Cerberus: A Novel Hypervisor to Provide Trusted and Isolated Code Execution
Cerberus is a tiny x86 virtual machine monitor. It allows security sensitive codes to be executed in an isolated circumstance. The codes could attest their integrity to a remote party by a two-step attestation provided by Cerberus. Cerberus does not require the security sensitive applications to be modified or recompiled to run on it These applications are packaged with the operating systems as virtual appliances (VA). The on-disk VA files are read-only to simplify the attestation process. Any storage file is sealed to the corresponding secure domain. Cerberus leveraged the nested paging technology to isolate the memory regions efficiently. And it also introduced a novel secure display sharing technology. It can guarantee the security property even when the attackers get control of everything but the core hardware infrastructures. Our performance experiment results show that the overhead introduced by Cerberus is less than 5%.
Virtual Machine Monitor Code Integrity Code Attestation Isolated Codes Execution Secure Display Sharing
Chen Wen-Zhi Zhang Zhi-Peng Yang Jian-Hua He Qin-Ming
College of Computer Science and Technology Zhejiang University Hangzhou, China
国际会议
西安
英文
330-333
2010-08-07(万方平台首次上网日期,不代表论文的发表时间)