(1), 102–116 (1976)

    Article  Google Scholar 

  2. Richard Attanasio, C.: Virtual Control Storage - Security Measures in VM/370. IBM Systems Journal 18(1), 93–110 (1979)

    Article  Google Scholar 

  3. Anderson, J.P.: Computer security technology planning study. Volume 2. Technical Report ESD-TR-73-51, Air Force Electronic Systems Division (1972)

    Google Scholar 

  4. Gligor, V., Luan, S.-W., Pato, J.: Inter-Realm Authentication in Large Distributed Systems. In: Proc. of IEEE Symp. on Security and Privacy, Oakland, CA (1992); also in the Journal of Computer Security 1993

    Google Scholar 

  5. BAE Systems. Information Technology LLC. Security Target, Version 1.11 for XTS-400, Version 6 (2004)

    Google Scholar 

  6. Lampson, B.W.: Software components: Only the giants survive. In: Computer Systems: Theory, Technology, and Applications, vol. (9), pp. 137–145. Springer (2004)

    Google Scholar 

  7. McCune, J., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A.: TrustVisor: Efficient TCB Reduction and Attestation. Technical Report, CMU-CyLab-09-003 (March 2009); also in Proc. of IEEE Symp. on Security and Privacy, Oakland, CA (May 2010)

    Google Scholar 

  8. Vasudevan, A., Parno, B., Qu, N., Gligor, V., Perrig, A.: Lockdown: A Safe and Practical Environment for Security Applications. Technical Report, CMU-CyLab-09-011 (July 14, 2009); Also in International Conference on Trust and Trustworthy Computing (TRUST), Vienna, Austria, (2012)

    Google Scholar 

  9. Rushby, J.M.: Design and verification of secure systems. Proc. of SOSP 15(5), 12–21 (1981)

    Google Scholar 

  10. Rushby, J.M.: Separation and Integration in MILS (The MILS Constitution). Technical Report, SRI-CSL-TR-08-XX (February 2008)

    Google Scholar 

  11. Boettcher, C., DeLong, R., Rushby, J., Sifre, W.: The MILS Component Integration Approach to Secure Information Sharing. In: 27th IEEE/AIAA Digital Avionics Systems Conference (DASC), St. Paul MN (October 2008)

    Google Scholar 

  12. Peinado, M., Chen, Y., Engl, P., Manferdelli, J.: NGSCB: A Trusted Open System. In: Proc. Australasian Conference on Information Security and Privacy (2004)

    Google Scholar 

  13. Schell, R., Tao, T., Heckman, M.: Designing the GEMSOS security kernel for security and performance. In: Proc. National Computer Security Conference, Baltimore, MD (1985)

    Google Scholar 

  14. Trusted Computing Group. Trusted platform module main specification, Part 1: Design principles, Part 2: TPM structures, Part 3: Commands. Version 1.2, Revision 103 (July 2007)

    Google Scholar 

  15. Parno, B., McCune, J.M., Perrig, A.: Bootstrapping Trust in Commodity Computers. In: Proc. of the IEEE Symposium on Security and Privacy (May 2010)

    Google Scholar 

  16. Fraser, K., Hand, S., Neugebauer, R., Pratt, I., Warfield, A., Williamson, M.: Safe hardware access with the Xen virtual machine monitor. In: Proc. Workshop on Operating System and Architectural Support for the on demand IT InfraStructure (OASIS) (2004)

    Google Scholar 

  17. Zhou, Z., Gligor, V.D., Newsome, J., McCune, J.M.: Building verifiable trusted path on commodity x86 computers. In: Proc. IEEE Symposium on Security and Privacy (2012)

    Google Scholar 

  18. Gold, B.D., Linde, R.R., Cudney, P.: KVM/370 in Retrospect. In: Proc. of IEEE Symp. on Security and Privacy, Oakland, CA (May 1984)

    Google Scholar 

  19. Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H.: A Retrospective on the VAX VMM Security Kernel. IEEE Transaction on Software Engineering 17(11) (November 1991)

    Google Scholar 

  20. Lampson, B.W.: Accountability and Freedom Slides., http://research.microsoft.com/en-us/um/people/blampson/slides/accountabilityAndFreedomAbstract.htm

