Professional Documents
Culture Documents
PDF Practical Security Properties On Commodity Computing Platforms The Uber Extensible Micro Hypervisor Framework Amit Vasudevan Ebook Full Chapter
PDF Practical Security Properties On Commodity Computing Platforms The Uber Extensible Micro Hypervisor Framework Amit Vasudevan Ebook Full Chapter
https://textbookfull.com/product/towards-extensible-and-
adaptable-methods-in-computing-shampa-chakraverty/
https://textbookfull.com/product/modern-data-architecture-on-aws-
a-practical-guide-for-building-next-gen-data-platforms-on-aws-
behram-irani/
https://textbookfull.com/product/security-strategies-in-linux-
platforms-and-applications-michael-jang/
https://textbookfull.com/product/commodity-the-global-commodity-
system-in-the-21st-century-1st-edition-photis-lysandrou/
Security Strategies in Windows Platforms and
Applications Fourth Edition Shimonski
https://textbookfull.com/product/security-strategies-in-windows-
platforms-and-applications-fourth-edition-shimonski/
https://textbookfull.com/product/nuclear-magnetic-resonance-
vasudevan-ramesh/
https://textbookfull.com/product/handbook-of-multimedia-
information-security-techniques-and-applications-amit-kumar-
singh/
https://textbookfull.com/product/from-security-to-community-
detection-in-social-networking-platforms-panagiotis-karampelas/
https://textbookfull.com/product/practical-mobile-forensics-a-
hands-on-guide-to-mastering-mobile-forensics-for-the-ios-android-
and-the-windows-phone-platforms-3rd-edition-rohit-tamma/
SPRINGER BRIEFS IN COMPUTER SCIENCE
Amit Vasudevan
Practical Security
Properties on
Commodity
Computing Platforms
The uber eXtensible
Micro-Hypervisor
Framework
123
SpringerBriefs in Computer Science
Series editors
Stan Zdonik, Brown University, Providence, RI, USA
Shashi Shekhar, University of Minnesota, Minneapolis, MN, USA
Xindong Wu, University of Vermont, Burlington, VT, USA
Lakhmi C. Jain, University of South Australia, Adelaide, SA, Australia
David Padua, University of Illinois Urbana-Champaign, Urbana, IL, USA
Xuemin Sherman Shen, University of Waterloo, Waterloo, ON, Canada
Borko Furht, Florida Atlantic University, Boca Raton, FL, USA
V. S. Subrahmanian, Department of Computer Science, University of Maryland,
College Park, MD, USA
Martial Hebert, Carnegie Mellon University, Pittsburgh, PA, USA
Katsushi Ikeuchi, Meguro-ku, University of Tokyo, Tokyo, Japan
Bruno Siciliano, Dipartimento di Ingegneria Elettrica e delle Tecnologie
dell’Informazione, Università di Napoli Federico II, Napoli, Italy
Sushil Jajodia, George Mason University, Fairfax, VA, USA
Newton Lee, Institute for Education, Research, and Scholarships, Los Angeles,
CA, USA
SpringerBriefs present concise summaries of cutting-edge research and practical
applications across a wide spectrum of fields. Featuring compact volumes of 50 to
125 pages, the series covers a range of content from professional to academic.
Typical topics might include:
• A timely report of state-of-the art analytical techniques
• A bridge between new research results, as published in journal articles, and a
contextual literature review
• A snapshot of a hot or emerging topic
• An in-depth case study or clinical example
• A presentation of core concepts that students must understand in order to make
independent contributions
Briefs allow authors to present their ideas and readers to absorb them with
minimal time investment. Briefs will be published as part of Springer’s eBook
collection, with millions of users worldwide. In addition, Briefs will be available
for individual print and electronic purchase. Briefs are characterized by fast, global
electronic dissemination, standard publishing contracts, easy-to-use manuscript
preparation and formatting guidelines, and expedited production schedules. We
aim for publication 8–12 weeks after acceptance. Both solicited and unsolicited
manuscripts are considered for publication in this series.
123
Amit Vasudevan
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA, USA
This Springer imprint is published by the registered company Springer Nature Switzerland AG.
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
To my loving wife, Deepa, who continues to
transform my imperfections into perfections,
just by the touch of her love.
To my dear sons, Arjun and Akshay,
without whom this book would have been
completed 2 years earlier!
And finally, to my brother and parents who
are very surprised that I am an author
(again!).
With my second book, the dedication to my
family remains; they are always in my heart.
Foreword
My first direct interaction with Amit happened over a decade ago. It was early in
my research career and, like many in a similar stage, I was a program committee
member for a prestigious academic conference on systems. That meant I had to
carefully review conference submissions to decide on merit, giving everyone a fair
chance, and picking the papers that deserved to be published. One of the papers I
had reviewed was Amit’s.
He and his coauthors had crammed reams of detailed information into the
measly 11-page submission limit. After they tightened the language and shrank
the illustrations and still could not fit in everything they needed to tell a coherent
compelling story, they started shrinking paragraphs here and there, shrinking
possible white spaces, until they could barely pass the guidelines and test of the
automated format checker at the conference submission website.
