Proceedings of ISP RAS


Remote Service of System Calls in Microkernel Hypervisor

K. Mallachiev (MSU, Moscow), N. Pakulin (ISP RAS, Moscow)

Abstract

This paper presents further development of the Sevigator hypervisor-based security system. The original design of Sevigator confines users' applications in a separate virtual machine that has no network interfaces. For trusted applications, Sevigator intercepts network-related system calls and routes them to a dedicated virtual machine that services those calls. This design allows Sevigator to protect networking from malicious applications, including high-level intruders residing in the kernel.
Modern microkernel-based hypervisors opened the door to a redesign of Sevigator. Those hypervisors are small operating systems by nature, where management of virtual machines as well as most hardware operations are isolated in processes with low priority level. Compromising such a process does not result in compromising the whole hypervisor.
In this paper we present an experimental design of Sevigator based on the NOVA hypervisor, where system calls of trusted applications are serviced by a dedicated process in the hypervisor rather than a separate VM. The experiment shows about 25% performance gain due to a reduced number of context switches.

Keywords

virtualization, hypervisor, security, microkernel

Edition

Proceedings of the Institute for System Programming, vol. 27, issue 3, 2015, pp. 267-278.

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2015-27(3)-18
