IntroductionNewsUse CasesTechnologyAssurancePublicationsRelated WorkContact
HardwareOverviewHypervisorTrusted SoftwareVirtualization
The Hypervisor Layer

On top of the hardware layer, the hypervisor layer (see Figure 1) is responsible for both sharing of hardware resource and the enforcement of mandatory access control rules based on the available hardware resources.

Resource Management
Figure 1: The resource management layer shared hardware resources and enforces the mandatory security policy.

The hardware resources managed by this layer contains, but is not limited to, the following list of resource types:

  • CPU (process- and thread management, scheduling)
  • Communication channels
  • Hard- and software interrupts
  • I/O ports
  • Memory
  • Clock
  • Bus systems (PCI, LPC, ...)
  • Controllers
  • Persistent storage (Disk, Floppy, USB, ...)
  • Trusted computing hardware
  • Misc devices

Since access to hardware resources is most often highly security-critical, the resource management layer has to enforcement two elementary security properties, namely isolation and least priviledge. Therefore, appropriate managers have to be implemented such that the default behavior is not to share resources. Moreover, concurrent processes must not be able to access/use resources assigned to another process if not explicitly allowed by the owning process.

To be able to share hardware devices, device drivers are also part of the resource management layer. Since malicious code that has access to busmaster direct memory access (DMA) devices can bypass any security mechanisms, the resource management layer has to ensure that only secure values are used to invoke DMA functions.

Obviously, such a resource management layer can be realized differently. in the following we shortly discuss two different approaches - microkernel-based systems and hypervisors.

The Multi-Server Approach

Microkernels are minimalistic operating system kernels providing only elementary services like process management, inter-process communication, and memory resp. exception support. Since strategies (memory management, scheduling, device drivers, etc.) are implemented using separated user-mode processes, these components are isolated from each other. Since the operating system functionality is realized using separated processes, such systems are often called multi-server systems (cmp. Figure 2).

Microkernel
Figure 2: Realization of the resource management layer using a microkernel-based multi-server system.

One important advantage of microkernel-based systems are their small size which qualifies them as basis for leightweight computing platforms like mobile devices and embedded systems.

The Monolithic Approach

An alternative to multi-server systems are monolithic implementations of the hypervisor layer. Note that we are not talking about conventional monolithic operating systems like Linux or Microsoft Windows here, but only single-server implementations of the hypervisor layer. A common example of a single-server approach is the sHype project of IBM, or Xen developed at Cambridge. These are virtual machine monitors (VMM) virtualizing the underlying hardware including hardware devices (see Figure 3).

Hypervisor
Figure 3: A hypervisor acts as a virtual machine monitor (VMM) executing several virtual machines (VM) in parallel.

On top of the sHype, so-called isolated virtual machines (VM) are executed in parallel. One priviledged VM contains the policy management software and the real device drivers. As you can see in Figure 3, even hybrid approaches are imaginable: A hypervisor is used to executed instances of a legacy operating system, while a more trustworthy microkernel-based system runs as the priviledged VM.

The hypervisor approach is especially important in the context of large server systems.
© 1999-2006 by Christian Stüble Anmelden