
D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management

Operating Systems Support and Secure Platforms: Industrial and Academic Open Source Projects


Supporting Technologies: Virtualization

Virtualization technology allows several guest machines (i.e. virtual machines) to share one host machine by means of a Virtual Machine Monitor (VMM). In contrast to other sharing mechanisms, the virtual machine monitor offers its virtual machines the same interface that is provided by the host machine, or by a different native host. This means that several legacy operating systems can be executed on top of the VMM. Therefore, security kernels that provide virtualization are also denoted as secure hypervisors or secure VMMs. Virtualization is a very efficient mechanism for building secure IT systems, since it ensures vertical isolation between the virtual machines.

The combination of Trusted Computing functionality with virtualization techniques seems to be a promising approach for enhancing platform security. The isolation provided by virtualization techniques is necessary to implement the Trusted Computing functionality efficiently. In the following, we give an overview of current virtualization methods.

Hypervisor-based virtualization

Hypervisor-based virtualization ensures full virtualization in the sense that the virtual machine simulates enough hardware to allow an unmodified "guest" OS (one designed for the same CPU) to be run in isolation.

An example is Xen [3], an Open Source virtual machine monitor (VMM), which has been developed by the University of Cambridge and is currently distributed under the GNU General Public License (GPL). Xen is able to execute multiple guest operating systems in a virtual machine (VM) by providing an abstract layer above the computer’s hardware. It supervises and manages the distribution of resources like CPU time or I/O cycles to the guest systems. In order to be able to work with the Xen architecture, the guest operating system’s kernel has to be modified.

IBM Research integrated sHype [79], a hypervisor security architecture, into Xen. sHype provides flexible access control enforcement to strongly isolate and control the sharing of hardware resources and the communication between different VMs. More information about sHype can be found at [79]. 

Since a TPM was not designed to be accessed by multiple operating systems at the same time, IBM Research is about to develop a virtual TPM architecture in order to provide TPM support to all operating systems running on Xen. To realize this, the TPM command set defined in the TCG 1.2 Specification has been extended by virtual TPM management commands which create virtual TPM instances that can be transparently used by all guest operating systems. Thus, software written for hardware TPMs is expected to continue to work without any changes when executed on Xen.
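As an added illustration (not code from the deliverable or from IBM's vTPM implementation), the following Python model shows the property the paragraph describes: a privileged manager keeps one vTPM instance per guest and routes each guest's unchanged TPM 1.2 commands to that guest's own instance, so one guest's PCR extends are invisible to another, while a verifier can still reproduce a guest's PCR from its measurement log. The class and command names, the VM ids and the measurements are assumptions constructed for the example.

```python
import hashlib

PCR_COUNT, DIGEST_LEN = 24, 20        # TPM 1.2: 24 PCRs, each holding a SHA-1 digest
ZERO_PCR = b"\x00" * DIGEST_LEN       # value of every PCR after a TPM reset

class VirtualTPM:
    """One vTPM instance: a private PCR bank, initialised like a freshly reset TPM."""
    def __init__(self) -> None:
        self.pcrs = [ZERO_PCR] * PCR_COUNT
    def pcr_extend(self, index: int, measurement: bytes) -> bytes:
        # TPM 1.2 extend rule: PCR[i] = SHA-1(PCR[i] || measurement)
        if not 0 <= index < PCR_COUNT or len(measurement) != DIGEST_LEN:
            raise ValueError("bad PCR index or digest length")
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()
        return self.pcrs[index]

class VTPMManager:
    """Hypothetical privileged-domain manager: one vTPM per guest, commands routed by VM id."""
    def __init__(self) -> None:
        self._instances: dict[int, VirtualTPM] = {}
    def create_instance(self, vm_id: int) -> None:        # a vTPM *management* command
        self._instances[vm_id] = VirtualTPM()
    def dispatch(self, vm_id: int, command: str, *args):   # an ordinary TPM 1.2 command
        vtpm = self._instances.get(vm_id)                  # a guest can only reach its own vTPM
        if vtpm is None:
            raise PermissionError(f"VM {vm_id} has no vTPM instance")
        if command == "PCR_Extend":
            return vtpm.pcr_extend(*args)
        if command == "PCR_Read":
            return vtpm.pcrs[args[0]]
        raise ValueError(f"unsupported command {command}")

def replay_chain(measurements: list[bytes]) -> bytes:
    """Verifier side of attestation: recompute the expected PCR from the measurement log."""
    pcr = ZERO_PCR
    for m in measurements:
        pcr = hashlib.sha1(pcr + m).digest()
    return pcr

def demo_isolation() -> dict[str, bytes]:
    mgr = VTPMManager()
    for vm_id in (1, 2):
        mgr.create_instance(vm_id)
    # constructed measurements, as guest 1's boot chain might record them
    log1 = [hashlib.sha1(b"guest-1 kernel").digest(), hashlib.sha1(b"guest-1 initrd").digest()]
    for m in log1:
        mgr.dispatch(1, "PCR_Extend", 10, m)
    return {"guest1_pcr10": mgr.dispatch(1, "PCR_Read", 10),
            "guest2_pcr10": mgr.dispatch(2, "PCR_Read", 10),   # untouched by guest 1
            "log1_replay": replay_chain(log1)}
```

Running demo_isolation() shows guest 2's PCR 10 still at its reset value after guest 1 has extended its own PCR 10 twice, and guest 1's value equal to the verifier's replay of its log.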

Instead of modifying legacy operating systems such that they can be executed on top of the underlying abstraction layers, it is also possible to implement a software-based virtual machine monitor allowing the reuse of unmodified legacy operating systems. A common example of software-based VMMs is VMware [VMWa07]. 

VMware Workstation emulates the complete set of hardware (video adapter, network adapter, hard disk adapters) within the virtual environment for the guest operating system. The aim is to let more than one operating system run simultaneously on the same physical machine by sharing its resources.

However, from a security point of view, VMware virtualization is not as effective as hypervisor- or microkernel-based virtualization. It lacks the ability to enforce process isolation at the memory level [webb06], which is usually provided by separation kernels.

Microkernel-based virtualization

A microkernel is a minimized operating system kernel that provides only essential services such as logical address spaces, thread management and inter-process communication (IPC). Processes on top of the microkernel run in their own address spaces and are therefore strongly isolated from each other. In particular, high-privileged code runs in protected memory, which isolates it from potential intrusions.

In microkernel-based virtualization, the largest part of the VMM is realized as a process running in user mode. This reduces the complexity of the code running in supervisor mode. Non-essential services such as networking, the display and device drivers run only in user space. Code in supervisor mode can still perform any operation the hardware supports, such as writing to write-protected memory and switching to arbitrary address spaces. Hence, device-driver processes, for example, must invoke the kernel to perform privileged operations on their behalf, which allows the microkernel to check them for safety and security.

Source: fidis-wp3-del3.9_Study_on_the_Impact_of_Trusted_Computing_on_Identity_and_Identity_Management_v1.1.sxw, page 14 / 38