Building a General-Purpose Secure Virtual Machine Monitor

Recent advances in the hardware available for commodity computer systems are enabling the construction of virtual machine monitors (VMMs) that provide complete isolation between virtual machines (VMs). This paper predicts that the availability of this isolation will increase the demand for VMM-based systems running mutually distrusted coalitions of VMs. Because the VMM systems can provide reliable isolation, some controlled sharing responsibilities of operating systems will be moved to the VMM, where practical; we investigate the efficacy of providing such controls in the VMM in this paper.

This paper describes the design of the sHype security architecture, carefully considering which virtualizable resources are appropriately controlled by the VMM. sHype enables control of these resources using a system-wide mandatory access control (MAC) policy. One sHype design goal is to permit the hypervisor to retain a very stable, near-minimal code base, allowing significant security assurances (e.g., Common Criteria) to be achieved. Notably, this paper argues that it is not necessary to aim for the highest levels of assurance when designing secure VMMs for commodity hardware - when absolute isolation is required (e.g., the total prevention of covert timing channels), a multi-system, separate hardware architecture is recommended. Finally, this paper describes an implementation of the sHype architecture controlling virtual LAN (vLAN) resources in a fully-functional research hypervisor.

By: Reiner Sailer; Trent Jaeger; John Linwood Griffin; Stefan Berger; Leendert van Doorn; Ronald Perez; Enriquillo Valdez

Published in: RC23537 in 2005


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .