P.A. Karger et al. A retrospective on the VAX VMM security kernel. 17(11), November 1991.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....their peak popularity in the 1970 s, with several research [27] as well as commercial projects [17, 51] The motivation for using these virtual machines was isolation between virtual machines and testing new operating system releases before full deployment. Later, the VAX VMM Security Kernel [33] used virtual machines to build a system targeted specifically at security issues at a low development cost by avoiding operating system modifications. VMware s Virtual Platform product [62] virtualizes the Intel x86 architecture showing that complex hardware architectures can be virtualized ....

Paul A. Karger, Mary Ellen Zurko, Douglas W. Bonin, Andrew H. Mason, and Clifford E. Kahn. A retrospective on the VAX VMM security kernel. IEEE Transactions on Software Engineering, 17(11):1147--1165, November 1991. Special Section on Security and Privacy.

....by buffering are undesirable, the security problem with buffering arises from a misattribution of burden (cost) By failing to attribute the cost of buffer storage to an appropriate process, the kernel becomes open to attack. The VAX VMM security monitor mitigated this issue using memory quotas [18], but a quota based approach is not practical in efficient IPC systems. Introduction of such a quota mechanism into a synchronous IPC system must eventually result in the delivery of an allocation fault to a usermode exception handler, which is exactly the problem that EROS faces with ....

P. A. Karger, M. E. Zurko, D. W. Bonin, A. H. Mason, and C. E. Kahn. A retrospective on the VAX VMM security kernel. IEEE Transactions on Software Engineering, (11):1147--1165, Nov. 1991.

....[14] VMM) A virtual machine monitor is a thin system software layer that exports the abstractions of virtual machines (VMs) that look like the real hardware. The simplicity of the VMMs interface and implementation provides the means for building a high assurance OS that offers strong isolation [17]. VMM s also provide backwards compatibility, allowing existing services and operating systems to realize the benefits provided by trusted platforms with little or no modification. Users can continue to use their normal operating systems for applications that do not require trust from a remote ....

P.A. Karger, M.E. Zurko, D.W. Bonin, A.H. Mason, and C.E. Kahn. A retrospective on the VAX VMM security kernel. In IEEE Transactions on Software Engineering, November 1991.

....to the underlying hardware is simpler to build and more robust. We are intrigued by the possibility of using transparent instruction set mapping, as is done on the Transmeta Crusoe processor. 6. 3 Small kernel architectures VMMs have served as the foundation of several security kernels [26, 31, 35]. More recently, the NetTop initiative has sought to create secure virtual workstations running on VMWare [40] Our work di#ers from these e#orts in that we aim to provide scalability as well as isolation. Our work also assumes a weaker threat model: we are not concerned with covert channels ....

P.A. Karger, M.E. Zurko, D.W. Bonin, A.H. Mason, and C.E. Kahn. A retrospective on the VAX VMM security kernel. 17(11), November 1991.

....to in [22] Denali exposes a virtual hardware API, whereas Fluke virtualizes at the level of OS API. By virtualizing below abstractions, Denali s kernel is simple, and we avoid layer below vulnerabilities. Virtual machine monitors have served as the foundation of several security kernels [21]. More recently, the NetTop proposal aims to create secure virtual workstations running on VMWare [24] Denali di ers from these e orts in that we aim to provide scalability as well as isolation. We assume a weaker threat model; for example, we are not concerned with covert channels between VMs. ....

P.A. Karger et al. A retrospective on the VAX VMM security kernel. 17(11), November 1991.

....control of operating system, databases and middleware in such a way to make the security mechanisms as relatively independent and self contained components in the systems. Most of operating systems implement authorization logic in the security part of their kernels [9, 18, 19, 23, 25, 30, 31, 35, 42, 44, 45,48, 53, 54, 60, 64] There are also specialpurpose ad on security software packages that furnish authorization decisions for operating systems [9, 15, 16, 32] Abadi et al. 1] and Lampson et al. [39] developed a unified theory of authentication and access control in distributed ....

P. A. Karger, M. E. Zurko, D. W. Bonin, A. H. Mason, and C. E. Kahn, A Retrospective on the VAX VMM Security Kernel, IEEE Transactions on Software Engineering, vol. 17(11), pp. 1147-1165, 1991.

....The concept has being employed in the AC design of operating systems from the early days of computer security. Most operating systems implement authorization logic in the security part of their kernels [Benantar 1996, Curry 1992, DEC 1989, Gligor 1986, Grampp 1984, Heydon 1994, Hommes 1990, Karger 1991, Luckenbaugh 1986, McCauley 1979, McInerney 1999, Mullender 1990, Pfleeger 1989, Quarterman 1985, Saltzer 1974, Walker 1980] Among special purpose ad on security software packages, Computer Associates Access Control Facility 2 (CA ACF2) CA 1998a] and CA Top Secret [CA 1998b] as well as IBM s ....

