iKernel Isolating Buggy and Malicious Device Drivers Using Hardware Virtualization Support

iKernel Isolating Buggy and Malicious Device Drivers Using Hardware Virtualization SupportShort Description
The users of today’s operating systems demand high reliability and security. However, faults introduced outside of the core operating system by buggy and malicious device drivers can significantly impact these dependability attributes. To help improve driver isolation, we propose an approach that utilizes the latest hardware virtualization support to efficiently sandbox each device driver in its own minimal Virtual Machine (VM) so that the kernel is protected from faults in these drivers. We present our imple- mentation of a low-overhead virtual-machine based framework which allows reuse of existing drivers.

Website: choices.cs.uiuc.edu | Filesize: 134kb
No of Page(s): 9

Content

Intel has recently launched Pentium-based processors supporting the new Intel Virtualization Technology (IVT). Formerly known as Vanderpool, this technology provides hardware support for virtualization. A Virtual Machine Monitor (VMM) is a very thin privileged “hypervisor” which resides above the physical hardware. Virtual machines (VM), running on top of the VMM, all run at a reduced privilege level; code running inside a VM including an operating system is said to be de-privileged. One ormore of these VMs can be allowed to access physical resources and made responsible for I/O processing and sharing. In our evaluation, we demonstrate and analyze the performance of one VM running Linux with a virtual device driver which is used by the host operating system. With this approach, we can use the device drivers in their unmodified form and still achieve sufficient driver isolation.

In the iKernel system architecture, most device drivers are designed to run in their own virtual machine. The host kernel acts as the primary OS environment of the computing system which will run all of the user processes. Lightweight communication stubs are placed in both host and guest OSes, which can communicate with each other using shared memory mechanisms. Shared memory communication mechanisms are chosen so that communication between stubs incurs the least overhead. The host stub provides the same interface to the operating system as the original driver. For example, a typical Linux driver provides the open, close, read, write and ioctl functions, but instead of executing the request, iKernel forwards the information to the stub driver which runs in the guest virtual machine. The guest stub driver will then relay the call to the real device driver functions, which also run in the guest virtual machine.

Get the file Download here

AddThis Social Bookmark Button
Related Books:
  • XenSource XenEnterprise 3.1 hardware assisted server virtualization software introduction and installation for HP ProLiant servers
  • TOP TEN CONSIDERATIONS FOR CHOOSING A SERVER VIRTUALIZATION TECHNOLOGY
  • The advantages of hardware based Virtualization
  • Hardware virtualization support for Afterburner/L4
  • Hardware Virtualization Trends
  • Virtualization is More than Virtual Machine Software
  • Solaris Operating System Hardware Virtualization Product Architecture
  • Oracle On Demand Infrastructure Virtualization with Oracle VM

    • Filed Under Virtualization, Hardware 

    Related Searches: , , , ,



    Comments

    Leave a Reply