A Retrospective on the VAX VMM Security Kernel

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

A Retrospective on the VAX VMM Security Kernel

Full text

Publisher Site

Source

IEEE Transactions on Software Engineering archive
Volume 17 , Issue 11 (November 1991) table of contents

Pages: 1147 - 1165

Year of Publication: 1991

ISSN:0098-5589

Authors

Paul A. Karger
Mary Ellen Zurko
Douglas W. Bonin
Andrew H. Mason
Clifford E. Kahn

Publisher

IEEE Press Piscataway, NJ, USA

Bibliometrics

Downloads (6 Weeks): n/a, Downloads (12 Months): n/a, Citation Count: 28

Additional Information:

abstract references cited by index terms review collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	10.1109/32.106971

ABSTRACT

The development of a virtual-machine monitor (VMM) security kernel for the VAX architecture is described. The focus is on how the system's hardware, microcode, and software are aimed at meeting A1-level security requirements while maintaining the standard interfaces and applications of the VMS and ULTRIX-32 operating systems. The VAX security kernel supports multiple concurrent virtual machines on a single VAX system, providing isolation and controlled sharing of sensitive data. Rigorous engineering standards were applied during development to comply with the assurance requirements for verification and configuration management. The VAX security kernel has been developed with a heavy emphasis on performance and system management tools. The kernel performs sufficiently well that much of its development was carried out in virtual machines running on the kernel itself, rather than in a conventional time-sharing system.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	{1} R. R. Schell, "Computer security: the Achilles heel of the electronic air force?" <i>Air Univ. Rev.</i>, vol. XXX, pp. 16-33, Jan.-Feb. 1979.
	2	Butler W. Lampson, A note on the confinement problem, Communications of the ACM, v.16 n.10, p.613-615, Oct. 1973 [doi>10.1145/362375.362389]
	3	Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976 [doi>10.1145/360303.360333]
	4	Steven B. Lipner, A comment on the confinement problem, Proceedings of the fifth ACM symposium on Operating systems principles, p.192-196, November 19-21, 1975, Austin, Texas, United States
	5	Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976 [doi>10.1145/360051.360056]
	6	{6} "Department of defense trusted computer system evaluation criteria," DOD, Washington, DC, DOD 5200.28-STD, Dec. 1985.
	7	{7} S. Blotcky, K. Lynch, and S. Lipner, "SE/VMS: implementing mandatory security in VAX/VMS," in <i>Proc. 9th Nat. Comput. Security Conf.</i> (Gaithersburg, MD), 15-18 Sept. 1986, pp. 47-54.
	8	{8} D. E. Bell and L. J. LaPadula, "Computer security model: unified exposition and Multics interpretation," MITRE Corp., Bedford, MA, HQ Electron. Syst. Div., Hanscom AFB, MA, Tech. Rep. ESD-TR-75-306, June 1975.
	9	{9} K. J. Biba, "Integrity considerations for secure computer systems," MITRE Corp., Bedford, MA, HQ Electron. Syst. Div., Hanscom AFB, MA, Tech. Rep. ESD-TR-76-372, Apr. 1977.
	10	{10} "Guide to VMS system security," Digital Equip. Corp., Maynard, MA, Order No. AA-LA40B-TE, June 1989.
	11	{11} J. Whitmore <i>et al.</i>, "Design for Multics security enhancements," Honeywell Inform. Syst., Inc., HQ Electron. Syst. Div., Hanscom AFB, MA, Tech. Rep. ESD-TR-74-176, Dec. 1973.
	12	{12} P. A. Karger, "Computer security research at Digital," in <i>Proc. 3rd Seminar on the DoD Comput. Security Initiative Program</i> (Gaithersburg, MD), 18-20 Nov. 1980, pp. E-1-E-6.
	13	Timothy E. Leonard, VAX architecture reference manual, Digital Press, Newton, MA, 1987
	14	Stuart E. Madnick , John J. Donovan, Application and analysis of the virtual machine approach to information system security and isolation, Proceedings of the workshop on virtual computer systems, p.210-224, March 26-27, 1973, Cambridge, Massachusetts, United States [doi>10.1145/800122.803961]
	15	{15} R. Rhode, "Secure multilevel virtual computer systems," MITRE Corp., Bedford, MA, HQ Electron. Syst. Div., Hanscom AFB, MA, Tech. Rep. ESD-TR-74-370, Feb. 1975.
	16	{16} B. D. Gold <i>et al.</i>, "A security retrofit of VM/370," in <i>AFIPS Conf. Proc.</i>, vol. 48, <i>1979 Nat. Comput. Conf.</i> (Montvale, NJ), 1979, pp. 335-344.
	17	{17} B. D. Gold, R. R. Linde, and P. F. Cudney, "KVM/370 in retrospect," in <i>Proc. 1984 Symp. Security and Privacy</i> (Oakland, CA), 29 Apr.- 2 May 1984, pp. 13-23.
	18	Morrie Gasser, Building a secure computer system, Van Nostrand Reinhold Co., New York, NY, 1988
	19	Gerald J. Popek , Robert P. Goldberg, Formal requirements for virtualizable third generation architectures, Communications of the ACM, v.17 n.7, p.412-421, July 1974 [doi>10.1145/361011.361073]
	20	{20} P. A. Karger, T. E. Leonard, and A. H. Mason, "Computer with virtual machine mode and multiple protection rings," U.S. Patent No. 4787031, 22 Nov. 1988.
