In the last post of this series, we described the value proposition of the Cyberus Secure Virtualization Platform (SVP). This post goes into more technical details.
In this post we will talk about:
- SVP as a fast, flexible and secure virtualization platform.
- How the open-source Hedron Hypervisor enables uniquely flexible virtualization solutions
- How our microkernel-based virtualization stack enables a small Trusted Compute Base for high-security use-cases
- Enabling great performance through pass-through virtualization
At Cyberus Technology we have built our virtualization platform from scratch. We have chosen a microkernel-based architecture for SVP. This allows us to meet customer demands and still provide a system that is easily certifiable.
Security Through Simplicity
Traditional operating system kernels, such as the Windows and the Linux kernel, are huge and come with millions of lines of code. A lot of functionality is provided within these kernels and all code providing this functionality runs in a privileged CPU mode. For security this creates two problems: First it is hard to reason about the code and second the amount of bugs and security issues tends to scale with the amount of code in a linear fashion.
All of this code needs to be trusted to be correct by any application running on top. It is also called the Trusted Compute Base (TCB) and reducing this has been a hot topic in operating systems research.
Our open-source microkernel Hedron ² comes in at roughly 10 thousand lines of code, thus reducing the TCB by two orders of magnitude compared to traditional operating system kernels. Hedron is at a size that can still be understood by a single person. Most of the functionality is implemented in isolated components running in a less privileged mode, called user-space. This is important because you only need to understand a single component to be able to understand what it does and which role it plays. This is important for security, but it also provides the nice benefit that it is far easier to track bugs. In general this kind of component- based system is easier to understand. This in turn makes it easier for developers to create correct code and easier for reviewers to certify a system's safety, security and correctness.
Having lots of small components also provides flexibility. While the Hedron and Supernova components provide basic virtualization primitives, we have developed a number of other components that can be combined to provide value.
Existing virtualization solutions usually emulate a number of devices in order to be able to run multiple virtual machines at the same time. This is necessary, for example when you want to run two VMs with network access, but only have one networking card in your system. While modern technologies like SR-IOV¹ make this easier this design still creates a lot of performance overhead and is not always necessary. Sometimes it is preferable to pass-through the actual hardware.
In SVP we are able to run a special kind of VM, that has access to the real hardware. Within this VM, which we call Control VM, we can run a deprivileged Linux system and Virtualbox in order to provide a full virtualization solution, or we can run Windows and malware samples as an analysis system.
Usually Virtualbox talks to its own kernel module to provide virtual machines. In the case of SVP Virtualbox talks to our own SLVM kernel module, which is a shim that forwards all calls to the SVP API, running in user-mode on the host system. This allows for a much smaller Linux system in the Control VM.
This design also allows us to move functionality from Virtualbox to SVP, either for performance reasons, or for security reasons. In the case of Graphics Virtualization we have moved the graphics stack from Virtualbox to SVP.
The Road Ahead
The flexible nature of SVP will allow us to provide more modules in the future. Think of a micro-VMM that allows special purpose VMs, running library operating systems ³ ⁴, just for networking. Or a specialized VMM to run cloud native applications directly on top of SVP.
We are also working on our own SDK, that will allow developers to easily build secure systems with their own components using the SVP platform, using the same libraries and languages they already are familiar with.