I was absolutely horrified! Feeling the burden of impartiality and equal opportu-
nity weighing heavy on me, I was incensed by the apparent violation of the spirit of
the guidelines. But I was conflicted, because I also loved the work. It was careful,
principled, and used existing hardware facilities in an ingenious way to enable rich
interaction between low-level and high-level software securely and efficiently. As
the back-and-forths between the contact author, Amit, and the committee began, one
thing was obvious: there was a lot of passion. Amit and his coauthors had something
deep, complicated, and important to say; they felt it had to be said precisely and
without compromise on detail and completeness; and they were willing to do all
they could to say it well.
This book represents this opportunity. It distills and systematizes Amit’s and his
coauthors’ research over more than a decade toward building system support below
the operating system for secure and verifiable software. The micro-hypervisor, the
star of this book, is at the core of this challenge. It provides necessary software
functionality on which the entire software edifice above must rely to implement its
services and to be kept accountable and honest. That is a key challenge: in a world
of outsourced computing, it is not only applications but also the operating system
that must be helped and contained, kept fast and kept in check. This fundamental
vii
viii Foreword
Competitive markets with low cost of entry, little or no regulation, and no liability
will continue to foster innovative, attractively priced, large commodity platforms.
Such commodity platforms are inherently untrustworthy in nature, comprising
disparate hardware and diverse-origin software components with uncertain security
guarantees.
This book discusses the uber eXtensible Micro-hypervisor Framework
(UBERXMHF), a novel micro-hypervisor system security architecture and
framework that can isolate security-sensitive applications from other untrustworthy
applications on commodity platforms, enabling their safe coexistence and
facilitating runtime monitoring of the untrustworthy components.
UBER XMHF focuses on three goals which are keys to achieving practical secu-
rity on commodity platforms: (a) commodity compatibility (e.g., runs unmodified
Linux and Windows) and unfettered access to platform hardware; (b) efficient
implementation; and (c) low trusted computing base and complexity.
UBER XMHF strives to be a comprehensible, practical, and flexible platform for
performing micro-hypervisor research and development. UBERXMHF encapsulates
common hypervisor core functionality in a framework that allows developers
and users to build custom micro-hypervisor-based (security-sensitive) applications
(called “uberapps”).
ix
x Preface
Availability
We are encouraged by the end result—a clean, barebones, low trusted computing
base micro-hypervisor framework for commodity platforms with desirable perfor-
mance characteristics and an architecture amenable to manual audits and/or formal
reasoning. Active, open-source development of UBERXMHF continues at: https://
uberxmhf.org.
We welcome contributions from new developers, researchers, and pretty much
anyone interested in low-level system security and tinkering. More information on
how to contribute and get involved can be found at the aforementioned web portal.
Some might believe that this entire book is the sole responsibility of a single author.
They would be wrong.
The author is especially grateful to his long-time collaborator and good friend
Dr. Petros Maniatis, who incessantly urged the author to begin organizing his ideas
and thoughts from when it all began!
The author is also grateful to the following collaborators whose insights and
enthusiasm have greatly enriched the author’s research work over the past decade:
Drs. Adrian Perrig, Virgil Gligor, Anupam Datta, Sagar Chaki, Limin Jia, Leendert
van Doorn, Bryan Parno, Jonathan M. McCune, James Newsome, Yanlin Li, Qu
Ning, Zongwei Zhou, Miao Yu, Mr. Emmanuel Owusu, and Chen Chen.
The author would also like to thank Bill Hohl and Joe Bungo at ARM for
generously providing technical information and research hardware and software in
partial support of this work.
The last thank you the author would like to give is to his research colleagues
at Software Engineering Institute, Carnegie Mellon University, Drs. Grace Lewis,
Dionisio De Niz, Mark Klein, and Ruben Martins, for their unwavering belief and
support towards the author’s quest for building verifiable and trustworthy computing
systems.
This research was supported by CyLab at Carnegie Mellon University (CMU),
Northrop Grumman Corp., Intel Science and Technology Center (ISTC), and
Google Inc. The views and conclusions contained here are those of the authors
and should not be interpreted as necessarily representing the official policies or
endorsements, either express or implied, of CyLab, CMU, Northrup Grumman
Corp., Intel Corp., Google Inc., or the U.S. Government or any of its agencies.
xi
Copyright
Intel, the Intel Logo, and any other trademark found on the Intel Trademarks
List that are referred to or displayed in this book are trademark(s) or registered
trademark(s) of Intel Corp. or its subsidiaries.
AMD, the AMD Logo, and any other trademark found on the AMD Trademarks
List that are referred to or displayed in this book are trademark(s) or registered
trademark(s) of AMD Inc. or its subsidiaries.
ARM, the ARM Logo, and any other trademark found on the ARM Trademarks
List that are referred to or displayed in this book are trademark(s) or registered
trademark(s) of ARM Ltd or its subsidiaries.
Apple is a registered trademark of Apple Inc.
Windows is a registered trademark of Microsoft Corp.
Linux is a registered trademark of Linus Torvalds.
