Guarded Execution of Privileged Code in the Guest

Allowing a guest to have direct, privileged access to hardware can enhance its performance and functionality. Privileged access to hardware and the VMM also enables and improves the performance of virtualization services by allowing portions of their implementations to be hoisted into the guest, even uncooperatively. However, granting such privilege currently requires that the entire guest be trusted. We present a software technique, guarded execution of privileged code, that allows the VMM to inject code modules into the guest that enjoy unrestrained access to specific hardware and VMM resources. Our system, which combines compile-time, link-time, and run-time techniques, provides the module developer with the guarantee that the module remains unmodified, and that it acquires privilege only when untrusted code invokes it through developer-chosen, valid entry points with a valid stack. An execution path leaving the module will then trigger a revocation of privilege. The system also provides the administrator with a secure method for binding a specific module with particular privileges implemented by the VMM. This lays the basis for guaranteeing that only trusted code in the guest can utilize special privileges. We give a motivating example by guarding the execution of a privileged, network interface driver in the form of a Linux module, such that it, and only it, has uninhibited access to the NIC hardware. This project is made possible by support from the United States National Science Foundation (NSF) via grant CNS-0709168, and the Department of Energy (DOE) via grant DE-SC0005343.