Virtualization technology, which is an abstraction of computer resource that we can access, is a key technology of cloud computing. As the virtualization technology is becoming widely used, virtualization security problems will gain more and more attention.
This course introduces basic knowledge on Xen virtualization and Intel hardware virtualization technologies. In the meantime, two kinds of security vulnerabilities and threats in the Xen hypervisor technology are inlcuded.The first one is about the vulnerabilities and threats in a Xen-based cloud computing environment while the second one is about those in the Xen-based virtualized platform itself. What's more, something about XSM(Xen Security Modules) architecture and sample security policies enforced in Xen hypervisor, as well as the Intel VT-d IOMMU support technology, are also introduced. At the same time, some mitigation technologies, including secure VM(virtual machine) migration mechanism, VM safety monitoring technology, covert channel analysis technology between VMs, and virtual trusted platform technology are explained with case study.
We are integrating following teaching contents into our undergraduate course 1A007 "Principles of Operating System" and our graduate course 0BI04 “Operating System and Virtualization Security”.
|Related resources:||Xen source code, Compiling Xen From Source, Xen Beginners Guide|
|Ubuntu, Fedora, OpenSUSE|
|Related resources:||Installation Guide of GuestOS and covert channel configuration based on Xen(PDF)|
|Xen covert channel code(Download)|
|Xen covert channel Demonstration(Video)|
Here are all the related course slides. In addition, we provide some reading lists for you.
|Introduction to Virtualization （slides）|
|Hardware virtualization technology and its security (slides)|
|Security technology of system virtualization platform (slides)|
|Virtual Trusted Platform Technology (slides)|
|1. Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield. (2003). "Xen and the art of virtualization." ACM SIGOPS Operating Systems Review 37(5): 164-177.|
|2. Hiremane, R. (2007). "Intel virtualization technology for directed I/O (Intel VT-d)." Technology@ Intel Magazine 4(10).|
|3. G Neiger, A Santoni, F Leung, D Rodgers, R Uhlig. (2006). "Intel virtualization technology: Hardware support for efficient processor virtualization." Intel Technology Journal 10(3): 167-177.|
|4. Coker, G. (2006). "Xen security modules (xsm)." Xen Summit: 1-33.|
|5. Cherkasova, L. and R. Gardner (2005). Measuring CPU Overhead for I/O Processing in the Xen Virtual Machine Monitor. USENIX Annual Technical Conference, General Track.|
|6.Uhlig Rich, Neiger Gil, Rodgers Dion, Santoni Amy L, Martins Fernando CM, Anderson Andrew V, Bennett Steven M, Kagi Alain, Leung Felix H, Smith Larry (2005). "Intel virtualization technology." Computer 38(5): 48-56.|
|7. Timothy Wood, Prashant Shenoy, Arun Venkataramani, and Mazin Yousif. (2007). Black-box and gray-box strategies for virtual machine migration. Proceedings of the 4th USENIX conference on Networked systems design & implementation.|
|8. D Challener, K Yoder, R Catherman, D Safford. (2007). A practical guide to trusted computing, IBM press.|
|9. Trusted Computing Group TPM Working Group. TPM Main Part 1 Design Principles. Specification, Specification version 1.2 Level 2 Revision 103 (July 9, 2007), http://www.trustedcomputinggroup.org/files/static_page_files/72C26AB5-1A4B-B294-D002BC0B8C062FF6/TPM%20Main-Part%201%20Design%20Principles_v1.2_rev116_01032011.pdf|
|10. R Perez, R Sailer, L van Doorn. (2006). vTPM: virtualizing the trusted platform module. Proc. 15th Conf. on USENIX Security Symposium.|
|11. Salaün, M. (2010). "Practical overview of a Xen covert channel." Journal in computer virology 6(4): 317-328.|
|12. Jianjun Shen, Sihan Qing, Qingni Shen, Liping Li. (2005). Optimization of covert channel identification. Security in Storage Workshop, 2005. SISW'05. Third IEEE International, IEEE.|
|13. Yangwei Li, Qingni Shen, Cong Zhang, Pengfei Sun, Ying Chen, Sihan Qing. (2012). A Covert Channel Using Core Alternation. Advanced Information Networking and Applications Workshops (WAINA), 2012 26th International Conference on, IEEE.|
|16. 沈晴霓，卿斯汉等，操作系统安全设计，北京：机械工业出版社，To be published in 2013.8|
Project Leader: Dr. Qingni Shen, Associate Professor, School of Software and Microelectronics, Peking University. Researcher, MoE Key Lab of Network and Software Assurance, Peking University