
A Virtual Machine Isolation Mechanism Based On Privilege Separation And Time-lock

Posted on: 2014-05-16
Degree: Master
Type: Thesis
Country: China
Candidate: C Yu
Full Text: PDF
GTID: 2268330401976766
Subject: Computer application technology
Abstract/Summary:
Virtual machine technology is attracting more and more attention in the IT industry. It has broken the close dependence between computer hardware and software, improved resource utilization and reduced maintenance costs. At the same time, the security issues of virtual machines have become increasingly prominent, and security has become one of the most important challenges for the development of virtual machine technology.

In a representative virtual machine system, the virtual machine monitor (VMM) presents multiple isolated virtual physical resources to the virtual machines built on top of it. To simplify the design, the system usually includes a management VM, such as Dom0 in Xen and the host Linux in KVM, which is responsible for managing the other VMs and for device driver support. It has a higher security level than normal VMs, so the security of a user VM relies on the security of both the VMM and the management VM. This structure has three problems:
(1) The privileges of the management VM are too concentrated.
(2) Unauthorized access between VMs sharing the hardware platform is possible.
(3) The TCB of a user VM is too large to ensure its own security.

To improve system security, it is effective to reduce the TCB of the system, decentralize the privileges of the management VM and maintain the independence of each VM. Compared with writing vulnerability-free operating system code, maintaining isolation between the various domains of the system is a simpler and more effective way to prevent the spread of security hazards and improve system security.

Based on non-interference theory, a time-lock isolation model is proposed. We designed a spatial isolation mechanism for virtual machines based on privilege separation and, further, a temporal isolation mechanism based on the time-lock. Together they reduce the system TCB, separate privileges and isolate access between VMs, improving system security. The main work includes the following aspects:

(1) A time-lock isolation model based on non-interference theory. We propose a time-lock mechanism based on trusted computing and non-interference theory. A process from an untrusted domain is allowed to access the trusted domain, while every other process that could interfere with the accessing process is locked out during the access period and unlocked after the access completes. The policy is proved formally using non-interference theory.

(2) A spatial isolation mechanism for virtual machines based on privilege separation. We split the traditional Dom0's privileges into three parts: the device driver domain, which is prone to security vulnerabilities; the per-user management domain, which can affect a user's privacy; and the remaining Thin Dom0, which is responsible for user domain creation and management. Re-allocating system privileges through privilege separation reduces the amount of TCB code and improves security. It also lays the foundation for realizing the temporal isolation model.

(3) A temporal isolation mechanism for virtual machines based on the time-lock. After privilege separation, untrusted domains still need to access the trusted domain. Through the time-lock mechanism, we isolate the trusted domain from untrusted domains in the time dimension. The interactions between Thin Dom0 and DomU, and among the virtual domains, are analyzed, and the corresponding temporal isolation mechanism is designed.

(4) Privilege separation and time-lock mechanisms implemented on the Xen platform. Based on the open source project Xen, we isolate the domains from each other in space by the privilege separation mechanism, and in time by the use of the time-lock.

Finally, the system security verification and performance testing are presented. The results show that the proposed security mechanisms can effectively improve the security of the system within an acceptable range of performance overhead.
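A toy model of the time-lock from points (1) and (3), added here as an illustration and not code from the thesis: an untrusted DomU holds exclusive access to a trusted domain for the duration of its window, other DomUs are locked out until it unlocks, and a trace checker verifies the temporal-isolation invariant. The class and method names (TimeLockedDomain, lock/access/unlock) and the key-value store standing in for trusted-domain state are this example's assumptions.

```python
from collections import deque

class TimeLockedDomain:
    """Trusted domain (e.g. Thin Dom0) reachable only through a time-lock: the
    DomU holding the lock is inside its access window, all others are locked out."""
    def __init__(self):
        self.store, self.holder, self.waiting, self.trace = {}, None, deque(), []

    def lock(self, dom):                      # request an access window
        if self.holder is None:
            self.holder = dom
            self.trace.append(("lock", dom))
            return True
        self.waiting.append(dom)              # deferred until the holder unlocks
        self.trace.append(("locked_out", dom))
        return False

    def access(self, dom, key, value=None):   # read/write, inside own window only
        if dom != self.holder:
            raise PermissionError(f"{dom} is outside its access window")
        self.trace.append(("access", dom))
        if value is not None:
            self.store[key] = value
        return self.store.get(key)

    def unlock(self, dom):                    # end window, admit next deferred DomU
        if dom != self.holder:
            raise PermissionError(f"{dom} does not hold the time-lock")
        self.trace.append(("unlock", dom))
        self.holder = None
        if self.waiting:
            self.lock(self.waiting.popleft())

def temporally_isolated(trace):
    """Invariant over the trace: access windows never overlap and every access
    lies inside the window of the domain that issued it."""
    inside = None
    for event, dom in trace:
        if event == "lock":
            if inside is not None:
                return False
            inside = dom
        elif event == "access" and inside != dom:
            return False
        elif event == "unlock":
            if inside != dom:
                return False
            inside = None
    return True
```

Locking DomU-A, having DomU-B call lock() during A's window (B is deferred and any access by B raises PermissionError), then unlocking A hands the window to B; temporally_isolated(td.trace) returns True for such a trace and False for any trace with overlapping windows.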
Keywords/Search Tags: Virtual Machines Security, Virtual Machine Isolation, Non-Interference Theory, Isolation Model, Least Privilege, Privilege Separation, Temporal Isolation