
2010 International Conference on Multimedia Information Networking and Security

A Xen-based Secure Virtual Disk Access-Control Method


LIU Fagui
School of Computer Science & Engineering, South China University of Technology, Guangzhou, P. R. China
fgliu@scut.edu.cn

ZHANG Hao, ZHOU Haiyan
School of Computer Science & Engineering, South China University of Technology, Guangzhou, P. R. China
hzhang.scut@gmail.com, zhy_bb2003@163.com

978-0-7695-4258-4/10 $26.00 2010 IEEE DOI 10.1109/MINES.2010.84

Abstract: The paper begins with an introduction to the Xen-based secure computer, common data sharing methods and virtual disk access control. It puts forward a data sharing method based on virtual disks between guest OSs in full virtualization, in order to address the shortcomings of data sharing between guest OSs on a Xen-based secure computer. It further analyses the Xen split-driver mechanism, which suggests the possibility of building a communication channel from the guest OS to the host OS. Following Xen's virtual disk control principles, a data access-control measure is also brought forward. Finally, a series of experiments shows the method to be a cross-level data sharing approach which makes data access more controllable and safer, with promising efficiency compared with other sharing methods.

Keywords: Xen; Virtual Disk; Access-Control; I/O; Dynamic Mounting

I. INTRODUCTION

The application of virtual disks falls into two main categories. One is to virtualize a remote system disk as a local disk (though it does not physically exist locally) in order to increase the guest OS's disk volume, or to save disk volume by sharing a server's disk over the network; current research in this area focuses on improving system I/O performance and data availability [1, 2]. The other is to set aside an area of memory to be used as a temporary disk to improve the computer's I/O performance. Both applications show that the current research focus is not on ensuring data security. The former depends on a network environment that is born with many insecurity factors, such as data leaks and data theft. The virtual disk in a VM, however, is a real disk provided to the guest OS, through which guest OSs can share data without a network. Compared with traditional IDE devices, it can support read/write control and dynamic mounting; moreover, compared with network devices, it is isolated from the effect of network bandwidth and thus has a faster read/write speed and a higher level of security, since the data transmission channel is shorter. The virtual disk also has shortcomings: it currently lacks read/write control and dynamic mounting, because it is a software-only simulation of a traditional IDE disk, and it has certain insecurity factors such as the lack of a necessary data checking mechanism, which can result in the wrongful sharing of the provider's confidential data. This paper studies the principle and implementation of I/O request processing for virtual disks in Xen-based VMs and puts forward a solution: a Xen-based secure virtual disk access-control method.

The rest of the paper is organized as follows: relevant background material is presented in section II, followed by the proposal of the Xen-based secure virtual disk access-control method in section III. In section IV the specific realization of the data access-control methods is discussed. The related experiments and their analysis are presented in section V, with the final conclusion in section VI.

II. RELATED WORKS

Figure 1 shows the architecture of a computer system based on Xen. Xen runs directly on the system hardware at Ring 0 of the processor's privilege levels; the guest OSs run on Ring 1 and the applications on Ring 3. Xen separates the work of the system and is itself only responsible for certain privileged operations. The separated operations, such as creating and controlling VMs and controlling the real hardware, are all accomplished by a privileged domain named Domain 0, which is also the host system in this architecture. The other virtual systems are called Domain U: their frontend drivers deliver operation requests to the backend driver in Domain 0, and the backend driver then calls the device driver to access the actual hardware and accomplish the operation.

Figure 1 Architecture Of Xen

The secure computer based on Xen achieves both domain isolation and network isolation, and meanwhile deploys a firewall in Domain 0 to enhance the network security of Domain U [3]. This does ensure the computer's security, at the cost of inconvenient data sharing and control among the Domain Us. As for access control of the virtual disk, reference [4] introduces a virtual disk-based file encryption method: it encrypts/decrypts the data in real time while processing I/O requests, and authenticates the user and manages keys with a USB smart card, which ensures the security of the data. Reference [5] proposes an optimization of the block addressing method of the COW (copy-on-write) disk format device driver in a VM: it develops a new block device driver named mcow based on QEMU, which has higher virtual disk I/O performance than the original virtual disk. There is also research on other aspects of virtual disks. Reference [6] puts forward a method for integrity checking of the guest OS's virtual disk image in a Xen VM. With the application of TPM (Trusted Platform Module) technology, it overcomes the traditional virtual disk image's lack of a data integrity protection mechanism, ensuring the virtual disk's integrity in real time and protecting the security of the guest OS's data. For real-time monitoring of virtual disks, reference [7] designs an operation monitoring library named XenAccess for the Xen VM environment, which can monitor the guest OS's event information, including the virtual disk, and thus implements intrusion detection for the guest OS and ensures the security and effectiveness of virtual disk data access. Reference [8] puts forward a network-isolated virtual network environment and an operable secure user switching system, which together effectively ensure the security and operability of Xen's virtual environment. Based on analysis of the Xen split-driver mechanism, reference [9] builds a communication channel between guest OS and host OS. Following Xen's virtual disk control principles, a data access-control measure is also brought forward, which significantly shortens the data transmission channel and avoids the leaking of confidential data without loss of high read/write speed.

The references mentioned above do not address access control of the virtual disk or the protection of confidential data from leaking and tampering. The guest system is completely passive in the two forms of monitoring of [6] and [7], whereas in the virtual disk data sharing process, in addition to the VMM monitoring the contents of the shared virtual disk, the guest systems also need to actively provide the VMM with control information so that data sharing can be forbidden urgently. Moreover, when illegal sharing is detected during virtual disk data sharing, it needs to be prohibited in real time, which is not addressed in [6] and [7].

III. DESIGN METHOD

A. Xen-based Virtual Disk Preliminary Implementation

The operation of a virtual disk in Xen's para-virtualization mode is realized by the frontend and backend drivers, while in full virtualization it is realized by the Qemu virtual device model. The corresponding process in the host system, Qemu-dm, serves each guest OS's virtual devices. Figure 2 shows the architecture of the virtual disk with the Qemu virtual device module.

Figure 2 Qemu virtual disk model

The Qemu-dm process exists in Domain 0 and corresponds to each virtual system's device daemon. Qemu-dm simulates a series of virtual devices for the guest OSs, such as virtual disks and virtual NICs. Considering the generic nature of the virtual disk, Qemu-dm uses a hierarchical model of progressive refinement in providing virtual disk services. All virtual disks are modelled as IDE devices and provided with an abstract block device driver, while the implementation of the specific driver depends on the format of the disk, e.g. vfat, raw, qcow, vbd, etc. However, the implementation of the IDE disk lacks access control and operation controllability, which leaves room for the leaking and tampering of confidential data.

B. Secure Disk Access-Control Method

Analysis of the Qemu virtual disk model shows that access control for a general block device has to be implemented at the block device driver layer. Therefore, Figure 3 presents a secure virtual disk access-control method.

There are many virtual disk devices in a guest OS. Apart from the virtual disk VD1, which is indispensable for running the system, there are disks for other users' data storage and sharing (VDn). These disks, visible to the guest OSs, are stored as image files (VD1.img to VDn.img) in Domain 0. In the guest OS, access to VD1 is secure, but it is unsafe if anyone reads/writes VDn, where confidential data reside. I/O operations in the guest OS are accomplished by the corresponding drivers of Qemu-dm's virtual disk devices. To avoid this kind of unsafe behaviour, and considering the various driver formats of virtual disks, this paper proposes adding a control module at the general block device driver layer, thereby achieving operation controllability over the virtual disk; I/O operating permissions are granted in line with the security level. Meanwhile, it also dynamically mounts a temporary disk to replace a disk that is at risk, so as to achieve secure access control.

Figure 3 Architecture Of Secure Access Controlling

IV. IMPLEMENTATION

A. Read/Write Control

In a full-virtualization guest OS, disk operations are in essence accomplished through the CPU's IN/OUT instructions, and the address in the instruction is the I/O-mapped address specified by the IDE protocol. If these instructions were executed directly, they would operate on the physical disk. Xen's hypervisor relies on CPU hardware virtualization technology to trap the I/O instruction, packs it into an I/O request structure buf_ioreq_t, and then puts this buf_ioreq_t into the cache queue buffered_io_page. In the main loop function main_loop() of Qemu-dm there is a function named handle_buffered_io() which is responsible for handling the I/O operations cached in the buffered_io_page queue. This function takes I/O requests from buffered_io_page in order and dispatches them to the upper layers. Finally, the I/O request generated by the CPU is handled by cpu_ioreq_pio(): a read request to the virtual disk calls ioport_read, and a write request calls ioport_write.

There are two I/O operation tables in Qemu-dm: ioport_read_table and ioport_write_table, which handle read and write operations respectively. The elements of the tables are function pointers, and the indexes are I/O port addresses. When an I/O request arrives, cpu_ioreq_pio() obtains the handling function according to the type and address of the operation and completes the I/O request. As shown in Figure 5, the corresponding I/O request processing functions for the virtual disk are ide_ioport_read() and ide_ioport_write(); the whole procedure for processing an I/O request is shown in Figure 5.

Figure 4 Procedure Of Qemu-dm Implementing I/O Operation

Figure 5 Procedure Of Processing To I/O Operate Request Of Xen's Guest OS

Tracking the initialization of the virtual IDE device, we find that the function ide_init_ioport() registers a series of functions into the two I/O operation tables mentioned above, including ide_ioport_read() and ide_ioport_write(), which correspond to reading from and writing to the virtual disk. Tracking further, we find that these two functions call ide_sector_read() and ide_sector_write() respectively to complete the actual read/write of a sector. As long as the access permission checking code is inserted into these two functions, the guest OS's I/O requests can be handled with dynamic read/write control over the virtual disk.

B. Dynamic Mounting

For a disk at risk, its operating permission needs to be revoked and the disk unloaded; a temporary disk is then assigned to the user for storing temporary files. To achieve dynamic replacement of a virtual disk, we must first understand how the virtual disk in the guest OS is initialized. In every Qemu-dm daemon there is an array drives_table of type DriveInfo. This table plays the main role in simulating the device model of the actual machine, and each entry binds a structure BlockDriverState (bdrv). BlockDriverState corresponds to a virtual disk image and contains information about the virtual disk (e.g. the pathname, filename); this is where the read/write control switching variable needs to be set. For dynamic mounting, we need to consider restructuring BlockDriverState. BlockDriverState also binds to a BlockDriver, which consists mainly of function pointers. These pointers are initialized to point to the handling functions corresponding to the disk format (such as IDE devices), including the read/write functions and the disk mount/unload functions; together they make up the lowest-layer set of virtual disk operation functions. As shown in Figure 6, this determines each guest OS's corresponding virtual disk and its operation handling functions. To sum up, mounting/unloading a virtual disk can be achieved by setting the pathname (filename) and calling the corresponding initialized disk mount/unload functions.
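As an added illustration of the two mechanisms of this section, the permission check at the sector read/write layer and the close-then-open re-binding used for dynamic mounting, the following C program was written for this edit; it is not the paper's code and not QEMU's. It models BlockDriverState, BlockDriver and drives_table with hypothetical stand-ins (vdisk_state, vdisk_driver, vdisk_find, vdisk_sector_read/write, vdisk_close_for_owner, vdisk_remount) and an in-memory image constructed for the demonstration. The released/closed states and the owner semantics follow the experiment description in section V; the rule that a remounted temporary image stays exclusive to the requesting guest is a modelling assumption.

```c
/* Added example, not the paper's or QEMU's code: a minimal model of the permission
 * switch the paper inserts into ide_sector_read()/ide_sector_write() and of the
 * close-then-open re-binding used for dynamic mounting. vdisk_state, vdisk_driver and
 * the vdisk_* functions are hypothetical stand-ins for BlockDriverState, BlockDriver
 * and drives_table. */
#include <stdint.h>
#include <string.h>

enum { SECTOR_SIZE = 512, NSECTORS = 8, MAX_PATH = 64, OWNER_NONE = -1 };
enum disk_state { DISK_RELEASED = 0, DISK_CLOSED = 1 };

/* The part of BlockDriverState the paper extends: the image path plus the
 * read/write control switching variable (state and owning guest). */
struct vdisk_state {
    char filename[MAX_PATH];
    enum disk_state state;
    int owner;                              /* guest id with exclusive access */
    int opened;
    uint8_t image[NSECTORS * SECTOR_SIZE];  /* constructed in-memory image */
};
/* BlockDriver's function-pointer table, reduced to open/close. */
struct vdisk_driver {
    int (*open)(struct vdisk_state *bs, const char *filename);
    int (*close)(struct vdisk_state *bs);
};
static int raw_open_stub(struct vdisk_state *bs, const char *filename) {
    strncpy(bs->filename, filename, MAX_PATH - 1);
    bs->filename[MAX_PATH - 1] = '\0';
    memset(bs->image, 0, sizeof bs->image);  /* a freshly opened image is empty */
    bs->opened = 1;
    return 0;
}
static int raw_close_stub(struct vdisk_state *bs) { bs->opened = 0; return 0; }
static const struct vdisk_driver raw_driver = { raw_open_stub, raw_close_stub };

/* Step a) of the remount procedure: locate the drives_table entry by image path. */
struct vdisk_state *vdisk_find(struct vdisk_state *table, int n, const char *filename) {
    for (int i = 0; i < n; i++)
        if (table[i].opened && strcmp(table[i].filename, filename) == 0)
            return &table[i];
    return NULL;
}

/* The checks placed at the sector read/write layer. Released: any guest may read,
 * nobody may write. Closed: only the owner may read and write. A refused request
 * returns -1, which the guest sees as an I/O error (section V). */
int vdisk_sector_read(struct vdisk_state *bs, int guest, unsigned sector, uint8_t *out) {
    if (!bs->opened || sector >= NSECTORS) return -1;
    if (bs->state == DISK_CLOSED && bs->owner != guest) return -1;
    memcpy(out, bs->image + sector * SECTOR_SIZE, SECTOR_SIZE);
    return 0;
}
int vdisk_sector_write(struct vdisk_state *bs, int guest, unsigned sector, const uint8_t *in) {
    if (!bs->opened || sector >= NSECTORS) return -1;
    if (bs->state != DISK_CLOSED || bs->owner != guest) return -1;
    memcpy(bs->image + sector * SECTOR_SIZE, in, SECTOR_SIZE);
    return 0;
}

/* The "close" command: the disk becomes exclusive to the requesting guest;
 * a disk already closed by another guest cannot be taken over. */
int vdisk_close_for_owner(struct vdisk_state *bs, int guest) {
    if (bs->state == DISK_CLOSED && bs->owner != guest) return -1;
    bs->state = DISK_CLOSED;
    bs->owner = guest;
    return 0;
}

/* Urgent dynamic mounting, steps b) and c): unload the at-risk image and bind the
 * same state to a temporary one. Modelling assumption: the requesting guest keeps
 * exclusive access to the temporary image. */
int vdisk_remount(struct vdisk_state *bs, const struct vdisk_driver *drv,
                  int guest, const char *new_filename) {
    if (drv->close(bs) != 0) return -1;               /* bdrv_close -> raw_close */
    if (drv->open(bs, new_filename) != 0) return -1;  /* bdrv_open -> raw_open */
    bs->state = DISK_CLOSED;
    bs->owner = guest;
    return 0;
}

/* Replays the two experiments of section V on a constructed two-entry drives_table;
 * returns the number of expectations met (VDISK_DEMO_CHECKS when all hold). */
#define VDISK_DEMO_CHECKS 8
int vdisk_demo(void) {
    static struct vdisk_state drives_table[2];
    uint8_t buf[SECTOR_SIZE];
    int ok = 0;
    memset(drives_table, 0, sizeof drives_table);
    raw_open_stub(&drives_table[0], "VD1.img");  /* system disk */
    raw_open_stub(&drives_table[1], "VD2.img");  /* shared disk */
    drives_table[0].owner = drives_table[1].owner = OWNER_NONE;
    struct vdisk_state *bs = vdisk_find(drives_table, 2, "VD2.img");
    ok += (bs == &drives_table[1]);
    /* Released: OS1 and OS2 may read, a write from OS1 is refused. */
    ok += (vdisk_sector_read(bs, 1, 0, buf) == 0);
    ok += (vdisk_sector_read(bs, 2, 0, buf) == 0);
    ok += (vdisk_sector_write(bs, 1, 0, buf) == -1);
    /* OS1 closes the disk: OS2 loses read, OS1 gains read/write. */
    ok += (vdisk_close_for_owner(bs, 1) == 0);
    ok += (vdisk_sector_read(bs, 2, 0, buf) == -1);
    memset(buf, 0xAB, sizeof buf);
    ok += (vdisk_sector_write(bs, 1, 0, buf) == 0);
    /* OS1 remounts to tmp.img: OS2 still has no access and OS1 sees an empty
     * image, so the data just written to VD2.img is no longer reachable. */
    ok += (vdisk_remount(bs, &raw_driver, 1, "tmp.img") == 0 &&
           strcmp(bs->filename, "tmp.img") == 0 &&
           vdisk_sector_read(bs, 2, 0, buf) == -1 &&
           vdisk_sector_read(bs, 1, 0, buf) == 0 && buf[0] == 0);
    return ok;
}
```

vdisk_demo() walks through both experiments and returns the number of expectations met. The point of placing the check in vdisk_sector_read/write rather than in the IDE port handlers is the one the paper makes: every guest request, whatever the image format, passes through the sector layer, so a single switching variable on the state structure is enough to revoke access in real time, and re-binding that same structure to a temporary image is what makes the revoked data unreachable rather than merely hidden.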

Figure 6 Information And Operate Function Of Virtual Disks

The specific procedure for dynamically mounting a given virtual disk (whose path is filename) is as follows.
a) Traverse the drives_table of this guest OS, looking for the pointer bs of type struct BlockDriverState whose filename field equals file_name.
b) Call the function bdrv_close registered in struct BlockDriver to dynamically unload that virtual disk (accomplished by calling the function raw_close).
c) Call the function bdrv_open to re-initialize the pointer bs and bind it to the newly mounted disk. In fact, bdrv_open calls bdrv_open2, which further calls raw_open.

V. EXPERIMENT

This paper carries out a rigorous experiment to test and verify the virtual disk access-control method designed here. The experiment is set up with one host system and two guest OSs. The host system runs a Linux 2.6.18 kernel with 4GB of memory and a 160GB hard disk. The two guest OSs run Windows XP and RHEL 4.5 respectively; both have 512MB of memory and a 10GB hard disk, and each also has a 5GB hard disk used as a spare disk.

The shared disk of guest OS1 is used for the read/write control test. Initially the shared disk is in the released state, and both guest OS1 and guest OS2 have read-only permission to it by default. Any attempted write operation to this disk is considered insecure. When OS1 sends a close command to the disk, its frontend driver delivers the command to the backend driver of Domain 0, and the specific device driver then accomplishes the close operation. At this moment the status of the shared disk is switched to the closed state, which means OS2 loses its read permission to this disk and any attempted operation on it triggers an error, while OS1 now has both read and write permission.

The shared disk of guest OS1 is also used for the dynamic mounting test. As in the former test, initially the shared disk is in the released state and both OSs have read-only permission to it. When OS1 sends out an urgent dynamic mounting operation, OS2 finds that it has lost all permission to this disk. Although the file list of this disk remains unchanged, OS2 cannot access any file it has not accessed before. In fact, these files have been temporarily mounted into another image file, tmp.img.

VI. CONCLUSION

A virtual disk device can be seen as a pure simulation of a physical disk device. The limitations of the disk device, especially the IDE device, make it impossible to control read/write permission and dynamic mounting in Windows. In this paper, a Xen-based controllable virtual disk operation is implemented, and a secure virtual disk access-control method is put forward. This method can be used for virtual block devices in the Xen environment, providing operation controllability and security without compromising efficiency.

ACKNOWLEDGMENT

This work is supported by the Guangdong-HongKong Technology Cooperation Funding Scheme No. 2007A010101003 and the Guangdong-Ministry of Education Industry-University Cooperation Funding Scheme No. 2007B090200018.

REFERENCES

[1] Wang Di, Xue Wei, Shu Jiwu, Shen Meiming. Fault Tolerance with Virtual Disk Replicas in the Mass Storage Network. Jisuanji Yanjiu yu Fazhan/Computer Research and Development, 2006
[2] Liu Jun, Yang Xuejun, Wang Junwei, Tang Yuhua. Data placement algorithms in dynamic virtual disk array. Computer Engineering and Design, 2005
[3] Liu Fagui, Su Xiang, Liu Wenqian, et al. The Design and Application of Xen-based Host System Firewall and its Extension. Electronic Computer Technology, 2009, pp. 392-395
[4] Li Qing-jun, Gan Meng. File encryption approach based on virtual disk. Computer Engineering and Design, 2006
[5] Chen Bin, Xiao Nong, Cai Zhiping, et al. An Optimized COW Block Device Driver in VMM for Fast, On-Demand Software Deployment. Embedded and Ubiquitous Computing, 2008
[6] Gebhardt C., Tomlinson A. Secure Virtual Disk Images for Grid Computing. APTC '08, Third Asia-Pacific, 2008
[7] Payne B.D., de Carbone M.D.P., Lee Wenke. Secure and Flexible Monitoring of Virtual Machines. ACSAC 2007, Twenty-Third Annual, 2007
[8] Liu Fagui, Wu Gang, Zhou Ming. The Research & Implementation of Xen-based Operable and Secure Virtual Environment. 2009 International Conference on Computational Intelligence and Software Engineering, CiSE 2009, Dec. 2009, Wuhan, China
[9] Liu Fagui, Zhou Wei, Zhou Ming. A Xen-based Data Sharing & Access Controlling Method. IITA 2009, Nov. 2009, Nanchang, China
