Security: Hypervisor technology makes even PCs secure
Computers running Microsoft Windows operating systems are notorious for high “hackability.” In fact, this reporter just had to install a patch to close yet another Microsoft Windows XP vulnerability. Other desktop operating systems have similar vulnerabilities as well. These vulnerabilities make securing sensitive information and protecting PC-based control systems particularly difficult. Green Hills Software introduced a hypervisor system that the company claims can virtually eliminate security problems in PC-based systems by creating “virtual processors” that isolate sensitive data and operations from activities that connect to the outside world via the World Wide Web.
The company claims Padded Cell Secure Hypervisor is the worlds first secure hypervisor and supports computing platforms from embedded devices to enterprise desktop and server systems. The hypervisor runs atop the company’s Integrity separation kernel, which the company says is the only operating system ever to be accepted by a U.S. National Information Assurance Partnership (NIAP) into a high assurance (EAL6+) Common Criteria security evaluation.
A hypervisor runs directly on the computer hardware. Its main function is to simulate multiple virtual machines that behave like separate, isolated processors. Each virtual machine runs its own operating system, has its own isolated memory and hard-disk storage space, and application programs. Any virtual machine can run any operating system the hardware processor can run.
The hypervisor interfaces to all signals the virtual-machine operating system would use to control the hardware, and passes them to the actual hardware. The hardware acts on those signals as if they were coming directly from the virtual machine. The hypervisor also schedules hardware resources for each of the virtual machines on an as-needed basis. Thus, each virtual machine thinks it has exclusive control of the hardware, and the hardware thinks there is only one virtual machine.
Firewalls, anti-virus software, and other security applications run in the hypervisor, nullifying virtual machine vulnerabilities by blocking attacks before they reach the virtual machines. For example, a user would create one virtual machine with a connection to the Internet and keep all sensitive and irreplaceable databases and documents, as well as all control applications on separate virtual machines.
If a corrupt file or hacker attack comes in through the Internet, it only affects the one Internet-connected virtual machine, where there is no sensitive data and no control applications to compromise. If that machine becomes too disrupted to clean, it is a simple matter to delete it and initialize another Internet-connected virtual machine.
When a file, for example, comes in from the Internet from a known-friendly source and needs to be used by an application on one of the secure virtual machines, it has to go through the hypervisor with its security features before being passed to the appropriate virtual machine.
Internet-connected embedded systems, as well as the development systems designers use to create software for them face an increasing need for security. Hypervisor technology is one high-assurance way to implement it.
— C.G. Masi , senior editor