Other names may be trademarks of their respective owners.
xiii
Contents
xv
xvi Contents
2.3 Non-goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.4 Attacker Model and Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.1 “Rich” Single-Guest Execution Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.2 Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.3 µHV Core and Uberguest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4 Uberguest Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.5 Uberapps and Uberapp Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.6 Attested Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.7 Protections via Trap-Inspect-Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.8 Secure Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
4 UBER XMHF Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.2 Startup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.3 UBERXMHF Distributor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.4 Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5 UBER XMHF Implementation on x86 Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.1 Rich-Guest Execution Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2 µHV Core and Uberguest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5.3 Uberguest Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
5.4 Uberapps and Uberapp Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.5 Attested Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.6 Protections via Trap-Inspect-Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
5.7 Secure Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6 UBER XMHF Implementation on ARM Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.1 Raspberry PI Platform Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.2 Rich-Guest Execution Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.3 µHV Core and Uberguest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.4 Uberguest Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.5 Uberapps and Uberapp Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.6 Attested Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.7 Protections via Trap-Inspect-Forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.8 Secure Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
7 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
7.1 Trusted Computing Base (TCB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
7.2 UBERXMHF Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
9 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Micro-Hypervisor Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2 Red-Green Compartmentalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
3 Efficient Attestation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4 Approved Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Contents xvii
5 Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6 Verifiable Resource Accounting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
7 Application Sandboxing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
8 Trusted Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
9 On-Demand I/O Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
10 Execution Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Acronyms
Abstract In this chapter we will discuss what micro-hypervisors are and why they
are important. We will present a discussion on competing system architectures and
delineate the capabilities and importance of micro-hypervisors.
1 Introduction
1 https://github.com.
3 Micro-Kernel Architectures
4 Hybrid-Kernel Architectures
XNU which is based upon code from the Mach kernel and FreeBSD’s monolithic
kernel (Apple WWDC Videos, 2017). They are similar to micro kernels, except they
include some additional code in kernel-space to increase performance.
Hybrid-kernel architectures represent a compromise between pure monolithic
and pure micro-kernel- based approaches. This implies running some services (such
as the network stack or the filesystem) in kernel space to reduce the performance
overhead of a traditional micro-kernel, but still running kernel code (such as device
drivers) as servers in user space.
A few advantages to the modular (or) Hybrid-kernel are: (a) faster development
time for drivers that can operate from within modules; (b) on demand capability
versus spending time recompiling a whole kernel for things like new drivers or
subsystems; and (c) faster integration of third party technology and development
practices.
In hybrid-kernel architectures, modules generally communicate with the kernel
using a module interface of some sort. The interface is generalized (although
particular to a given operating system) so it is not always possible to create and
use modules. For example, the device drivers may need more flexibility than the
module interface affords. The module interface is essentially two system calls and
often the safety checks that only have to be done once in the monolithic kernel now
may be done twice.
Some of the disadvantages of the modular approach are: (a) with more interfaces
to pass through, the possibility of increased bugs exists (which implies more security
holes); and (b) maintaining modules can be confusing for some administrators and
system developers when dealing with problems like symbol differences.
5 Hypervisor Architectures
6 Micro-Hypervisor Architecture
hardware primitives to the guest. Monolithic kernel fall next in line in terms of
being able to use most of the hardware functionality except for those reserved
for hypervisor use (e.g., hypervisor mode execution). Micro-kernels only rely on
message passing and hence their use of hardware primitives is limited whereas
hybrid-kernels fall in between monolithic and micro-kernels in terms of the system
hardware capabilities that can be harnessed.
References
Accetta MJ, Baron RV, Bolosky WJ, Golub DB, Rashid RF, Tevanian A, Young M (1986) Mach: a
new kernel foundation for UNIX development. In: Proceedings USENIX summer conference.
USENIX Association, pp 93–113
Apple WWDC videos (2017) “Apple WWDC 2000 Session 106—Mac OS X: Kernel” via YouTube
Chen H, Zhang F, Chen C, Yang Z, Chen R, Zang B, Mao W (2007) Tamper-resistant execution in
an untrusted operating system using a virtual machine monitor. Technical report FDUPPITR-
2007-0801. Parallel Processing Institute/Fudan University, Fudan
Chen X, Garfinkel T, Lewis EC, Subrahmanyam P, Waldspurger CA, Boneh D, Dwoskin J,
Ports DRK (2008a) Overshadow: a virtualization-based approach to retrofitting protection in
commodity operating systems. In: Proceedings of ASPLOS, Seattle, WA
Chen X, Garfinkel T, Lewis EC, Subrahmanyam P, Waldspurger CA, Boneh D, Dwoskin J,
Ports DR (2008b) Overshadow: a virtualization-based approach to retrofitting protection
in commodity operating systems. In: Proceedings architectural support for programming
languages and operating systems
Chen C, Maniatis P, Perrig A, Vasudevan A, Sekar V (2013) Towards verifiable resource accounting
for outsourced computation. In: Proceedings of ACM VEE. ACM, New York, pp 167–178
Cheng Y, Ding X, Deng R (2013) AppShield: protecting applications against untrusted operating
system. Technical report SMU-SIS-13-101. Singapore Management University, Singapore
CVE (2007a) Elevated privileges. CVE-2007-4993
CVE (2007b) Multiple integer overflows allow execution of arbitrary code. CVE-2007-5497
Dinaburg A, Royal P, Sharif M, Lee W (2008) Ether: malware analysis via hardware virtualization
extensions. In: Proceedings of ACM CCS 2008
Doug Chamberlain. Containers vs. virtual machines (VMs): what’s the difference? https://blog.
netapp.com/blogs/containers-vs-vms/
Elhage N (2011) Virtunoid: breaking out of KVM. DEFCON 19. https://www.defcon.org/html/
defcon-19/dc-19-index.html
Engler DR, Kaashoek MF, O’Toole J (1995) Exokernel: an operating system architecture for
application-level resource management. In: Proceedings symposium on operating system
principles. ACM, New York, pp 251–266
Fattori A, Paleari R, Martignoni L, Monga M (2010) Dynamic and transparent analysis of
commodity production systems. In: Proceedings of IEEE/ACM ASE 2010
Kaashoek MF, Engler DR, Ganger GR, Briceaso HM, Hunt R, Mazires D, Pinckney T, Grimm R,
Jannotti J, Mackenzie K (1997) Application performance and flexibility on exokernel systems.
