Delusional Boot: Securing Cloud Hypervisors without Massive Re-engineering

The set of virtual devices offered by a hypervisor to its guest VMs is a virtualization component ripe with security exploits – more than half of all vulnerabilities of today’s hypervisors are found in this codebase. This paper presents Min-V, a hypervisor that disables all virtual devices not critical to running VMs in the cloud. Of the remaining devices, Min-V takes a step further and eliminates all remaining functionality not needed for the cloud. To implement Min-V, we had to overcome an obstacle: the boot process of many commodity OSes depends on legacy virtual devices absent from our hypervisor. Min-V introduces delusional boot, a mechanism that allows guest VMs running commodity OSes to boot successfully without developers having to re-engineer the initialization code of these commodity OSes, as well as the BIOS and pre-OS (e.g., bootloader) code. We evaluate Min-V and demonstrate that our security improvements incur no performance overhead except for a small delay during reboot of a guest VM. Our reliability tests show that Min-V is able to run unmodified Linux and Windows OSes on top of this minimal virtualization in-