Virtual machine monitors (VMMs), including hypervisors, are a popular platform for implementing various security functionalities. However, traditional VMMs require numerous components for providing virtual hardware devices and for sharing and protecting system resources among virtual machines (VMs), enlarging the code size of and reducing the reliability of the VMMs.

This paper introduces a hypervisor architecture, called parapass-through, designed to minimize the code size of hypervisors by allowing most of the I/O access from the guest operating system (OS) to pass-through the hypervisor, while the minimum access necessary to implement security functionalities is completely mediated by the hypervisor. This architecture uses device drivers of the guest OS to handle devices, thereby reducing the size of components in the hypervisor to provide virtual devices. This architecture also allows to run only single VM on it, eliminating the components for sharing and protecting system resources among VMs.

We implemented a hypervisor called BitVisor and a parapass-through driver for enforcing storage encryption of ATA devices based on the parapass-through architecture. The experimental result reveals that the hypervisor and ATA driver require approximately 20 kilo lines of code (KLOC) and 1.4 KLOC respectively.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Mohit Aron , Peter Druschel, Soft timers: efficient microsecond software timer support for network processing, Proceedings of the seventeenth ACM symposium on Operating systems principles, p.232-246, December 12-15, 1999, Charleston, South Carolina, United States
	2	Kurniadi Asrigo , Lionel Litty , David Lie, Using VMM-based sensors to monitor honeypots, Proceedings of the 2nd international conference on Virtual execution environments, June 14-16, 2006, Ottawa, Ontario, Canada  [doi>10.1145/1134760.1134765]
	3	Paul Barham , Boris Dragovic , Keir Fraser , Steven Hand , Tim Harris , Alex Ho , Rolf Neugebauer , Ian Pratt , Andrew Warfield, Xen and the art of virtualization, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	4	Peter M. Chen , Brian D. Noble, When Virtual Is Better Than Real, Proceedings of the Eighth Workshop on Hot Topics in Operating Systems, p.133, May 20-22, 2001
	5	Xiaoxin Chen , Tal Garfinkel , E. Christopher Lewis , Pratap Subrahmanyam , Carl A. Waldspurger , Dan Boneh , Jeffrey Dwoskin , Dan R.K. Ports, Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems, Proceedings of the 13th international conference on Architectural support for programming languages and operating systems, March 01-05, 2008, Seattle, WA, USA
	6	Andy Chou , Junfeng Yang , Benjamin Chelf , Seth Hallem , Dawson Engler, An empirical study of operating systems errors, Proceedings of the eighteenth ACM symposium on Operating systems principles, October 21-24, 2001, Banff, Alberta, Canada
	7	Advanced Micro Devices. AMD64 architecture programmer's manual volume 2: System programming rev 3--14, September 2007.
	8	Vinod Ganapathy , Matthew J. Renzelmann , Arini Balakrishnan , Michael M. Swift , Somesh Jha, The design and implementation of microdrivers, Proceedings of the 13th international conference on Architectural support for programming languages and operating systems, March 01-05, 2008, Seattle, WA, USA
	9	Tal Garfinkel , Ben Pfaff , Jim Chow , Mendel Rosenblum , Dan Boneh, Terra: a virtual machine-based platform for trusted computing, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	10	Ian Goldberg , David Wagner , Randi Thomas , Eric A. Brewer, A secure environment for untrusted helper applications confining the Wily Hacker, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.1-1, July 22-25, 1996, San Jose, California
	11	R. Goldberg. Architectural Principles for Virtual Computer Systems. PhD thesis, Harvard University, February 1973.
	12	IEEE. IEEE standard for cryptographic protection of data on blockoriented storage devices, April 2008. IEEE Std 1619-2007.
	13	Stephen T. Jones , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau, VMM-based hidden process detection and identification using Lycosid, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA  [doi>10.1145/1346256.1346269]
	14	Kenichi Kourai , Shigeru Chiba, HyperSpector: virtual distributed monitoring environments for secure intrusion detection, Proceedings of the 1st ACM/USENIX international conference on Virtual execution environments, June 11-12, 2005, Chicago, IL, USA  [doi>10.1145/1064979.1065006]
	15	Jiuxing Liu , Wei Huang , Bulent Abali , Dhabaleswar K. Panda, High performance VMM-bypass I/O in virtual machines, Proceedings of the annual conference on USENIX '06 Annual Technical Conference, p.3-3, May 30-June 03, 2006, Boston, MA
	16	David E. Lowell , Yasushi Saito , Eileen J. Samberg, Devirtualizable virtual machines enabling general, single-node, online maintenance, Proceedings of the 11th international conference on Architectural support for programming languages and operating systems, October 07-13, 2004, Boston, MA, USA
	17	Larry McVoy , Carl Staelin, lmbench: portable tools for performance analysis, Proceedings of the 1996 annual conference on USENIX Annual Technical Conference, p.23-23, January 22-26, 1996, San Diego, CA
	18	R. Meushaw and D. Simard. Nettop: Commercial technology in high assurance applications, 2000.
	19	Junichi Murakami. A hypervisor IPS based on hardware assisted virtualization technology. In Black Hat USA 2008, August 2008.
	20	Derek Gordon Murray , Grzegorz Milos , Steven Hand, Improving Xen security through disaggregation, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA  [doi>10.1145/1346256.1346278]
	21	Gil Neiger, Amy Santoni, Felix Leung, Dion Rodgers, and Rich Uhlig. Intel virtualization technology: Hardware support for efficient processor virtualization. Intel Technology Journal, 10(03):167--177, August 2006.
	22	Mahendra Ramachandran, Ned Smith, Matthew Wood, Sharad Garg, Jim Stanley, Eswar Eduri, Rinat Rappoport, Arie Chobotaro, Carl Klotz, and Lori Janz. New client virtualization usage models using intel virtualization technology. Intel Technology Journal, 10(03):205--216, August 2006.
	23	John Scott Robin , Cynthia E. Irvine, Analysis of the Intel Pentium's ability to support a secure virtual machine monitor, Proceedings of the 9th conference on USENIX Security Symposium, p.10-10, August 14-17, 2000, Denver, Colorado
	24	Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, September 1975.
	25	Arvind Seshadri , Mark Luk , Ning Qu , Adrian Perrig, SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
	26	Paul Willmann , Jeffrey Shafer , David Carr , Aravind Menon , Scott Rixner , Alan L. Cox , Willy Zwaenepoel, Concurrent Direct Network Access for Virtual Machine Monitors, Proceedings of the 2007 IEEE 13th International Symposium on High Performance Computer Architecture, p.306-317, February 10-14, 2007  [doi>10.1109/HPCA.2007.346208]
	27	Lenin Singaravelu , Calton Pu , Hermann Härtig , Christian Helmuth, Reducing TCB complexity for security-sensitive applications: three case studies, Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006, April 18-21, 2006, Leuven, Belgium
	28	VMWare. Vmware esx server virtual infrastructure node evaluator's guide, November 2005. http://www.vmware.com/pdf/esx_vin_eval.pdf.
	29	David A. Wheeler. Counting source lines of code (sloc). http://www.dwheeler.com/sloc/.
	30	Jisoo Yang , Kang G. Shin, Using hypervisor to provide data secrecy for user applications on a per-page basis, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA  [doi>10.1145/1346256.1346267]