DocumentCode :
1799759
Title :
EqualVisor: Providing Memory Protection in an Untrusted Commodity Hypervisor
Author :
Liang Deng ; Qingkai Zeng ; Weiguang Wang ; Yao Liu
Author_Institution :
State Key Lab. for Novel Software Technol., Nanjing Univ., Nanjing, China
fYear :
2014
fDate :
24-26 Sept. 2014
Firstpage :
300
Lastpage :
309
Abstract :
In cloud computing, the hypervisor is the all-powerful software running at the highest privilege level, so an attacker who compromises the hypervisor may jeopardize the whole cloud and, in particular, corrupt the memory of any sensitive workload it hosts. In this paper, we propose a novel architecture and approach that provides memory protection against an untrusted hypervisor on current x86 platforms. Unlike previous approaches such as nested virtualization, we do not place another, higher-privileged TCB below the hypervisor. Instead, our approach introduces a properly isolated tiny TCB that runs at the same privilege level and in the same address space as the hypervisor, and uses this TCB to intercept and validate the hypervisor's privileged actions that affect memory protection. In this way, further memory security policies can be enforced relying only on the TCB, even if the hypervisor is fully compromised.
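The abstract describes a TCB that intercepts the hypervisor's privileged memory actions and validates them against a policy. The following C program is an added illustration of what such a validation step can look like; it is not code from the EqualVisor paper, and it does not show the paper's central mechanism (how a TCB sharing the hypervisor's privilege level and address space gets control of those actions in the first place). The frame layout, the region kinds, the verdict names and the policy rules (TCB and page-table frames may never be mapped writable by the hypervisor, protected guest frames may not be mapped at all, and only known page-table pages may be written) are assumptions made for this example; the page-table-entry bit positions are the architectural x86-64 ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-table entry bits (architectural positions). */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITE    (1ULL << 1)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL
#define PAGE_SHIFT   12

/* Frame classes the hypothetical TCB tracks. Page-table pages are tracked
 * so the TCB knows which stores to intercept and so the hypervisor cannot
 * re-map them writable and bypass the validation. (Assumed policy.) */
enum region_kind { REGION_TCB, REGION_PAGE_TABLE, REGION_GUEST_SENSITIVE };

struct region { uint64_t start_pfn; uint64_t npages; enum region_kind kind; };
struct policy { const struct region *regions; size_t nregions; };

enum verdict {
    ALLOW = 0,
    DENY_TARGET_NOT_PT,    /* store is not aimed at a known page-table page */
    DENY_TCB_WRITABLE,     /* would make TCB memory writable to the hypervisor */
    DENY_PT_WRITABLE,      /* would make a page-table page writable (check bypass) */
    DENY_SENSITIVE_MAPPED  /* would map protected guest memory into the hypervisor */
};

static const struct region *find_region(const struct policy *p, uint64_t pfn)
{
    for (size_t i = 0; i < p->nregions; i++) {
        const struct region *r = &p->regions[i];
        if (pfn >= r->start_pfn && pfn < r->start_pfn + r->npages)
            return r;
    }
    return NULL;
}

uint64_t make_pte(uint64_t pfn, uint64_t flags)
{
    return ((pfn << PAGE_SHIFT) & PTE_PFN_MASK) | flags;
}

/* Validate a hypervisor request to store `new_pte` into an entry of the
 * page-table page at physical frame `pt_pfn`. The TCB would perform the
 * store only on ALLOW; every other verdict rejects the update. */
enum verdict validate_pte_write(const struct policy *p, uint64_t pt_pfn, uint64_t new_pte)
{
    const struct region *target = find_region(p, pt_pfn);
    if (target == NULL || target->kind != REGION_PAGE_TABLE)
        return DENY_TARGET_NOT_PT;

    if (!(new_pte & PTE_PRESENT))
        return ALLOW;                         /* clearing a mapping removes access */

    uint64_t pfn = (new_pte & PTE_PFN_MASK) >> PAGE_SHIFT;
    bool writable = (new_pte & PTE_WRITE) != 0;
    const struct region *r = find_region(p, pfn);
    if (r == NULL)
        return ALLOW;                         /* ordinary hypervisor memory */

    switch (r->kind) {
    case REGION_TCB:             return writable ? DENY_TCB_WRITABLE : ALLOW;
    case REGION_PAGE_TABLE:      return writable ? DENY_PT_WRITABLE : ALLOW;
    case REGION_GUEST_SENSITIVE: return DENY_SENSITIVE_MAPPED;
    }
    return DENY_SENSITIVE_MAPPED;             /* not reachable; fail closed */
}

/* Constructed sample layout; the frame numbers are arbitrary. */
static const struct region sample_regions[] = {
    { 0x1000, 16,  REGION_TCB },
    { 0x2000, 4,   REGION_PAGE_TABLE },
    { 0x3000, 256, REGION_GUEST_SENSITIVE },
};
const struct policy sample_policy = { sample_regions, 3 };

int main(void)
{
    static const char *names[] = { "ALLOW", "DENY_TARGET_NOT_PT", "DENY_TCB_WRITABLE",
                                   "DENY_PT_WRITABLE", "DENY_SENSITIVE_MAPPED" };
    struct { uint64_t pt; uint64_t pte; } reqs[] = {
        { 0x2000, make_pte(0x5000, PTE_PRESENT | PTE_WRITE) },  /* plain memory */
        { 0x2000, make_pte(0x1003, PTE_PRESENT | PTE_WRITE) },  /* TCB frame, writable */
        { 0x2000, make_pte(0x2001, PTE_PRESENT | PTE_WRITE) },  /* page table, writable */
        { 0x2000, make_pte(0x3010, PTE_PRESENT) },              /* protected guest frame */
        { 0x9000, make_pte(0x5000, PTE_PRESENT | PTE_WRITE) },  /* target not a page table */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("pt=%#llx pte=%#llx -> %s\n", (unsigned long long)reqs[i].pt,
               (unsigned long long)reqs[i].pte,
               names[validate_pte_write(&sample_policy, reqs[i].pt, reqs[i].pte)]);
    return 0;
}
```

The check fails closed: a store whose target is not a registered page-table page is rejected rather than ignored, because a hypervisor that can freely write any frame it chooses could otherwise forge a new page table outside the TCB's view. In a real system the validator would also have to cover the other privileged actions that change the memory view (control-register writes, EPT updates and I/O mappings), which this example leaves out.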
Keywords :
cloud computing; storage management; trusted computing; virtual machines; EqualVisor; TCB; address space; cloud computing; hypervisor privilege actions; memory protection; memory security policies; privilege level; trusted computing base; untrusted commodity hypervisor; x86 platforms; Hardware; Logic gates; Registers; Security; Software; Virtual machine monitors; Virtualization; cloud computing; hypervisor; memory protection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on
Conference_Location :
Beijing
Type :
conf
DOI :
10.1109/TrustCom.2014.41
Filename :
7011264