A Virtualization Architecture for In-Depth Kernel Isolation

Recent advances in virtualization technologies have sparked a renewed interest in the use of kernel and process virtualization as a security mechanism to enforce resource isolation and management. Unfortunately, virtualization solutions incur performance overhead. The magnitude of this overhead is directly proportional to the extend of virtualization they offer: full virtualization incurs an additional indirection layer to interface with the ever increasing hardware devices.In this paper, we propose a hypervisor-assisted, micro-kernel architecture which aims to provide in-depth resource isolation without the performance penalty of full virtualization. To that end, we extend the hypervisor capabilities with a lightweight VMM which enforces "identity context\´\´ to all assigned devices for each of the hosted kernels. Furthermore, we separate the control from the data plane for all hardware devices using data memory mapping and modifications of the native device drivers to divert control flow via the hypervisor. Our approach is layered, accommodating a wide-range of devices from legacy to experimental devices capable to provide native, in-silicon context separation.