	21	Judith S. Hall , Paul T. Robinson, Virtualizing the VAX architecture, Proceedings of the 18th annual international symposium on Computer architecture, p.380-389, May 27-30, 1991, Toronto, Ontario, Canada
	22	{22} R. P. Goldberg, "Architectural principles for virtual computer systems," Ph.D. thesis, Div. Eng. and Appl. Phys., Harvard Univ., Cambridge, MA, Feb. 1973 (published as ESD-TR-73-105, HQ Electron. Syst. Div., Hanscom AFB, MA).
	23	Gerald J. Popek , Charles S. Kline, The PDP-11 virtual machine architecture: A case study, Proceedings of the fifth ACM symposium on Operating systems principles, p.97-105, November 19-21, 1975, Austin, Texas, United States
	24	{24} M. D. Vahey, "A virtualizer efficiency device for virtual machines," M.S. thesis, UCLA, 1975.
	25	{25} "A proposed interpretation of the TCSEC for virtual machine architectures," Trusted Inform. Syst., Inc., Glenwood, MD, Tech. Rep. draft, 31 Mar. 1989.
	26	{26} T. A. Berson and G. L. Barksdale, Jr., "KSOS--development methodology for a secure operating system," in <i>AFIPS Conf. Proc.</i>, vol. 48, 1979 Nat. Comput. Conf., (Montvale, NJ), 1979, pp. 365-371.
	27	Stuart E. Madnick , John J. Donovan, Operating Systems, McGraw-Hill, Inc., New York, NY, 1974
	28	{28} P.R. Halmos, <i>Naive Set Theory</i>. New York: Van Nostrand Reinhold, 1960.
	29	Edsger W. Dijkstra, The structure of the “THE”-multiprogramming system, Communications of the ACM, v.11 n.5, p.341-346, May 1968 [doi>10.1145/363095.363143]
	30	P. A. Janson, USING TYPE EXTENSION TO ORGANIZE VIRTUAL MEMORY MECHANISMS, Massachusetts Institute of Technology, Cambridge, MA, 1976
	31	D. P. Reed, PROCESSOR MULTIPLEXING IN A LAYED OPERATING SYSTEM, Massachusetts Institute of Technology, Cambridge, MA, 1976
	32	{32} L. A. Cox, Jr. and R. R. Schell, "The structure of a security kernel for a Z8000 multiprocessor," in <i>Proc. 1981 Symp. on Security and Privacy</i> (Oakland, CA), 27-29 Apr. 1981, pp. 124-129.
	33	David P. Reed , Rajendra K. Kanodia, Synchronization with eventcounts and sequencers, Communications of the ACM, v.22 n.2, p.115-123, Feb. 1979 [doi>10.1145/359060.359076]
	34	{34} K. F. Seiden and J. P. Melanson, "The auditing facility for a VMM security kernel," in <i>Proc. 1990 IEEE Symp. Res. in Security and Privacy</i> (Oakland, CA), 7-9 May 1990, pp. 262-277.
	35	{35} "VMS analyze/disk-structure utility manual," Digital Equip. Corp., Maynard, MA, Order No. AA-LA39A-TE, Apr. 1988.
	36	{36} J. Nagle, "Update on the kernelized security operating system (KSOS)," in <i>Proc. 3rd Seminar on the DoD Comput. Security Initiative Program</i> (Gaithersburg, MD), 18-20 Nov. 1980, pp. Q-1-Q-7.
	37	{37} L. J. Fraim, "SCOMP: A solution to the multilevel security problem," <i>Computer</i>, vol. 16, pp. 26-34, July 1983.
	38	{38} W. R. Shockley, T. F. Tao, and M. F. Thompson, "An overview of the GEMSOS class A1 technology and application experience," in <i>Proc. 11th Nat. Comput. Security Conf.</i>, 17-20 Oct. 1988, pp. 238-245.
	39	{39} J. Scheid, S. Anderson, R. Martin, and S. Holtzberg, "The Ina Jo specification language reference manual--release 1," System Development Corp., Santa Monica, CA, TM 6021/001/02, 1986.
	40	{40} R. A. Kemmerer, "A practical approach to identifying storage and timing channels," in <i>Proc. 1982 Symp. Security and Privacy</i> (Oakland, CA), 26-28 Apr. 1982, pp. 66-73.
	41	Marvin Schaefer , Barry Gold , Richard Linde , John Scheid, Program confinement in KVM/370, Proceedings of the 1977 annual conference, p.404-410, January 1977 [doi>10.1145/800179.1124633]
	42	{42} P. A. Karger and J. C. Wray, "Storage channels in disk arm optimization," in <i>Proc. 1991 IEEE Comput. Soc. Symp. on Res. in Security and Privacy</i> (Oakland, CA), 20-22 May 1991, pp. 52-61.
	43	{43} J. C. Wray, "An analysis of covert timing channels," in <i>Proc. 1991 IEEE Comput. Soc. Symp. on Res. in Security and Privacy</i> (Oakland, CA), 20-22 May 1991, pp. 2-7.
	44	{44} W.-M. Hu, "Reducing timing channels with fuzzy time," in <i>Proc. 1991 IEEE Comput. Soc. Symp. on Res. in Security and Privacy</i> (Oakland, CA), 20-22 May 1991, pp. 8-20.
	45	{45} P. A. Karger, "Preliminary design of a VAX-11 virtual machine monitor security kernel," Digital Equip. Corp., Hudson, MA, Tech. Rep. DEC TR-126, 13 Jan. 1982.
	46	{46} "VAX-11/730 central processing unit technical description," Digital Equip. Corp., Maynard, MA, EK-KA730-TD-001, May 1982.
	47	{47} S. N. Mishra, "The VAX 8800 microarchitecture," <i>Digital Tech. J.</i>, pp. 20-33, Feb. 1987.
	48	{48} S. Hill, "Secret service vets Unix," <i>Comput. Weekly</i>, p. 1, 26 Apr. 1990.
	49	CORPORATE National Research Council, Computers at risk: safe computing in the information age, National Academy Press, Washington, DC, 1991
	50	{50} "Minutes of the first workshop on covert channel analysis," <i>Cipher: Newsletter IEEE Comput. Soc. Tech. Committee on Security and Privacy</i>, July 1990.

