This paper proposes enhancing trusted domain enforcement through a VMM interruption mechanism. Current systems lack fine-grained input validation and dynamic access control to resources. The proposed system detects illegal inputs and moves processes to an untrusted domain for sandboxing. When an invalid input is detected, the guest OS notifies the VMM through virtualized interrupts. The VMM then isolates the compromised domain by disabling its network and block devices. The system was implemented through Linux kernel patches and a security module to validate inputs and enforce domain transitions. Performance testing showed the module approach had lower overhead than modifying the kernel directly.

1. An Enhancement of Trusted
Domain Enforcement Using VMM
Interruption Mechanism
National Institute of Information and
Communication Technology
Ruo Ando, Youki Kadobayashi and
Yoichi Shinoda
IEEE International Symposium on Trusted Computing
(TrustCom 2008), Hunan China, June 2008

2. Introduction:
current computer system needs input validation for
dynamic access control and isolation
■ Current computer system lacks …
Input validation
Dynamic access control
Secure isolation
In this paper we propose improvement of input validation using trusted domain
enforcement. Isolation and dynamic access control is improved by VMM
(virtual machine monitor).
■ In this paper we propose an trusted domain enforcement using VMM
interruption mechanism. In proposed system, TE (type enforcement)
has become dynamic with process centric approach which is called as trusted
domain enforcement.
■ In proposed system, illegal input to system resources such as file, memory and
socket is detected, the system is moved to un-trusted domain which makes it
the system more secure and robust for security incident exploiting malicious
input.
■ We apply the modification and implementation of VMM (Virtual machine
monitor) for proposed system. Virtual machine monitor

3. Related work: computer security and virtual machine
introspection
■ In recent trend of computer security,
application of virtualization technologies (仮想化技術）for system protection is being
well-researched.
Related work: three hypervisor based security extesion.
■ Shype: A secure hypervisor develped by IBM research. MAC (Mandatory Access
Control) is inserted into hypervior
■ PlluxVM: A Secure Virtual Execution Environment for Untrusted Code 1997 National
University of Defense Technology, Changsha, China
■ Xen Access: A security improvement of XEN virtual machine monitor. Inspection
module for OS modification is inserted.
However, input validation with dynamic resource access control has not been
proposed and implemented. In this paper In this paper we propose an trusted
domain enforcement using VMM interruption mechanism.

4. Classification of five virtualization technologies.
There are 5 kinds of virtualization
methods.
[1][2]Logical / physical partition:
Multiboot. Operating systems
cannot run in at the Same time.
[3][4]VM / VMM OS or VM runs
virtually at the same time.
[5]HOSTING / virtual OS
Multiprogramming.
Application and virtulized OS
runs on the same kernel
at same the time.
VMM is new in the point that a
thin layer is inserted below the
operating system. VM and
resource monitor is constructed
on OS.

5. Trusted Domain Enforcement (1)
input validation
■Current computer security lacks fine-grained input
validation for resource access.
■ For example, boundary check such as string copy is well
researched and implemented. However, input validation
about resource access about which process accesses
which resources such as file, sockets and part of
memory has not been implemented.
■ Current security incidents such as information leakage
needs later one: input validation about resource access

6. Trusted Domain Enforcement (2)
■ TE (Type Enforcement) + MAC
(Mandatory Access Control)
Process based
■ Dynamic resource access control and
sandboxing

7. Proposed system: An enhancement of trusted domain
enforcement using VMM interruption mechanisms
VIRTUALIZED
ETH0VIRBR0
REAL
ETH0
DOMAIN 0
(HOST OS)
DOMAIN U
(GUEST OS) TDE=0
VIRTUALIZED
ETH0VIRBR0
REAL
ETH0
DOMAIN 0
(HOST OS)
DOMAIN U
(GUEST OS) TDE=1
XEND
XEND
UP(NAT)
DOWN
VMM(XEN)
VMM(XEN)
UNPROTECTED
INPUT
SANDBOXING DOMAIN U
When an unprotected (invalid)
input for user (virtualized Domain)
is detected, this is notified and
transferred as interruption
between guest domain and
host domain.
When the domain 0 (control
domain) is received interruption
as incident notification, control
Process on domain 0 isolate
Domain U by some means such
As de-activating virtualized NIC
(network interface card) and
Block device driver.

8. Trusted Domain Enforcement:
structure illustration from black list based to white list based.
PROCESS CAPABILITY
BLACK-LIST ACL
TRUSTED DOMAIN
UNTRUSTED DOMAIN
TRUSTED DOMAIN
UNTRUSTED DOMAIN
PROCESS CAPABILITY
WHITE-LIST ACL
PROHIBITED
RESOURCE
RESOURCE
UNPROTECTED INPUT When the unprotected
(invalid) input for trusted
domain is detected, the
domain is moved to
un-trusted domain.
After transition from
trusted domain to
un-trusted domain,
access control list is
moved to black-list based
to white list based.

9. Trusted Domain Enforcement:
flow chart
There are 2 phase checks,
[1] If the process is under TDE or not ?
[2] If the resource the process is going
to access is write protected or not ?
About [1], we modified the
struct task_struct in Linux source code.
About [2], inspection module checks
Struct d_entry in the Linux source code.
About terminate process and isolation
We modified the source of VMM side.

10. Notification from guest OS (domain) to VMM as virtualized
interruption.
FRONTEND KERNEL MODULE
BACKEND KERNEL MODULE
GUEST OS
I / O REQUEST
DRIVERS / DEVICES
I / O REQUEST
EVENT CHANNEL SHARED MEMORY
VIRTUALIZED
ETH0VIRBR0
REAL
ETH0
DOMAIN 0
(HOST OS)
DOMAIN U
(GUEST OS) TDE=0
VIRTUALIZED
ETH0VIRBR0
REAL
ETH0
DOMAIN 0
(HOST OS)
DOMAIN U
(GUEST OS) TDE=1
XEND
XEND
UP(NAT)
DOWN
VMM(XEN)
VMM(XEN)
UNPROTECTED
INPUT
SANDBOXING DOMAIN U

11. Implementation:
Kernel Patch and Linux Security Module
■ Input validation
Kernel patch: Input validation module is inserted into
kernel source code of Linux operating system.
LSM: Linux Security Module is an security extension for
Linux operating system. LSM is implemented as kernel
module (device driver).
■ Domain enforcement
Domain enforcement is implemented by modification of
data structure about process (task_struct) and
interruption module in virtual machine monitor.

12. Performance output
kernel patch vs LSM

13. Conclusion:
current computer system needs input validation for
dynamic access control and isolation
■ Current computer system lacks …
Input validation
Dynamic access control
Secure isolation
In this paper we propose improvement of input validation using trusted domain
enforcement. Isolation and dynamic access control is improved by VMM (virtual
machine monitor).
■ In this paper we propose an trusted domain enforcement using VMM
interruption mechanism. In proposed system, TE (type enforcement)
has become dynamic with process centric approach which is called as trusted
domain enforcement.
■ In proposed system, illegal input to system resources such as file, memory and
socket is detected, the system is moved to un-trusted domain which makes it the
system more secure and robust for security incident exploiting malicious input.
■ We apply the modification and implementation of VMM (Virtual machine monitor)
for proposed system. Virtual machine monitor