In: Proceedings of the sixteenth ACM symposium on operating systems principles, pp 52–65
Hansen PB (1970) The nucleus of a multiprogramming system. Commun ACM 13(4):238–241.
https://doi.org/10.1145/362258.362278
Hennessey J, Tikale S, Turk A, Kaynar EU, Hill C, Desnoyers P, Krieger O (2016) HIL: designing
an exokernel for the data center. In: Proceedings symposium on cloud computing. ACM, New
York, pp 155–168. https://doi.org/10.1145/2987550.2987588
References 9
Hofmann OS, Kim S, Dunn AM, Lee MZ, Witchel E (2013) InkTag: secure applications on an
untrusted operating system. In: Proceedings international conference on architectural support
for programming languages and operating systems
Hohmuth M, Peter M, Härtig H, Shapiro JS (2004) Reducing TCB size by using untrusted com-
ponents: small kernels versus virtual-machine monitors. In: Proceedings SIGOPS European
workshop. ACM, New York, Article 22. https://doi.org/10.1145/1133572.1133615
Information Assurance Directorate 2007 (2007) US government protection profile for separation
kernels in environments requiring high robustness
Karger P, Safford D (2008) I/O for virtual machine monitors: security and performance issues.
IEEE Secur Priv 6(5):16–23. https://doi.org/10.1109/MSP.2008.119
Lampson B (2004) Software components: only the giants survive. Comput Syst. Theory Technol
Appl (9):137–145
Li Y, Perrig A, McCune J, Newsome J, Baker B, Drewry W (2014) MiniBox: a two-way sandbox
for x86 native code. Technical report CMU-CyLab-14-001. Carnegie Mellon University,
Pittsburgh
Liedtke J (1993) Improving IPC by Kernel design. SIGOPS Oper Syst Rev 27(5):175–188. https://
doi.org/10.1145/173668.168633
Liedtke J (1996) Toward real microkernels. Commun ACM 39(9):70–77. https://doi.org/10.1145/
234215.234473
McCune JM, Parno B, Perrig A, Reiter MK, Isozaki H (2008) Flicker: an execution infrastructure
for TCB minimization. In: Proceedings European conference in computer systems
McCune JM, Li Y, Qu N, Zhou Z, Datta A, Gligor V, Perrig A (2010) Trust visor: efficient TCB
reduction and attestation. In: Proceedings IEEE symposium on security and privacy
McKeen F, Alexandrovich I, Berenzon A, Rozas CV, Shafi H, Shanbhogue V, Savagaonkar UR
(2013) Innovative instructions and software model for isolated execution. In: Proceedings
international workshop on hardware and architectural support for security and privacy
NSA security-enhanced linux. https://www.nsa.gov/What-We-Do/Research/SELinux/
NTT Data Corp. TOMOYO linux. https://tomoyo.osdn.jp/index.html.en
openSUSE (2018) AppArmor. http://en.opensuse.org/AppArmor
Operating systems/kernel models—“Wikiversity”. en.wikiversity.org
Oracle Corp. Understanding and using trusted extensions in Oracle Solaris 11. https://www.oracle.
com/technetwork/articles/servers-storage-admin/sol-trusted-extensions-1957756.html
Recordings of the debate between Torvalds and Tanenbaum can be found at dina.dk Archived 2012-
10-03 at the Wayback Machine, groups.google.com, oreilly.com and Andrew Tanenbaum’s
website
Rushby JM (1981) Design and verification of secure systems. SIGOPS Oper Syst Rev 15(5):12–21.
https://doi.org/10.1145/1067627.806586
Russell M “What Is Darwin (and How It Powers Mac OS X)”. O’Reilly Media. quote: “The tightly
coupled nature of a monolithic kernel allows it to make very efficient use of the underlying
hardware [. . . ] Microkernels, on the other hand, run a lot more of the core processes in userland.
[. . . ] Unfortunately, these benefits come at the cost of the microkernel having to pass a lot of
information in and out of the kernel space through a process known as a context switch. Context
switches introduce considerable overhead and therefore result in a performance penalty
Quist D, Liebrock L, Neil J (2011) Improving antivirus accuracy with hypervisor assisted analysis.
J Comput Virol 7(2):121–131
Sahita R, Warrier U, Dewan P. (2009) Protecting critical applications on mobile platforms. Intel
Technol J 13(2):16–35
Shapiro JS, Smith JM, Farber DJ (2000) EROS: a fast capability system. SIGOPS Oper Syst Rev
34(2):21–22. https://doi.org/10.1145/346152.34619
Sharif MI, Lee W, Cui W, Lanzi A (2009) Secure in-VM monitoring using hardware virtualization.