P. A. Karger, M. E. Zurko, D. W. Bonin, A. H. Mason, and C. E. Kahn, "A Retrospective on the VAX VMM Security Kernel," IEEE Transactions on Software Engineering, vol. 17(11), pp. 1147-1165, 1991.

....a constrained VM, legacy operating systems and applications are executed unmodified and are easily upgraded and replaced even within the context of rapidly evolving software product lifecycles. In the past, some virtual machine monitors, such as the SDC KVM 370 [11, 9, 33, 10] and the DEC VAX SVS [17], have been used to separate mandatory security classes. A secure VMM for the Intel Pentium 1 processor architecture would be very desirable because a single machine could be used to implement critical security policies while also running popular Win32 operating systems and applications. ....

....and objects within a system. It imposes three design requirements on its implementations: 1. The mechanism must be tamperproof. 2. The mechanism must always be invoked. 3. The mechanism must be small enough to be to subject to analysis and tests to ensure completeness. The VAX Security Kernel[17] was a highly secure Type I VMM. The system s hardware, microcode, and software were designed to meet TCSEC Class A1 assurance and security requirements [22] The project also maintained standard VMS and Ultrix 32 interfaces to run COTS operating systems and applications in virtual machines. The ....

P. A. Karger, M. E. Zurko, D. W. Bonin, A. H. Mason, and C. E. Kahn. A Retrospective on the VAX VMM Security Kernel. Transactions on Software Engineering, 17(11):1147--1165, November 1991.

....have only been able to specify and verify toy systems using our logic. Our SVC takes one small step towards practically verifiable security. However, it is unlikely that one could ever use FSC, or even SVC, for verifying real systems since real multilevel secure systems (e.g. as in Karger et al. [23]) are too complex to be completely free of covert channels, even at the specification level (e.g. as in Browne [5] Therefore, they cannot satisfy our ideal notions of security. Nevertheless, we feel it is important to cast ideal security in a precise logical framework. It is our hope that ....

Paul A. Karger, Mary Ellen Zurko, Douglas W. Bonin, Andrew H. Mason, and Clifford E. Kahn. A retrospective on the vax vmm security kernel. IEEE Transactions on Software Engineering, 17(11):1147--1165, November 1991.

....machine monitor for supporting hardware fault containment, and the development of both NUMA and fault containment aware scalable resource balancing and overcommitment mechanisms and policies [Govil99] Govil00] Other uses of virtual machines have been proposed. The VAX VMM Security Kernel [Karger91] used a virtual machine monitor to meet A1 level security requirements using the VMS operating system. Bressoud96] introduced a hypervisor based approach for providing fault tolerance using off the shelf operating systems; the solution is based on running multiple operating system copies in ....

P. Karger, M. Zurko, D. Bonin, A. Mason, and C. Kahn. "A Retrospective on the VAX VMM Security Kernel." IEEE Transactions on Software Engineering, 17(11), pp. 1147-1165, November 1991

....approaches, fault containment, and resource load balancing. 8.1 Virtual machines Virtual machines are not a new idea: numerous research projects in the 1970 s [9] as well as commercial product offerings [5] 20] attest to the popularity of this concept in its heyday. The VAX VMM Security Kernel [12] used virtual machines to build a compatible secure system at a low development cost. While Cellular Disco shares some of the fundamental framework and techniques of these virtual machine monitors, it is quite different in that it adapts the virtual machine concept to address new challenges posed ....

Paul Karger, Mary Zurko, Douglas Bonin, Andrew Mason, and Clifford Kahn. A Retrospective on the VAX VMM Security Kernel. IEEE Transactions on Software Engineering, 17(11), pp. 1147-1165. November 1991.

....that we describe to implement this approach is a software architecture termed a safety kernel, a concept directly analogous to the security kernel used in security applications. Security kernels have been covered extensively in the literature and have been implemented with a number of systems [2,15,22,45]. Safety kernels, on the other hand, have been proposed by a number of groups [33,38,44] but the development of the safety kernel concept has been limited and to the best of our knowledge, none of the proposed systems has been implemented. Given the relative novelty of the idea, the goal of this ....

....whether the required security was guaranteed. Over time however, concepts have been developed that have made the development of secure systems more general, repeatable, and more amenable to verification. One technique employed in developing secure systems is based on the use a security kernel [2,15,22,45]. The concept behind a security kernel is to enforce basic security policies using a relatively simple central mechanism. The typical security problem is to monitor the access of users to objects (typically information) The security kernel approach is to require all references to objects to be ....

Karger, P. A., et al, "A Retrospective on the VAX VMM Security Kernel," IEEE Transactions on Software Engineering, 17-11 (Nov. 1991) pp. 1147-1165.

No context found.

P.A. Karger et al. A retrospective on the VAX VMM security kernel. 17(11), November 1991.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC