Abstract

Virtual machine monitors (VMMs) have been hailed as the basis for an increasing number of reliable or trusted computing systems. The Xen VMM is a relatively small piece of software—a hypervisor—that runs at a lower level than a conventional operating system in order to provide isolation between virtual machines: its size is offered as an argument for its trustworthiness. However, the management of a Xen-based system requires a privileged, full-blown operating system to be included in the trusted computing base (TCB).

In this talk, I will introduce our work to disaggregate the management virtual machine in a Xen-based system. I will present a study of the Xen architecture and explain why the status quo results in a large TCB . I will challenge the conventional wisdom that smaller TCBs are necessarily better, and argue that the “surface area” of the TCB is as important as its size. I will then describe how we implemented our approach on Xen, by moving the domain builder—the most important privileged component—into a minimal trusted compartment. I will also discuss some of the ongoing work that is based on our disaggregation approach.