In: Proceedings of ACM CCS, pp 477–487
Shinagawa T, Eiraku H, Tanimoto K, Omote K, Hasegawa S, Horie T, Hirano M, Kourai K, Oyama
Y, Kawai E, Kono K, Chiba S, Shinjo Y, Kato K (2009) BitVisor: a thin hypervisor for enforcing
10 Micro-Hypervisors: What? Why?
1 Introduction
1 Peripheral
Component Interconnect Express (PCIe) is a successor to the Peripheral Component
Interconnect (PCI (Shanley and Anderson, 1999)) system architecture.
2 Elements of x86 Hardware Virtualization 13
non-hardware virtualized x86 architecture. Both the PCIe and x86 architectures
define precise methods for moving data to and from system memory. This standard-
ization serves as a guide for the remainder of this section. To maintain generality,
where applicable, we adhere to the PCIe terminology instead of using CPU/vendor
specific terms.
2.1 Overview
2 While the PCIe bus is the industry standard for connecting various components in the system, both
Intel and AMD platforms employ proprietary buses to connect the Northbridge and Southbridge
(Quick Path Interconnect and HyperTransport).
3 Recent Intel-VT platforms use the term Memory Controller Hub (MCH) in place of the
Northbridge.
4 Recent Intel-VT platforms use the term Graphics and Memory Controller Hub (GMCH) to
But though the civil strife was ended, the injury it had inflicted was well nigh
incurable. It is to be reckoned chief among the causes of the weakness in after
years that made it possible—and, in the judgment of some, necessary and
justifiable—for the British government to thrust in its strong hand and subvert the
independent but [156]tottering republic that it might substitute therefor a more
stable colonial administration. The treasury had been impoverished. Taxes were
uncollected and irrecoverable. Salaries and other public liabilities were heavily in
arrears. Worse than all these, the republic had forfeited the confidence of other
nations to that degree that no one believed in its stability. Even its nearest
neighbor and sister republic, the Orange Free State, no longer desired union,
preferring to stand alone before the constant menace of the Basutos rather than
to be joined with a country wherein efficient government seemed to have
perished. To make matters still worse, the discord among the whites was turned
to advantage by their colored foes.
When the several factions in the Transvaal united on Mr. Pretorius as their
executive head, in 1864, the white population, all told, did not exceed 30,000—
less than one person to three square miles—while the blacks in the same
territory numbered hundreds of thousands. During the three years succeeding
1861 the prevailing anarchy made it impossible to give attention to cessions of
land agreed to by the Zulu chiefs. In consequence, the boundaries had not been
fixed, and these districts remained unoccupied by the [157]whites. With the
restoration of something like order in 1864, the government realized that its
relations with some of its native neighbors required definition and formal
settlement. This was successfully done, and the lines mutually agreed upon
between the whites and the native authorities were duly marked.
A leading spirit among the Zulus of this time was Cetawayo, a chief of
remarkable subtlety and power. In less than two months after the settlement and
marking of boundaries in the southern region of the Transvaal Cetawayo found
some pretext for repudiating his bargain, appeared on the borders of Utrecht at
the head of a Zulu army, in February, 1865, and removed the landmarks so
lately set up. During the negotiations that followed, Cetawayo did not appear at
any conference, but the presence of his force on the border so far affected the
final settlement that the boundary was changed near the Pongolo River,
restoring a small district in that region to Zululand.
This was a time of perpetual struggle with the blacks. Some of the tribes had
been made tributary to the Republic, others were practically independent, and
with these frequent and cruel wars were waged. Unspeakable atrocities were
[158]perpetrated on both sides—the Kaffirs slaughtering without mercy such white
families as they were able to surprise in a defenseless state, and the Africanders
inflicting vengeance without mercy when they came upon the savages in kraal or
mountain stronghold.
The whites could always defeat the natives in a pitched battle, but to hold so
vast a number in subjection was beyond their power. And they seem to have
relished everything connected with an expedition against the blacks but the
expense; they had an invincible dislike to paying taxes for any purpose.
The public treasury was in a state of chronic emptiness. The paper currency
depreciated more and more till in 1870 its purchasing value [159]was only twenty-
five per cent of its face value. Public works and proper internal administration
were unknown. Largely, every man’s will was his law, which he was disposed to
enforce upon others—whether black or white—by the strong hand.
In 1872 Mr. Pretorius became cordially disliked by the people and was forced to
resign the presidency, because he had accepted the finding of the arbitration
which awarded the diamond fields to Nicholas Waterboer instead of to the
Transvaal Republic. His successor, Mr. Burgess, a native of Cape Colony and
an unfrocked clergyman of the Dutch Reformed Church, was an unfortunate
choice. Learned, eloquent and energetic, he was nevertheless deficient in
practical business wisdom and in political acumen, and he was much distrusted
by the burghers on account of his theological opinions. Some of them charged
that he was guilty of maintaining that the real Devil differed from the pictures of
him in the old Dutch Bibles, in that he had no tail. For this and worse forms of
heterodoxy he was blamed as the cause of the calamities experienced by the
nation during his presidency. Mr. Burgers is said to have formed many visionary
though patriotic plans for the development [160]of his country and the extension
of the Africander power over the whole of South Africa, but his people were not
of the sort that could appreciate them, nor had he command of resources
sufficient to carry them out.
In fact, the weak and disordered condition of the republic exposed its own
people—many of whom were British subjects—to immediate and frightful
danger. Moreover, it constituted a danger to all the European communities in
South Africa. In the event of two such chiefs as Sikukuni and Cetawayo joining
forces against the [161]whites and prevailing, as they seemed able and likely to
do, over the frontier civilization in the Transvaal Republic, nothing could prevent
them from moving in strength against the Free State on the south, and Natal on
the southeast, and later, against Cape Colony itself.
It was not without cause, therefore, that the British government resolved to avert
the threatened conflict. There were two possible ways of doing this. Britain might
have taken the field as a friendly ally, making common cause with the Transvaal
Republic against a common danger, and leaving its independence intact. The
other way was to annex the Transvaal territory, subvert its republican
government, and give it the status and administration of a British colony. There
is no record to show that the British government ever entertained the thought of
acting as the ally of the republic. On the contrary, Sir Theophilus Shepstone was
appointed as imperial commissioner to visit the scene of danger and examine
into the state of the country. He was secretly instructed and authorized to
proclaim the immediate annexation of the Transvaal territory to the British
dominions in South Africa in case he deemed it necessary for the general safety
[162]to do so, and if, in his judgment, a majority of the people would favor the
step.
After three months spent in observing and studying the situation Sir Theophilus
Shepstone, acting under the secret instructions given him, on the 12th of April,
1877, declared The Transvaal Republic annexed, for protection, to British
dominions in South Africa. His act was indorsed officially by the resident British
High Commissioner at the Cape, and by the Secretary of the Colonial Office in
England. In 1879 the Territory was declared a crown colony of Great Britain.
Thus, in the third contact of Boer and Briton, an independent republic was
deprived of its independence by the self-same power that had guaranteed it in
1852, and was reduced to the status of a crown colony without the formal
consent of its people and against the protests of many of them.
Before closing this chapter of events connected with this arbitrary and startling
measure, it will be well to consider some further facts which belong to the setting
in which the act should be viewed. Mr. Burgers, the president, had repeatedly
warned the people that unless certain reforms could be effected they must lose
their independence. They agreed with him, but did nothing [163]to carry out the
necessary reforms, nor would they pay taxes. Mr. Burgers was not strong with
any party in the country. One section of the people were for Paul Kruger, his rival
candidate for the approaching presidential election. Another party—principally
English settlers—favored annexation. Besides, he had estranged the great body
of the people by his heterodox opinions in theology. Being helpless, Mr. Burgers
recorded his personal protest against annexation and returned to the Cape,
where he lived on a pension granted him in consideration of his having spent all
his private fortune in the service of his country.
Mr. Kruger—then the vice-president, the entire executive council, and the
volksraad, all protested against the annexation; and delegates were sent to
London to carry the protest to the foot of the British throne. The mass of the
people made no resistance at the time, nor did they express much displeasure;
but, a little later, a large majority of them signed a petition praying for a reversal
of the act of annexation. Their temporary acquiescence in the loss of
independence was due, no doubt, to the depressing fears that had so lately
burdened them, and a sense of [164]relief in knowing that now the Kaffir invasion
that had threatened their very existence would be repelled by the military power
of Great Britain. [165]
[Contents]
CHAPTER XI.
THE AFRICANDERS’ FIRST WAR OF INDEPENDENCE.
Notwithstanding their native love of independence, and their protest to the British
throne against the act of annexation, the Africanders of the Transvaal might have
acquiesced in the British rule had they been fairly treated. There was a good
promise of peace at first. The finances of the country were at once relieved by
the expenditure of English money in liberal amounts. Numbers of the leading
Africanders retained their official positions at the request of the British
commissioner, Sir Theophilus Shepstone. It is only reasonable to suppose that
the people at large would have settled down to permanent content as British
subjects had the affairs of the newly constituted colony been administered to the
satisfaction of the leaders.
But, instead of following a policy dictated alike by wisdom and righteousness, the
very opposite seems to have been the rule observed in [166]the attempt to govern
these new and most difficult subjects of the British crown. A number of mistakes
—so called—were made which, as even Canon Knox Little admits, were a
sufficient justification of the Africander leaders in plotting and agitating against
the British connection.
The first of these mistakes was the too early recall of Sir Theophilus Shepstone,
who had so deftly managed the bloodless though arbitrary annexation, who knew
the country well and was much respected by the people. In place of his rule as
special commissioner was substituted an administration under Sir Bartle Frere as
governor of Cape Colony and British High Commissioner for South Africa. There
being no representative government in the Transvaal after annexation, the
administration became, perhaps necessarily, autocratic both in form and in spirit.
Sir William Owen Lanyon, who had been appointed governor of the Transvaal,
was an officer of some renown in dealing successfully with native uprisings, but
proved totally unfit for the delicate management required in governing the
Africanders. He has been described as haughty and arrogant in mind, indisposed
to excuse the rudeness of the Transvaal farmers, and incapable of tolerating the
social equality so dear to them. [167]His swarthy complexion, also, made against
his popularity, for it suggested the possibility of a strain of black blood in his veins
—a blemish unpardonable in the eyes of any slaveholding people. Under his rule
complaints were ignored, taxes were levied and peremptorily collected by
distraint, and soon the latent discontent broke out into open and active
disaffection.
