AN APPROACH TO INFORMATION SYSTEM ISOLATION AND SECURITY IN A SHARED FACILITY

by Stuart E. Madnick* and John J. Donovan**

March 1973    648-73

This paper is based upon a paper entitled "Application and Analysis of the Virtual Machine Approach to Information System Security and Isolation" that was presented at the ACM Workshop on Virtual Computer Systems, March 26-27, 1973, Harvard University, Cambridge, Massachusetts.

ABSTRACT

Security is an important factor if the programs of independent and possibly malicious users are to coexist on the same computer system. In this paper we show that a combined virtual machine monitor/operating system (VMM/OS) approach to information system isolation provides substantially better software security than a conventional multiprogramming operating system approach. This added protection is derived from redundant security using independent mechanisms that are inherent in the design of most VMM/OS systems.

I. INTRODUCTION

During the past decade the technique of multiprogramming (i.e., the concurrent execution of several independent programs on the same computer system) has been developed to take full advantage of medium- and large-scale computer systems (e.g., cost economics, ease of operation, flexibility, hardware reliability and redundancy, etc.). Unfortunately, in transferring physically isolated information systems (see Figure 1(a)) to physically shared information systems (see Figure 1(b)), we must cope with the problems of: operating system compatibility, reliability, and security. In this paper we show that the virtual machine approach provides effective solutions to these problems.

* Assistant Professor, Project MAC and Sloan School of Management.
** Associate Professor, Project MAC and Department of Electrical Engineering.

Work reported herein was supported in part by Project MAC, an M.I.T.
research project sponsored by the Advanced Research Projects Agency, Department of Defense, under Office of Naval Research Contract Nonr4102(01) and in part by the MIT-IBM Security Study Project.

[Figure 1. Isolated and Shared Information Systems. (a) Physically Isolated Information Systems: systems S1, S2 and S3, each with its own terminals, storage devices, central processor and memory, running its own programs (P31, P32, P33 on S3). (b) Physically Shared Information System: one central processor, memory, storage devices and terminals shared by all of the programs. Terminals include conventional I/O units, such as readers, printers, TTY, etc.]

II. VIRTUAL MACHINE APPROACH TO ISOLATION AND COMPATIBILITY

Since virtual machines have been described extensively in the literature (Madnick(5), Parmelee(6)), we will only briefly review the key points. A virtual machine may be defined as a replica of a real computer system simulated by a combination of a Virtual Machine Monitor (VMM) software program and appropriate hardware support. (See Goldberg (3, 4) for a more precise definition.) For example, the IBM System/370's VM/370 enables a single System/370 to appear functionally as if it were multiple independent System/370's (i.e., multiple "virtual machines"), as depicted in Figure 2. Thus, applications that have required physically isolated systems can be made to run on one real computer system. The VMM accomplishes this by controlling the multiplexing of the physical hardware resources in a manner analogous to the way that the telephone company multiplexes communications, enabling separate and, hopefully, isolated conversations over the same wires.

[Figure 2. Real and Virtual Information Systems. (a) Real Information System Hardware: central processor, memory and I/O. (b) Virtual Information System Hardware: each virtual machine presented with its own central processor, memory and I/O.]

A VMM is totally unlike a conventional operating system. The VMM restricts itself to the task of multiplexing and allocating the physical hardware; it presents an interface that appears identical to a "bare machine". In fact, it is necessary to load a conventional operating system into each virtual machine in order to accomplish useful work. This latter fact in fact provides the basis for the solution to the compatibility problem: each virtual machine is controlled by a separate, and if necessary different, operating system.

The feasibility of this solution has been demonstrated on the VM/370 system and the earlier CP-67 system. The extra VMM software does introduce additional overhead in system operation, but this overhead can be kept rather low (e.g., 10-15%). Depending upon the precise economics and benefits of a large-scale system, the VMM approach is often preferable to the operation of multiple physically isolated "real" systems.

III. SECURITY AND RELIABILITY IN A VIRTUAL MACHINE ENVIRONMENT

In the preceding section it was shown that the virtual machine approach solves the OS compatibility problem by allowing different operating systems to coexist on the same computer at the same time. In this section we analyze the security and reliability problems in this same environment. The security and reliability problems are quite similar. A reliability failure is any action of a user's program that causes the system to cease correct operation (e.g., "stops" or "crashes"); a security failure is a form of reliability failure that allows one user's program to access or destroy the data or programs of another isolated user, or to gain control of the entire computer system. The reliability problem has been studied by Buzen, Chen, and Goldberg (1). We will show that the virtual machine approach results in a system in which software run in a virtual machine is much less susceptible to such failures than it is in a conventional multiprogramming operating system.

1. Contemporary Operating System Environment

Most contemporary operating systems, in conjunction with appropriate hardware support, can provide mechanisms to isolate users. OS/360, for example, uses the supervisor/problem state modes of operation and the System/360's lock and key protection system to insulate users from each other. Under "ideal" circumstances it should be possible to bring about complete isolation (i.e., no user is allowed access to any other user's information). Such complete isolation is difficult but, fortunately, such a facility is not needed for the information system illustrated in Figure 1. In this paper we are only concerned with isolation security (i.e., a user is allowed controlled access to another user's environment) and with preventing reliability and security failures. Thus, the further restrictive mechanisms of current operating systems (e.g., supervisor/problem state, restricted access to generalized instructions, etc.) need only prevent users from "gaining control" of the system (i.e., supervisor state), since a user allowed supervisor state is in a much stronger position to cause a security violation on the same system.

[Figure 3. Comparison of OS and VMM/OS Approaches. (a) Conventional Operating System Approach: the programs of S1, S2 and S3 all run concurrently on the one operating system required for all installations.]

Figure 3(a) illustrates the coexistence, on a single conventional operating system, of the multiple programs from Figure 1. Such a system is susceptible to hardware or software failure. A typical modern operating system consists of thousands, possibly millions, of instructions. The user programs interface with the operating system through hundreds of
parameterized entries (e.g., supervisor calls, I/O requests and interrupts, program interrupts, etc.). At the present time there is no known way to systematically validate the correct functioning of the operating system for all possible parameters for all entries. In fact, most systems tend to be highly vulnerable to sabotage (e.g., by issuing certain supervisor calls with invalid parameters). For example, a popular form of sabotage is to issue a data-returning supervisor request (e.g., "what time is it?") providing an invalid address as a parameter. The operating system, running with protection disabled and assuming that the address parameter corresponds to a user's data area, transfers the return data to that location. If the address provided actually corresponds to locations within the operating system, the system can be made to destroy or disable itself. Most "secure" systems, of course, attempt to detect this kind of error, but there are many other sabotage techniques and complete security is unlikely.

[Figure 3 (continued). (b) Virtual Machine Approach: the programs of S1, S2 and S3 run concurrently on each installation, each installation's programs under an operating system of its own (Operating System 1, 2, 3), all above the Virtual Machine Monitor.]

Referring back to Figure 3(a) we can see some of the factors contributing to the security problem. In order to be sufficient and effective for a large collection of heterogeneous programs, the operating system must be quite comprehensive and, thus, more vulnerable to error. In general, a single logical error in the operating system can invalidate the entire security mechanism. Furthermore, in the system depicted in Figure 3(a), there is no more protection between the programs of differing user groups, or between them and the operating system, than there is between the application programs of a single user group.
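The sabotage pattern just described (a data-returning supervisor request handed an address that lies inside the supervisor itself) can be made concrete on a toy machine, together with the address check that a supervisor should perform before it copies return data to a caller-supplied location. The following Python script is an added example, not code from the paper or from OS/360; the memory layout, region sizes, clock value and function names are constructed for the illustration.

```python
# Added example (not from the paper): a data-returning supervisor call that
# trusts a caller-supplied address, beside the validated form.  The machine,
# its memory layout and the clock value are constructed for illustration.
import struct

MEM_SIZE = 4096
SUPERVISOR = range(0, 1024)         # supervisor code/data (toy layout)
USER_AREA = range(1024, MEM_SIZE)   # the calling program's own area


class AddressingFault(Exception):
    """Raised when the supervisor rejects a caller-supplied address."""


def make_machine():
    """Fresh memory with a marker standing in for supervisor code."""
    mem = bytearray(MEM_SIZE)
    mem[0:8] = b"SUPERVSR"
    return mem


def svc_time_unchecked(mem, dst, clock=0x12345678):
    """The vulnerable pattern: the supervisor runs with protection disabled and
    assumes dst is in the caller's data area, so the 4-byte result is written
    wherever dst points, including into the supervisor."""
    mem[dst:dst + 4] = struct.pack(">I", clock)


def svc_time_checked(mem, dst, user_area=USER_AREA, clock=0x12345678):
    """Hardened form: every byte of the result must fall inside the caller's
    area.  Both ends of the span are checked, so a request that straddles the
    supervisor/user boundary is refused as well."""
    if dst < 0 or dst + 4 > MEM_SIZE or dst not in user_area or (dst + 3) not in user_area:
        raise AddressingFault(f"return address {dst:#x} outside caller's area")
    mem[dst:dst + 4] = struct.pack(">I", clock)


def supervisor_intact(mem):
    """True while the supervisor marker has not been overwritten."""
    return bytes(mem[0:8]) == b"SUPERVSR"


def demo():
    """Exercise both forms and report what each did; used by the tests."""
    results = {}

    mem = make_machine()
    svc_time_unchecked(mem, 0)           # "invalid" parameter pointing at the supervisor
    results["unchecked_damages_supervisor"] = not supervisor_intact(mem)

    mem = make_machine()
    try:
        svc_time_checked(mem, 0)
        results["checked_rejects_supervisor_addr"] = False
    except AddressingFault:
        results["checked_rejects_supervisor_addr"] = supervisor_intact(mem)

    mem = make_machine()
    svc_time_checked(mem, 2048)          # legitimate request into the user area
    results["checked_serves_valid_addr"] = mem[2048:2052] == struct.pack(">I", 0x12345678)

    mem = make_machine()
    try:
        svc_time_checked(mem, 1022)      # span straddles the boundary at 1024
        results["checked_rejects_straddle"] = False
    except AddressingFault:
        results["checked_rejects_straddle"] = True

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the check is that the parameter is validated against the caller's region at the moment the supervisor acts on it, not merely assumed to be sensible because the caller is in problem state; the straddle case shows why the end of the written span, and not only its start, has to be inside the permitted area.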
The security of such conventional operating systems is sufficiently weak that the military has strict regulations that appear to forbid the use of the same information system for both SECRET and TOP SECRET use - even though using separate systems is more costly. Even in the industrial environment, competitors or different functions in the same company (e.g., payroll and engineering) are often reluctant to share the same computer.

2. Virtual Machine Environment

Figure 3(b) illustrates the virtual machine approach to a physically shared system. This arrangement has numerous security advantages. If we define Ps(P) to be the probability that a given run of program P will cause a security violation to occur, the following conditions would be expected to hold:

A.  Ps(P|OS(n)) < Ps(P|OS(m))    for n < m

OS(i) refers to a conventional operating system supporting multiprogramming at level i (i.e., i concurrent programs). The probability of system failure tends to increase with the load on the operating system (i.e., the number of different functions provided, the variety of requests issued, the frequency of requests, etc.). In particular, a monoprogramming system, OS(1), tends to be much simpler and more reliable than an m-degree multiprogramming system. Furthermore, a comprehensive multiprogramming system often requires intricate alterations to support the special needs of the m users, especially if m is large. These problems have been experienced in most large-scale multiprogramming systems. These problems are diminished in a VM environment since each virtual machine may run a separate operating system. Each operating system may be simpler and less error-prone than a single comprehensive all-encompassing operating system.

B.  Ps(OS|VMM(k)) < Ps(P|OS(m))    for k < m

VMM(i) means a virtual machine monitor, VMM, supporting i virtual machines. The operating system, OS, has the same relationship to the VMM(k) as a user's program, P, has to a conventional multiprogramming operating system, OS(m). Using the same rationale as in A above, the smaller the degree of multiprogramming (i.e., k < m), the smaller the probability of a security violation. Furthermore, since the VMM is defined by the hardware specifications of the real machine, virtual machine monitors tend to be shorter, simpler, and easier to debug than conventional multiprogramming operating systems; for example, the field engineer's hardware diagnostic software can be used to check out the correctness of the VMM. Thus, even when k = m, the VMM is less error-prone than a conventional multiprogramming operating system.

We can define the probability of a program P on one virtual machine violating the security of another concurrent program on another virtual machine as:

C.  Ps(P|OS(n)|VMM(k)) = Ps(P|OS(n)) x Ps(OS|VMM(k))

Based on the inequalities of A and B above and the multiplicative dependency in C, we arrive at the conclusion:

D.  Ps(P|OS(n)|VMM(k)) << Ps(P|OS(m))    for n, k < m

Ps(P|OS(n)|VMM(k)) is the probability of the simultaneous security failure of P's operating system and the virtual machine monitor. If a single operating system's security fails, the VMM isolates this failure from the other virtual machines. If the VMM's security fails, it exposes information of other virtual machines to the operating system of one virtual machine; but, if P's operating system is functioning correctly, it will not take advantage of the security breach. This hypothesis assumes that the designers of the individual operating systems are not in collusion with malicious users; otherwise, using the same collusion, Ps(P|OS(m)) = 1 could be attained by subverting the common operating system. This seems to be a reasonable hypothesis.

We are particularly concerned about the probability of a security violation that occurs due to any program that is in the system. This overall system situation can be computed by:

E.  Ps(P11,P12,...,P33) = Ps(P11) x (1-Ps(P12)) x ... x (1-Ps(P33))
                        + (1-Ps(P11)) x Ps(P12) x ... x (1-Ps(P33))
                        + ...
                        + Ps(P11) x Ps(P12) x ... x Ps(P33)

Alternately, it can be represented as:

    Ps(P11,P12,...,P33) = 1 - (1-Ps(P11)) x (1-Ps(P12)) x ... x (1-Ps(P33))

We note that Ps(P11,P12,...,P33) is minimized when the individual Ps's are minimized. The effect is accentuated due to the multiplicative nature of Equation E. Thus, from the inequality of D, we conclude:

F.  Ps(P11,P12,...,P33|OS(n)|VMM(k)) <<< Ps(P11,P12,...,P33|OS(m))    for n, k < m

That is, the security in a virtual machine environment is very much better than in a conventional multiprogramming environment. This conclusion depends upon the probabilistic independence of the security failures. In the following section we show that the independence condition applies.

3. Redundant Security Mechanisms

If the individual operating systems, OS, and the virtual machine monitor, VMM, used identical security mechanisms and algorithms, then any user action that resulted in penetration of one could also penetrate the other. That is, first take control of the OS and then, using the same technique, take control of the VMM. This is logically analogous to placing one safe inside another safe - but having the same combination on both safes. To combat this danger, the OS and VMM must have redundant security based upon independent mechanisms. A similar approach has been taken in the PRIME modular computer system being constructed at the University of California, Berkeley. They use the term dynamic verification to mean "that every time a decision is made there is a consistency check performed on the decision using independent hardware and software" (Fabry(2)).

Table 1 illustrates redundant security mechanisms possible in a VMM/OS environment, using the System/360-370 VM/370 and OS/360 as example systems. Let us consider main memory security first.
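Before turning to the individual mechanisms of Table 1, the probability model of conditions A through F can be worked through numerically. The following Python script is an added example, not from the paper: it implements the product of condition C, both forms of Equation E and the comparison of condition F, and adds a `shared` parameter (an assumption introduced here, not in the paper) that models the "same combination on both safes" case in which a technique that penetrates the OS also penetrates the VMM, so that the role of the independence condition can be seen. All numerical probabilities are constructed for illustration; the paper gives only inequalities.

```python
# Added example (not from the paper): numerical walk-through of the
# security-probability model of Section III, conditions A to F.  Every
# probability value used below is constructed for illustration.
from itertools import product


def ps_joint(ps_os, ps_vmm, shared=0.0):
    """Condition C: probability that a program on one virtual machine breaks
    through both its own operating system and the VMM.

    ps_os  = Ps(P|OS(n)) and ps_vmm = Ps(OS|VMM(k)) in the paper's notation.
    shared is an assumption added here: the fraction of OS penetrations whose
    technique also works against the VMM.  shared=0.0 is the paper's
    independent product; shared=1.0 means the VMM adds no barrier at all
    (the same combination on both safes).
    """
    p_vmm_given_os = shared + (1.0 - shared) * ps_vmm
    return ps_os * p_vmm_given_os


def ps_any(ps_list):
    """Equation E, closed form: probability that at least one of the programs
    P11, P12, ..., P33 causes a violation, with independent runs."""
    survive = 1.0
    for p in ps_list:
        survive *= 1.0 - p
    return 1.0 - survive


def ps_any_expanded(ps_list):
    """Equation E, first (expanded) form: sum over every pattern in which at
    least one program fails.  Exponential in len(ps_list); for checking only."""
    total = 0.0
    for pattern in product((False, True), repeat=len(ps_list)):
        if not any(pattern):
            continue
        term = 1.0
        for p, failed in zip(ps_list, pattern):
            term *= p if failed else 1.0 - p
        total += term
    return total


def compare(ps_os_m, ps_os_n, ps_vmm, programs=9, shared=0.0):
    """Condition F for `programs` concurrent programs.

    Returns (conventional, vmm_os): the conventional figure has every program
    under one OS(m) with per-run violation probability ps_os_m; the VMM/OS
    figure has each program under a smaller OS(n) (ps_os_n < ps_os_m, condition
    A) running on a VMM(k) (ps_vmm < ps_os_m, condition B).
    """
    conventional = ps_any([ps_os_m] * programs)
    vmm_os = ps_any([ps_joint(ps_os_n, ps_vmm, shared)] * programs)
    return conventional, vmm_os


if __name__ == "__main__":
    # Constructed figures: 0.02 per run under OS(9), 0.01 under OS(3),
    # 0.005 for the VMM(3); nine programs as in Figure 1 (P11 ... P33).
    for shared in (0.0, 0.5, 1.0):
        conv, vm = compare(0.02, 0.01, 0.005, programs=9, shared=shared)
        print(f"shared={shared:.1f}: conventional={conv:.5f}  "
              f"VMM/OS={vm:.5f}  ratio={conv / vm:.0f}x")
```

With `shared=0.0` the VMM/OS figure comes out a few hundred times smaller than the conventional one, which is the "<<<" of condition F; with `shared=1.0` the second safe opens with the first combination and only the smaller OS(n) advantage of condition A survives, which is why the next section insists that the OS and VMM mechanisms be independent.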
OS/360 uses the lock and key hardware to isolate one user's memory area from invalid access by another user's program. VM/370, on the other hand, uses the System/370 Dynamic Address Translation (DAT) hardware to provide a separate virtual memory (i.e., address space) for each virtual machine - independent of the locks and keys. Thus, a malicious user would have to overwhelm both the lock and key and the DAT mechanisms to violate the isolation security of another coexisting program on another virtual machine. The software algorithms used by OS/360 and VM/370 for memory security are, of course, quite different, since the mechanisms that are used are so different. Thus, it is highly unlikely that they would both be susceptible to the same penetration techniques.

We find the same kind of redundant security in the area of secondary storage devices. OS/360, especially with the Resource Security System (RSS) option, provides an elaborate set of mechanisms to restrict access to data sets (files). Each storage volume has a recorded label that is read by OS/360 to verify that it is the correct volume (i.e., Automatic Volume Recognition, AVR). Furthermore, under RSS, the specific data sets on the volume may be individually protected by means of password codes or user authorization restrictions. VM/370, on the other hand, may have the volumes assigned to the virtual machines by the computer operator or on the basis of a directory. These mechanisms are independent of the physical storage device address being used. Once again, the logical mapping of OS/360 is independent of the physical mapping of VM/370.

Table 1. Examples of Redundant Security Mechanisms in a VMM/OS Environment

FUNCTION                     | OS Mechanism (e.g., OS/360)                              | VMM Mechanism (e.g., VM/370)
-----------------------------|----------------------------------------------------------|----------------------------------
Main Memory Security         | Locks and Keys                                           | Dynamic Address Translation (DAT)
Storage Device Security      | Volume Label Verification and Data Set Passwords         | Device Address Mapping
Process Allocation Security  | Priority Interrupt and Time-Slicing (and, optionally,    | Clock Comparator
                             | Interval Timer)                                          |

These redundant security mechanisms can be found in many other areas. Although most existing VMM's were not designed specifically to provide such comprehensive isolation, they frequently include substantial redundant security mechanisms. In order to provide the needed isolation, future VMM's may be designed with increased redundant security.

IV. CONCLUSIONS

In this paper we have shown that the VMM/OS approach to information system isolation provides substantially better software security and reliability than a conventional multiprogramming OS approach. This added protection is obtained through the use of redundant security mechanisms inherent in the design of most VMM/OS systems.

REFERENCES

1. Buzen, J. P., Peter P. Chen, and Robert P. Goldberg, "Virtual Machine Techniques for Improving System Reliability", Proceedings of the ACM Workshop on Virtual Computer Systems, (March 26-27, 1973).
2. Fabry, R. S., "Dynamic Verification of Operating System Decisions", submitted for publication in the Communications of the ACM, (February 23, 1972).
3. Goldberg, R. P., "Virtual Machines: Semantics and Examples", Proceedings of IEEE Computer Society Conference, (September 1971), 141-142.
4. Goldberg, R. P., Architectural Principles for Virtual Computer Systems, PhD dissertation, Harvard University, (November 1972).
5. Madnick, S. E., "Time-Sharing Systems: Virtual Machine Concept vs Conventional Approach", Modern Data 2, 3 (March 1969), 34-36.
6. Parmelee, R. P., T. I. Peterson, C. C. Tillman, and D. J. Hatfield, "Virtual Storage and Virtual Machine Concepts", IBM Systems Journal 11, 2 (1972), 99-130.