Security Implications of Different Virtualization Approaches for Secure Cyber Architectures

Virtualization is increasingly being used as a component in designing secure cyber architectures. The proposed applications include strong isolation, monitoring, fault tolerance, execution replay, etc. However, there are various virtualization approaches which differ in their security implications, proper applications, overheads, requirements, and most importantly threat models. Firstly, virtualization solutions range from hardware assisted to completely software emulated. They can be further categorized by their abstraction level from hardware virtualization, to operating system level virtualization (containers), to application virtualization. Finally, they differ widely in the way they handle I/O; from having a separate I/O virtual machine (privileged partition) to hardware assisted I/O virtualization (IOMMU). In order to deploy the most effective virtualization approach when designing a secure cyber system, it is imperative to fully understand the benefits offered and the trade-offs involved in each method. In this work, we study the spectrum of virtualization modes and discuss their strengths, weaknesses, requirements, and threat models. For instance, lightweight paravirtualization with IOMMU can reduce the size of the trusted computing base (TCB) significantly which makes it a proper candidate for high assurance isolation and thin client applications. On the other hand, containers have the similar TCB size as a full blown operating system, but they preserve the semantic information lost in the lower level virtualizations which makes them suitable for replay and monitoring applications. Moreover, we identify several gaps combinations that have not been implemented yet, to the best of our knowledge which, if available, can be valuable for specific applications and assurance requirements.