The second mistake—if it does not deserve a harsher name—was the failure to
institute the local self-government by representatives promised by Sir Theophilus
Shepstone when he proclaimed annexation. The text of that part of the
proclamation reads thus:
“And I further proclaim and make known that the Transvaal will remain a separate
government, with its own Laws and Legislature, and that it is the wish of her Most
Gracious Majesty that it shall enjoy the fullest legislative privileges compatible
with the circumstances of the country and the intelligence of the people. That
arrangement will be made by which the Dutch language will practically be as
much the official language as the English. All laws, proclamations and
government notices will be published in the Dutch language; and in the courts of
law the same may be done at the option of suitors to a [168]case. The laws so in
force in the State will be retained until altered by competent legislative authority.”
CECIL J. RHODES.
Not one of these promises was ever fulfilled. The volksraad was never convened.
The promised constitution of local self-government was never promulgated.
Instead of redeeming these promises the Transvaal was put upon the status of a
crown colony in 1879, and the legislature proposed for it was to consist of some
crown officials and six members—all to be the nominees of the governor.
Mr. Bryce, in his “Impressions of South Africa,” calls this failure to redeem a
promise authoritatively made as a concession to a people whose independence
was being arbitrarily subverted, a “blunder.” Canon Little uses a still softer term,
calling it a “mistake”; and adds, “It was given in good faith, and in good faith was
received. Sir Theophilus Shepstone tried to fulfill it. He at once submitted his
views as to the necessary legislative arrangements. No action whatever was
taken on it, either by Conservatives or Liberals, and his dispatch is probably lying
uncared for in the Colonial Office now!”—(1899.)
One real and very serious blunder was committed, if one judges of it from the
view point of the policy intended to be pursued in the Transvaal by the British
government. The Africanders had accepted, under protest, the act of annexation
mainly because they were in mortal fear of the Zulus. That reason for submission
the British proceeded to remove by overthrowing the Zulu power.
In the northeast Sir Garnet Wolseley defeated Sikukuni and established what
promised to be a permanent peace. In 1879 Sir Bartle Frere inflicted a like
reverse upon Cetawayo, in the southeast, and so completed the subjugation of
the Zulus. The blunder in taking this course declared itself when, after subduing
the natives at great cost of blood and treasure, the British found that in so doing
they had relieved the Africanders of the one fear that thus far had prevented
them from reasserting their independence.
Many people, both in England and in South [170]Africa, regarded the annexation
of the Transvaal as final. But leading members of the Liberal party, then in
opposition, had emphatically condemned it, and this had raised hopes in the
Transvaal Africanders and their sympathizers in England that when Gladstone
came into power again the things which they regarded as wrong would be
righted. Such hopes were doomed to disappointment.
In 1880 the Liberals carried the country and took office in April of that year.
Guided by information derived from the crown officials in South Africa, the new
ministers were misled as to the measure of discontent in the Transvaal, and
declared that the act of annexation would not be reversed.
This flat refusal brought matters to an immediate issue. The Transvaal burghers,
though they had continued to agitate and protest and memorialize the throne,
had waited with considerable patience for three years, hoping for either a
restoration of their independence or—as the next best thing—the instituting of
such a representative local government as had been promised them by the
imperial authorities. But now the new Liberal government, after using the
Transvaal grievances for electioneering purposes, [171]had refused to consider
and redress those grievances; the military administration of a mere crown colony
continued in full force under the detested Sir William Owen Lanyon; and there
appeared to be no hope that the promises made to mollify their indignation when
their independence was being subverted would ever be fulfilled.
It has been said, in extenuation, that the British government of this time was too
busy with other pressing matters to give the attention necessary to a correct
understanding of the condition, and the rights and the wrongs, of the Transvaal
Africanders. And it has been said, in further extenuation, that there was an
honest intention on the part of the government to fulfill the promises made—
some time—as soon as the authorities could get to it. Be that as it may, at the
end of three years, which had brought no betterment of their state, the burghers
concluded that their protests and their patience had been wasted, and
determined to wait no longer.
The first battles of this war were little more than skirmishes. The British troops
were scattered through the country in small detachments, which the Africanders
—every man of whom was a marksman and an experienced fighter—found it
easy to either cut off or drive before them to positions that could be fortified.
The nearest available British troops, besides those already in the Transvaal,
were in Natal. General Sir George Colley, governor of that colony, raised what
force he could and marched northward to check the uprising. Before he could
enter the Transvaal, however, Commandant-General Joubert crossed the border
into Natal and took up a strong position at Laing’s Nek. This now historic spot is a
steep ridge forming the watershed between the Klip River, a tributary of the Vaal,
and Buffalo River, a confluent of the Tugela, which flows into the Indian Ocean.
Here a sanguinary battle was fought on the 28th of January, 1881. The British
attacked the Africanders with great spirit, but Joubert’s position was invulnerable.
The ridge protected his men from the artillery fire of the British, [173]while they, in
charging up the slope, were cut down by the accurate rifle fire of the Africanders,
and forced to retreat. On the 8th of February, in the same neighborhood, on the
Ingogo heights, the British were again defeated after suffering severe loss.
