Flux Research Group / School of Computing

Xen-Cap: A Capability Framework for Xen

Yathindra Naik

Flux Technical Note FTN–2013–04, University of Utah. 2013.

Operating Systems, Security, Virtualization


Hypervisors provide strong isolation and can be leveraged to disaggregate large software stack of a traditional, monolithic system. Disaggregation can be achieved by running individual applications and kernel components in separate VMs. Existing hypervisors, however, do not offer a fine grained access control mechanism. Without such mechanism, individual VMs still run in one of two extremes—complete isolation or excessive authority.

This project extends Xen with the capability access control model—a mechanism for fine grained, dynamic management of rights. Together with strong isolation, capabilities can be used to create least-privilege services—an environment in which individual applications have minimal rights, that are required to perform their tasks.

We discuss the design and implementation of a capadbility access framework for Xen. We also demonstrate examples of least-privilege services. Overall, we gained valuable insights for designing a secure system using an industry standard virtualization platform.