DocumentCode :
2077893
Title :
Cerberus: A Novel Hypervisor to Provide Trusted and Isolated Code Execution
Author :
Chen Wen-Zhi ; Zhang Zhi-Peng ; Yang Jian-hua ; He Qin-Ming
Author_Institution :
Coll. of Comput. Sci. & Technol., Zhejiang Univ., Hangzhou, China
Volume :
1
fYear :
2010
fDate :
7-8 Aug. 2010
Firstpage :
330
Lastpage :
333
Abstract :
Cerberus is a tiny x86 virtual machine monitor. It allows security-sensitive code to be executed in an isolated environment. The code can attest its integrity to a remote party through a two-step attestation provided by Cerberus. Cerberus does not require security-sensitive applications to be modified or recompiled to run on it. These applications are packaged with their operating systems as virtual appliances (VAs). The on-disk VA files are read-only to simplify the attestation process. Any storage file is sealed to the corresponding secure domain. Cerberus leverages nested paging to isolate memory regions efficiently, and it also introduces a novel secure display sharing technology. It can guarantee the security property even when attackers gain control of everything but the core hardware infrastructure. Our performance experiment results show that the overhead introduced by Cerberus is less than 5%.
Keywords :
operating systems (computers); security of data; virtual machines; Cerberus; hypervisor; isolated code execution; operating systems; security sensitive codes; virtual appliances; x86 virtual machine monitor; Computer architecture; Driver circuits; Hardware; Kernel; Security; USA Councils; Code Attestation; Code Integrity; Isolated Codes Execution; Secure Display Sharing; Virtual Machine Monitor;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Science and Management Engineering (ISME), 2010 International Conference of
Conference_Location :
Xi'an
Print_ISBN :
978-1-4244-7669-5
Electronic_ISBN :
978-1-4244-7670-1
Type :
conf
DOI :
10.1109/ISME.2010.172
Filename :
5572301