Mar 26, 1973 -
AN APPROACH TO INFORMATION SYSTEM ISOLATION AND SECURITY IN A SHARED FACILITY by Stuart E. Madnick John J. Donovan March 1973
648-73
* This paper is based upon a paper entitled "Application and Analysis of the Virtual Machine Approach to Information System Security and Isolation" that was presented at the ACM Workshop on Virtual Computer Systems, March 26-27, 1973, Harvard University, Cambridge, Massachusetts.
An Approach to Information System Isolation and Security in a Shared Facility
ABSTRACT
Security is an important factor if the programs of independent and possibly malicious users are to coexist on the same computer system. In this paper we show that a combined virtual machine monitor/operating system (VMM/OS) approach to information system isolation provides substantially better software security than a conventional multiprogramming operating system approach. This added protection is derived from redundant security using independent mechanisms that are inherent in the design of most VMM/OS systems.
I. INTRODUCTION
During the past decade the technique of multiprogramming (i.e., the concurrent execution of several independent programs on the same computer system) has been developed to take full advantage of medium- and large-scale computer systems (e.g., cost economics, flexibility, ease of operation, hardware reliability and redundancy, etc.). Unfortunately, in transferring physically isolated information systems (see Figure 1(a)) to physically shared information systems (see Figure 1(b)), we must cope with the problems of: operating system compatibility, reliability, and security. In this paper we show that the Virtual Machine approach provides effective solutions to these problems.

* Assistant Professor, Project MAC and Sloan School of Management.
** Associate Professor, Project MAC and Department of Electrical Engineering.
Work reported herein was supported in part by Project MAC, an M.I.T. research project sponsored by the Advanced Research Projects Agency, Department of Defense, under Office of Naval Research Contract Nonr4102(01) and in part by the MIT-IBM Security Study Project.
[Figure 1. Isolated and Shared Information Systems. (a) Physically Isolated Information Systems: Systems S1, S2 and S3, each with its own Terminals, Central Processor, Memory and Storage Devices (processes P31, P32, P33 shown in S3). (b) Physically Shared Information System: one Central Processor, Memory and Storage Devices serving all Terminals. Figure note: Terminals include conventional I/O units, such as readers, printers, TTY, etc.]
II. VIRTUAL MACHINE APPROACH TO ISOLATION AND COMPATIBILITY
Since virtual machines have been described extensively in the literature (Madnick(5), Parmelee(6)), we will only briefly review the key points. A virtual machine may be defined as a replica of a real computer system simulated by a combination of a Virtual Machine Monitor (VMM) software program and appropriate hardware support. (See Goldberg (3, 4) for a more precise definition.) For example, the IBM System/370's VM/370 enables a single System/370 to function as if it were multiple independent systems, as depicted in Figure 2. Thus, a VMM can make one physically shared computer system appear to its applications as if it were multiple physically isolated systems (i.e., multiple "virtual machines"), each functionally controlling its own system. A VMM accomplishes this by multiplexing the physical hardware resources in a manner analogous to the way that a telephone company multiplexes communications, enabling separate and, hopefully, isolated conversations over the same wires.

A VMM is totally unlike a conventional operating system. The VMM restricts itself to the task of multiplexing and allocating the physical hardware, and it presents an interface that appears identical to a "bare machine". In fact, it is necessary to load a conventional operating system into each virtual machine in order to accomplish useful work. Each virtual machine is controlled by a separate operating system. This latter fact provides the basis for the solution to the compatibility problem.
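The two-layer multiplexing just described (a VMM allocating the physical hardware, and a conventional operating system inside each virtual machine allocating that machine's memory among its processes) is what the abstract's "redundant security using independent mechanisms" refers to. The following Python model is an added example written for this page, not code from the paper or from VM/370: the VMM and GuestOS classes, the 16-byte page size, and the two-VM scenario are all constructed assumptions. It shows that a failed bounds check in a guest OS exposes memory within that virtual machine, but because the VMM translates guest addresses only through the VM's own page allocation, the same fault still cannot reach another virtual machine.

```python
"""Toy model of two-layer VMM/OS isolation (added example, not the paper's code).

A VMM hands each virtual machine a disjoint set of host pages and refuses any
guest-physical address outside them; a conventional OS inside each VM hands
each process a region of the VM's memory and bounds-checks every access. The
two checks are independent, which is the paper's redundant-security argument.
"""

PAGE = 16  # toy page size in bytes (constructed assumption for the model)


class IsolationFault(Exception):
    """Raised by whichever layer refuses an access; message starts with the layer."""


class VMM:
    """Multiplexes host memory: each VM owns disjoint host pages, and a guest
    page number is translated only through that VM's own allocation."""

    def __init__(self, host_pages):
        self.host = bytearray(host_pages * PAGE)
        self.next_free_page = 0
        self.vm_pages = {}  # vm_id -> list of host page numbers owned by the VM

    def create_vm(self, vm_id, pages):
        if self.next_free_page + pages > len(self.host) // PAGE:
            raise IsolationFault("VMM: out of host memory")
        self.vm_pages[vm_id] = list(range(self.next_free_page, self.next_free_page + pages))
        self.next_free_page += pages

    def access(self, vm_id, guest_phys, value=None):
        """Read (value is None) or write one byte at a guest-physical address."""
        pages = self.vm_pages[vm_id]
        gpn, offset = divmod(guest_phys, PAGE)
        if not 0 <= gpn < len(pages):  # the VMM's own, independent check
            raise IsolationFault(f"VMM: VM {vm_id} addressed guest page {gpn} outside its allocation")
        host_addr = pages[gpn] * PAGE + offset
        if value is None:
            return self.host[host_addr]
        self.host[host_addr] = value & 0xFF


class GuestOS:
    """Conventional OS inside one VM: gives each process a contiguous region of
    the VM's guest-physical memory and bounds-checks each access.
    checks_enabled=False models a buggy or subverted guest OS."""

    def __init__(self, vmm, vm_id, checks_enabled=True):
        self.vmm, self.vm_id, self.checks_enabled = vmm, vm_id, checks_enabled
        self.vm_size = len(vmm.vm_pages[vm_id]) * PAGE
        self.next_free = 0
        self.regions = {}  # pid -> (base, size) in guest-physical addresses

    def spawn(self, pid, size):
        if self.next_free + size > self.vm_size:
            raise IsolationFault(f"OS: no room in VM {self.vm_id} for process {pid}")
        self.regions[pid] = (self.next_free, size)
        self.next_free += size

    def access(self, pid, offset, value=None):
        base, size = self.regions[pid]
        if self.checks_enabled and not 0 <= offset < size:  # the OS's check
            raise IsolationFault(f"OS: process {pid} offset {offset} outside its region")
        return self.vmm.access(self.vm_id, base + offset, value)


def which_layer_refused(action):
    """Run action(); return 'OS' or 'VMM' if that layer refused it, else None."""
    try:
        action()
    except IsolationFault as fault:
        return str(fault).split(":")[0]
    return None


def run_scenarios():
    """Constructed scenario: two VMs of two pages each; VM2 holds a byte that
    nothing running in VM1 should be able to read. Returns each probe's outcome."""
    vmm = VMM(host_pages=8)
    vmm.create_vm("VM1", pages=2)
    vmm.create_vm("VM2", pages=2)

    os2 = GuestOS(vmm, "VM2")
    os2.spawn(pid=1, size=PAGE)
    os2.access(1, 0, value=0x42)  # VM2's private byte (constructed value)

    os1 = GuestOS(vmm, "VM1")
    os1.spawn(pid=1, size=PAGE)  # region [0, PAGE)
    os1.spawn(pid=2, size=PAGE)  # region [PAGE, 2*PAGE)
    os1.access(1, 0, value=0x11)

    results = {}
    # Layer 1: a healthy guest OS stops process 2 from reaching process 1's region.
    results["os_blocks_cross_process"] = which_layer_refused(lambda: os1.access(2, -PAGE))

    # Remove layer 1: a buggy guest OS in VM1 no longer bounds-checks, so the
    # same access now reads process 1's byte. Isolation inside VM1 is lost.
    buggy_os1 = GuestOS(vmm, "VM1", checks_enabled=False)
    buggy_os1.regions = dict(os1.regions)
    results["buggy_os_leaks_within_vm"] = buggy_os1.access(2, -PAGE) == 0x11

    # Layer 2: VM1 can only name its own two guest pages, so the VMM refuses the
    # address that would run past them, and VM2's byte is untouched.
    results["vmm_blocks_cross_vm"] = which_layer_refused(lambda: buggy_os1.access(2, 2 * PAGE))
    results["vm2_secret_intact"] = vmm.access("VM2", 0) == 0x42
    return results


if __name__ == "__main__":
    for probe, outcome in run_scenarios().items():
        print(f"{probe}: {outcome}")
```

The VMM check stands in for the address-relocation hardware that a real VMM controls; the model's point is only that the guest OS never holds the means to name another VM's host pages, so its failure is contained to the machine it runs in.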
[Figure 2 (remainder of figure not recoverable from the scan; labels visible: Central Processor, Memory)]