General Colley now decided to seize by night Majuba Hill, which is really a
considerable mountain, rising nearly 2,000 feet above Laing’s Nek, and
commanding that ridge for the purpose of artillery fighting. On the night of
February 26th, leaving the main body of his army in camp, and unaccountably
forgetting to order it to advance on the enemy so as to divert attention from his
tactical movement, General Colley led a smaller division to the top of Majuba Hill.
The burgher force was thrown into temporary dismay when they first observed
British soldiers in that commanding position. But when there was no advance
against them in front, and no artillery fire from the top of Majuba, they sent out a
volunteer party to storm the hill. The story of that charge has gone into history to
stay as an example, on the one side, of rugged bravery and splendid courage
achieving victory, and on the other of equal bravery and courage strangely
betrayed by some one’s blunder into defeat and [174]ruinous disaster. Why the
main force of the British army was not ordered to co-operate in the movement,
why there were no entrenchments thrown up on the hill, why the order, “Charge
bayonets,” so eagerly looked for by the British soldiers on the hill-top, was never
given, General Colley did not live to tell—no one else knew. The Africanders
scaled the hill, shooting as they went up every man that showed on the sky line—
themselves protected by the steep declivities above them, and carried the hill-
top, routing and almost annihilating the British force. General Colley and ninety-
two of his men were killed, and fifty-nine were made prisoners.
In the meanwhile additional British troops were hurrying to the scene of conflict,
under command of Sir Evelyn Wood. What the outcome would have been of
further hostilities between the Africanders and the greatly increased British force
no one can tell. The sudden and surprising action of the British government, that
put an end to the war, was not based upon any estimate of the probable issue of
continued conflict, but altogether upon the moral aspects of the situation as seen
by Mr. Gladstone and his associates in the British cabinet. Before Sir Evelyn
Wood could strike a single blow toward wiping [175]out the disgrace of Majuba
Hill, the home government, on the 5th of March, 1881, ordered an armistice, and
on the 23d agreed to terms of peace by which the Transvaal was restored to its
former political independence in all regards, save that it was to be under the
suzerainty of the British crown.
In August, 1881, a more formal convention was held at Pretoria, when it was
agreed that the Transvaal government should be independent in the
management of its internal affairs; that the Republic should respect the
independence of the Swazies, a tribe of natives on the eastern border of the
Transvaal; that British troops should be allowed to pass through the territory of
the Republic in time of war; and that the British sovereign should be
acknowledged as suzerain of the Republic and have a veto power over all
treaties between the government of the Transvaal and foreign nations.
Several of the stipulations in this convention were very distasteful to Paul Kruger
and other leading spirits in the Transvaal, and also to the volksraad. Negotiations
for desired changes were continued until 1884, when, on the 27th of February, a
revision called the London Convention [176]was made and signed, formulating the
obligations of the Republic as follows:
RAAD ZAAL (GOVERNMENT BUILDING), PRETORIA.
The Sovereign of Great Britain was to have, for the space of six months after
their date, a veto power over all treaties between the Republic and any native
tribes to the eastward and westward of its territory, and between it and any
foreign state or nation except the Orange Free State.
And the Republic was to accord to Great Britain the treatment of a most favored
nation, and to deal kindly with strangers entering its territory.
Nothing whatever was said in this latest convention of the suzerainty of the
British Sovereign mentioned in that of 1881, and, as this instrument, negotiated
in London with Lord Derby, the Colonial Secretary, was understood to take the
place of all former conventions, the Africanders of the Transvaal have contended
very reasonably that the omission is sufficient evidence of the renunciation of
suzerainty by the British government. Furthermore, by the London Convention of
1884, the British crown for the first time conceded to the Transvaal the title of
“The [177]South African Republic,” by which name it has ever since been
designated in all diplomatic transactions and correspondence between it and
other states. [178]
[Contents]
CHAPTER XII.
THE AFRICANDER REPUBLICS AND BRITISH
POLICY.
The only reply of the Liberal government [179]was to the effect that
the annexation, and the refusal to reverse it, had been due to
misapprehension of the facts; that the officers of the crown in South
Africa, partly through ignorance and partly through prejudice, had
reported that there was no such passionate desire for independence
among the Africanders as was pretended by their leaders, and as
was proved to exist by the uprising; that as soon as the facts were
known it became the duty of a liberty-loving people like the English
to honor their own principles by the immediate retrocession of the
Transvaal without waiting to first avenge defeats and vindicate the
military superiority of Great Britain; and that a great country better
illustrated her greatness by doing justice and showing mercy, even at
great cost to herself, than by taking a bloody revenge for reverses
suffered on the fields of war in trying to enforce a policy now seen to
be morally wrong.
The South African Republic emerged from its brief and successful
struggle for independence impoverished and in a state of political
chaos, but rejoicing, nevertheless, in a sense of national freedom,
and more than ever confident that it enjoyed the special favor of
Heaven. The old constitution, or Grondwet, was revived, the
volksraad was convoked, and an election was held, resulting in the
choice of Mr. Paul Kruger to be president. Mr. Kruger immediately
[182]planned for bold and far-reaching movements on three sides of
the republic’s territory.