  21. Lucky, R.W.: When is Dumb Smart. IEEE Spectrum, 21 (November 1997)

    Google Scholar 

  22. Lampson, B.W.: Usable Security: How to Get It. Comm. ACM (November 2009)

    Google Scholar 

  23. Fraim, L.J.: SCOMP: A Solution to the Multilevel Security Problem. IEEE Computer 16(7), 26–34 (1983)

    Article  Google Scholar 

  24. Gligor, V.D.: On the evolution of adversary models in security protocols (or know your friend and foe alike). In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2005. LNCS, vol. 4631, pp. 276–283. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  25. Gligor, V., Wing, J.M.: Towards a Theory of Trust in Networks of Humans and Computers. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 223–242. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  26. Mason, J., Small, S., McManus, G., Monrose, F.: English Shellcode. In: Proc. of the 16th ACM Conference on Computer and Communications Security (CCS), pp. 524–533 (November 2009)

    Google Scholar 

  27. Bell, D.E., LaPadula, L.J.: Secure Computer System: Unified Exposition and Multics Interpretation. In: Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), ESD-TR-75-306 (March 1976)

    Google Scholar 

  28. Adleman, N., Gilson, J.R., Sestak, R.J., Ziller, R.J.: Security Kernel Evaluation for Multics and Secure Multics Design. Technical Report, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations (August 1976); Available at NTIS AD-A038 261/4

    Google Scholar 

  29. Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an OS kernel. In: Proc. of SOSP, pp. 207–220. ACM (2009)

    Google Scholar 

  30. Howard, M., Pincus, J., Wing, J.M.: Computer Security in the 21st Century. In: Lee, D.T., Shieh, S.P., Tygar, J.D. (eds.) Measuring Relative Attack Surfaces, pp. 109–137. Springer (March 2005)

    Google Scholar 

  31. Manadhata, P.K., Karabulut, Y., Wing, J.M.: Report: Measuring the Attack Surfaces of Enterprise Software. In: Massacci, F., Redwine Jr., S.T., Zannone, N. (eds.) ESSoS 2009. LNCS, vol. 5429, pp. 91–100. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  32. Reeder, R.W., Maxion, R.A.: User Interface Dependability through Goal-Error Prevention. In: Proc. of International Conference on Dependable Systems and Networks, Yokohama, Japan, June 28 -July 01, pp. 60–69 (2005)

    Google Scholar 

  33. Lipner, S., Jaeger, T., Zurko, M.E.: Lessons from VAX/SVS for High Assurance VM Systems. IEEE Security and Privacy 10(6), 26–35 (2012)

    Google Scholar 

  34. VMware White paper. Understanding Full Virtualization, Paravirtualization and Hardware Assist, http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf (accessed March 23, 2010)

  35. De Clercq, J.: Windows Server 2008 Hyper-V Security, http://windowsitpro.com/virtualization/windows-server-2008-hyper-v-security (accessed March 23, 2010)

  36. Schroeder, M.D., Clark, D.D., Saltzer, J.H.: The Multics Kernel Design Project. In: Proc. of SOSP, pp. 43–56. ACM (1977)

    Google Scholar 

  37. Neumann, P.G., Feiertag, R.J.: PSOS Revisited. In: Proc. of the 19th Annual Computer Security Applications Conference (2003)

    Google Scholar 

  38. Schell, R.R., Tao, T.F., Heckman, M.: Designing the GEMSOS security kernel for security and performance. In: Proc. of the 8th National Computer Security Conference, Gaithersburg, MD, pp. 108–119 (1985)

    Google Scholar 

  39. Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In: Proceedings of USENIX Annual Technical Conference (June 2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Carnegie Mellon University, Pittsburgh, PA, 15213, USA

    Virgil Gligor

Authors
  1. Virgil Gligor
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. University of Hertfordshire, AL10 9AB, Hatfield, Hertfordshire, UK

    Bruce Christianson  & James Malcolm  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gligor, V. (2014). Security Limitations of Virtualization and How to Overcome Them. In: Christianson, B., Malcolm, J. (eds) Security Protocols XVIII. Security Protocols 2010. Lecture Notes in Computer Science, vol 7061. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45921-8_34

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-45921-8_34

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-45920-1

  • Online ISBN: 978-3-662-45921-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation