Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 102)

Abstract

Integrity Measurement Mechanisms (IMMs) can be used to detect tampering attacks on the integrity of system components and so help ensure the trustworthiness of a system. If an IMM itself has been compromised, its measurement results are untrustworthy. Therefore, IMMs must be protected in order to provide credible measurement results. In this paper, we propose an isolation mechanism based on the Intel VMX technology that protects an IMM from being tampered with, even if the whole operating system (OS) is untrusted. The proposed isolation mechanism consists of two parts: a module running inside the OS and a hypervisor running beneath the OS as its basis. Since an IMM may be attacked by untrusted software writing to its memory, the in-OS module is used to modify the access permissions of the IMM's memory. The threat does not disappear with that step alone, however, because untrusted software may run in kernel mode and can therefore also modify the access permissions of the IMM. Benefiting from the Intel VMX technology, the hypervisor of our isolation mechanism can monitor and stop such abnormal behavior by untrusted software. To evaluate our approach, we implement a prototype system named VIsolator. Experimental results indicate that it effectively and efficiently protects an IMM from being tampered with.

The work of this paper was supported in part by National Natural Science Foundation of China (61070192, 91018008, 60873213), National 863 High-Tech Research Development Program of China (2007AA01Z414), Natural Science Foundation of Beijing (4082018) and Open Project of Shanghai Key Laboratory of Intelligent Information Processing (IIPL-09-006).

Author information

Corresponding author

Correspondence to Wenchang Shi.

Copyright information

© 2011 Springer Science+Business Media B.V.

About this paper

Cite this paper

He, L., Li, X., Shi, W., Liang, Z., Liang, B. (2011). VIsolator: An Intel VMX-Based Isolation Mechanism. In: Park, J., Jin, H., Liao, X., Zheng, R. (eds) Proceedings of the International Conference on Human-centric Computing 2011 and Embedded and Multimedia Computing 2011. Lecture Notes in Electrical Engineering, vol 102. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-2105-0_24

  • DOI: https://doi.org/10.1007/978-94-007-2105-0_24

  • Publisher Name: Springer, Dordrecht

  • Print ISBN: 978-94-007-2104-3

  • Online ISBN: 978-94-007-2105-0
