Xen-Cap: A Capability Framework for Xen
Flux Technical Note FTN–2013–04, University of Utah. 2013.
Hypervisors provide strong isolation and can be leveraged to disaggregate the large software stack of a traditional, monolithic system. Disaggregation can be achieved by running individual applications and kernel components in separate VMs. Existing hypervisors, however, do not offer a fine-grained access control mechanism. Without such a mechanism, individual VMs still run in one of two extremes: complete isolation or excessive authority.
This project extends Xen with the capability access control model, a mechanism for fine-grained, dynamic management of rights. Together with strong isolation, capabilities can be used to create least-privilege services: an environment in which individual applications hold only the minimal rights required to perform their tasks.
We discuss the design and implementation of a capability access framework for Xen. We also demonstrate examples of least-privilege services. Overall, we gained valuable insights into designing a secure system using an industry-standard virtualization platform.