CITED BY 28

	Kinshuk Govil , Dan Teodosiu , Yongqiang Huang , Mendel Rosenblum, Cellular Disco: resource management using virtual clusters on shared-memory multiprocessors, ACM SIGOPS Operating Systems Review, v.33 n.5, p.154-169, Dec. 1999
	Kinshuk Govil , Dan Teodosiu , Yongqiang Huang , Mendel Rosenblum, Cellular disco: resource management using virtual clusters on shared-memory multiprocessors, ACM Transactions on Computer Systems (TOCS), v.18 n.3, p.229-262, Aug. 2000
	Tal Garfinkel , Ben Pfaff , Jim Chow , Mendel Rosenblum , Dan Boneh, Terra: a virtual machine-based platform for trusted computing, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	George W. Dunlap , Samuel T. King , Sukru Cinar , Murtaza A. Basrai , Peter M. Chen, ReVirt: enabling intrusion analysis through virtual-machine logging and replay, ACM SIGOPS Operating Systems Review, v.36 n.SI, Winter 2002
	Donald Mackenzie , Garrel Pottinger, Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military, IEEE Annals of the History of Computing, v.19 n.3, p.41-59, July 1997
	Donald Mackenzie , Garrel Pottinger, Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military, IEEE Annals of the History of Computing, v.19 n.3, p.41-59, July 1997
	Donald Mackenzie , Garrel Pottinger, Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military, IEEE Annals of the History of Computing, v.19 n.3, p.41-59, July 1997
	Andrew Whitaker , Marianne Shaw , Steven D. Gribble, Scale and performance in the Denali isolation kernel, ACM SIGOPS Operating Systems Review, v.36 n.SI, Winter 2002
	James W. Gray, III , Paul F. Syverson, A logical approach to multilevel security of probabilistic systems, Distributed Computing, v.11 n.2, p.73-90, April 1998
	Andrew Whitaker , Richard S. Cox , Marianne Shaw , Steven D. Gribble, Rethinking the Design of Virtual Machine Monitors, Computer, v.38 n.5, p.57-62, May 2005
	Andrew Whitaker , Marianne Shaw , Steven D. Gribble, Scale and performance in the Denali isolation kernel, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts
	Sam Weber , Paul A. Karger , Amit Paradkar, A software flaw taxonomy: aiming tools at security, ACM SIGSOFT Software Engineering Notes, v.30 n.4, July 2005
	George W. Dunlap , Samuel T. King , Sukru Cinar , Murtaza A. Basrai , Peter M. Chen, ReVirt: enabling intrusion analysis through virtual-machine logging and replay, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts
	Lionel Litty , David Lie, Manitou: a layer-below approach to fighting malware, Proceedings of the 1st workshop on Architectural and system support for improving software dependability, p.6-11, October 21-21, 2006, San Jose, California
	Paul A. Karger, Performance and security lessons learned from virtualizing the alpha processor, ACM SIGARCH Computer Architecture News, v.35 n.2, May 2007
	Peter Gutmann, An open-source cryptographic coprocessor, Proceedings of the 9th conference on USENIX Security Symposium, p.8-8, August 14-17, 2000, Denver, Colorado
	John Scott Robin , Cynthia E. Irvine, Analysis of the Intel Pentium's ability to support a secure virtual machine monitor, Proceedings of the 9th conference on USENIX Security Symposium, p.10-10, August 14-17, 2000, Denver, Colorado
	Tal Garfinkel , Mendel Rosenblum , Dan Boneh, Flexible OS support and applications for trusted computing, Proceedings of the 9th conference on Hot Topics in Operating Systems, p.25-25, May 18-21, 2003, Lihue, Hawaii
