Ivannikov Institute for System Programming of the RAS

Virtualization-based separation of privilege: working with sensitive data in untrusted environment.


A. Kossachev, I. Burdonov, P.Iakovenko.


Contemporary commodity operating systems are too big and do not inspire trust in their security and reliability. Still they are used for processing sensitive data due to vast amount of legacy software and good support for virtually all hardware devices. Common approaches used to ensure sensitive data protection are either too strict or not reliable.
In this article we propose virtualization-based approach for preventing sensitive data leaks from a computer running untrusted commodity OS without sacrificing public network connectivity, computer usability and performance. It’s based on separating privileges between two virtual machines: public VM that has unlimited network access and private (isolated) VM that is used for processing sensitive data. Virtual machine monitor uses public VM to provide transparent access to public resources for selected trusted applications running inside private VM on a system call level.
Proposed security architecture allows using one and the same untrusted OS on both virtual machines without need to encrypt any data. However is poses a challenge of enforcing dynamic protection over trusted appli-cations running in potentially compromised OS. We investigate this problem and provide our solution for it.

Full text of the paper in pdf


security architecture, data leak prevention, memory protection, disaggregation, virtualization, virtual machine monitor, VMM, hypervisor.


Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems,2009, pp.1-6.

Research Group

Software Engineering

All publications during 2009 All publications