Abstract

With attack surfaces totalling many tens of millions of lines of code, common endpoint applications and operating systems pose an easy target for attackers. Users are easily duped into exposing their systems to attack through a variety of means such as malicious email/chat links and attachments, and poisoned web sites and downloads.

This talk looks at how a hypervisor can be used to radically improve the security of endpoint devices by robustly isolating user activities without changing the user experience. A new VM can be created for each task the user performs (clicking on a link, opening a document etc), and will have access to just the resources needed for that task and no more. The VM lives just for the duration of the task and can then be disposed of, with only explicitly expected changes persisted. Threats are thus contained and rendered harmless. Further, the hypervisor can be used to isolate user applications and data that are more trusted than the host operating system itself, providing confidentiality and integrity to the most critical tasks.

I will give an overview of some of the many technical challenges involved in building such a system and making it transparent to the end user. I will then relate our experiences securing the hypervisor itself, the lessons learned over two decades of security-critical hypervisor design that fed in to the current architecture and implementation.