	Maxwell Krohn , Petros Efstathopoulos , Cliff Frey , Frans Kaashoek , Eddie Kohler , David Mazières , Robert Morris , Michelle Osborne , Steve VanDeBogart , David Ziegler, Make least privilege a right (not a privilege), Proceedings of the 10th conference on Hot Topics in Operating Systems, p.21-21, June 12-15, 2005, Santa Fe, NM
	Samuel T. King , George W. Dunlap , Peter M. Chen, Operating system support for virtual machines, Proceedings of the USENIX Annual Technical Conference 2003 on USENIX Annual Technical Conference, p.6-6, June 09-14, 2003, San Antonio, Texas
	Stephen T. Jones , Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau, VMM-based hidden process detection and identification using Lycosid, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA
	Bryan D. Payne , Reiner Sailer , Ramón Cáceres , Ron Perez , Wenke Lee, A layered approach to simplified access control in virtualized systems, ACM SIGOPS Operating Systems Review, v.41 n.4, July 2007
	Sandra Rueda , Yogesh Sreenivasan , Trent Jaeger, Flexible security configuration for virtual machines, Proceedings of the 2nd ACM workshop on Computer security architectures, October 31-31, 2008, Alexandria, Virginia, USA
	Yan Wen , Jinjing Zhao , Huaimin Wang, Hiding "real" machine from attackers and malware with a minimal virtual machine monitor, Proceedings of the 4th international conference on Security and privacy in communication netowrks, September 22-25, 2008, Istanbul, Turkey
	Victor Yodaiken , Cort Dougan, Active semantically aware hard real-time security hypervisors, Proceedings of the 4th annual workshop on Cyber security and informaiton intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead, May 12-14, 2008, Oak Ridge, Tennessee
	Diwaker Gupta , Ludmila Cherkasova , Rob Gardner , Amin Vahdat, Enforcing performance isolation across virtual machines in Xen, Proceedings of the ACM/IFIP/USENIX 2006 International Conference on Middleware, November 01-01, 2006, Melbourne, Australia
	Paul A. Karger, Securing virtual machine monitors: what is needed?, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
	Indrajit Roy , Donald E. Porter , Michael D. Bond , Kathryn S. McKinley , Emmett Witchel, Laminar: practical fine-grained decentralized information flow control, ACM SIGPLAN Notices, v.44 n.6, June 2009

INDEX TERMS

Primary Classification:
D. Software
D.4 OPERATING SYSTEMS
D.4.0 General

Nouns: VAX/VMS

Additional Classification:
B. Hardware

C. Computer Systems Organization

D. Software
D.4 OPERATING SYSTEMS
D.4.6 Security and Protection
Subjects: Security kernels**

General Terms:
Design, Human Factors, Reliability, Security

Keywords:
A1-level security requirements, DEC computers, ULTRIX-32 operating systems, VAX VMM, configuration management, controlled sharing, isolation, microcode, multiple concurrent virtual machines, security kernel, security of data, sensitive data, standard interfaces, supervisory programs, system management tools, virtual machines, virtual-machine monitor

REVIEW

"Matthew Allen Bishop : Reviewer"

This well-written, complete retrospective covers the design and implementation of a security kernel that is also a virtual machine monitor (VMM). This work differs from related work in that its goal was to build a production kernel that could more...

Collaborative Colleagues:

Paul A. Karger: colleagues

Mary Ellen Zurko: colleagues

Douglas W. Bonin: colleagues

Andrew H. Mason: colleagues

Clifford E. Kahn: colleagues