Virtualization-based separation of privilege: working with sensitive data in untrusted environment.
Contemporary commodity operating systems are too big and do not inspire trust in their security and reliability. Still they are used for processing sensitive data due to vast amount of legacy software and good support for virtually all hardware devices. Common approaches used to ensure sensitive data protection are either too strict or not reliable.
In this article we propose virtualization-based approach for preventing sensitive data leaks from a computer running untrusted commodity OS without sacrificing public network connectivity, computer usability and performance. It’s based on separating privileges between two virtual machines: public VM that has unlimited network access and private (isolated) VM that is used for processing sensitive data. Virtual machine monitor uses public VM to provide transparent access to public resources for selected trusted applications running inside private VM on a system call level.
Proposed security architecture allows using one and the same untrusted OS on both virtual machines without need to encrypt any data. However is poses a challenge of enforcing dynamic protection over trusted appli-cations running in potentially compromised OS. We investigate this problem and provide our solution for it.
Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems,2009, pp.1-6.