Efficient provisioning of a trustworthy environment for security-sensitive applications

Abstract

We propose a method to provide the users a trusted secure environment to run their security-sensitive applications within. Our solution runs user applications in different virtual machines (VMs): securitysensitive applications in a trusted green VM, while the others in an untrusted red VM. We isolate the two VMs using hardware virtualization mechanisms and run them alternatively. This contributes for a smaller hypervisor, a safer VM isolation and trusted I/O channels to the green VM. Switching between VMs is based on the ACPI S3 sleep events. The trustworthiness of the green VM is sustained by its reduced and restricted software stack and its launch-time integrity attestation. We focus on reducing the red-to-green VM switching time by applying a stateless strategy for the green VM: use a RAM-disk and start it in a pristine state any time a red-to-green VM switch is performed. We load the green VM’s image in memory and reserve memory space for the green VM at boot time. This leads to a lower switching time of about 18 s.