Hypervisor technology is beginning to sprout up in real-time telecommunications, mobile devices and other electronics products. But embedded systems have different requirements from data centres, and a highly secure virtualisation environment enables some compelling applications.
A number of studies of virtualisation security and successful subversions of hypervisors have been published, demonstrating that the risk of an 'escape' from the virtual machine (VM) layer, which would expose all the guests, is very real. According to one analyst: "Virtualisation is essentially a new operating system … and it enables an intimate interaction between underlying hardware and the environment. The potential for messing things up is significant."
There is more to security than using the word 'secure' or 'trusted' in product names and, sadly, the world has become accustomed to the 'fail first, patch later' mentality of insecure software. Thus, many of the world's systems run insecure operating systems and hypervisors, leaving them open to compromise.
Secure virtualisation
Hypervisors typically employ a monolithic architecture, which requires a large body of operating software, including device drivers and middleware, to support the execution of one or more guest environments. In addition, the monolithic architecture often uses a single virtualisation component (itself a complicated piece of software) to support multiple guest environments. Thus, a single flaw in the hypervisor may result in a compromise of the fundamental guest environment separation intended by virtualisation in the first place.
An alternative, but similarly insecure, approach uses a trimmed-down hypervisor that runs in the microprocessor's privileged mode, but which employs a special guest OS to handle I/O control and services for the other guests. Thus, a complex, monolithic body of software must still be relied upon for system security.
Green Hills Software's virtualisation architecture places virtualisation complexity and related I/O drivers and middleware into user-mode applications outside the trusted computing base, which contains only the secure microkernel: GHS' INTEGRITY. The microkernel provides low-level hardware support, resource partitioning and scheduling for the virtual environments. A separate instance of the virtualisation infrastructure is used for each guest environment, precluding cross-VM escapes.
The combination of virtualised and native applications on one processor provides a compelling cost- and power-efficient operating environment, ideal for embedded electronics and portable devices (see figure 1). This hybrid model also takes advantage of multicore processors by enabling concurrent execution of native and virtualised subsystems.
The flexibility afforded by virtualisation has proven powerful in the data centre and promises even more varied and compelling advantages throughout the electronics world. However, the proper virtualisation architecture can drastically improve security without sacrificing the utility of legacy software. INTEGRITY is appropriate for electronic products that demand a high level of security, reliability, and functionality.