Derek Murray
Derek Murray (working in conjunction with Grzegorz Milos and Steven Hand
University of Cambridge Computer Laboratory
Improving Xen security through domain-zero disaggregation
******
Abstract
Although the Xen VMM is a relatively small piece of software, the
management of a Xen-based system requires a privileged, full-blown
operating system (domain-zero, or Dom0) to be included in the trusted
computing base (TCB).

In this talk, we will introduce our work to disaggregate Dom0. We will
briefly address the status quo and explain why it results in a large
TCB. We will then describe our implementation, which moves the domain
builder, the most important privileged component, into a minimal trusted
compartment.

In the second part of the talk, we will introduce the user-space granted
page driver (gntdev), which enables user-space applications to map pages
that have been shared explicitly by other domains. We will describe our
modifications to the existing tools to use gntdev, which move towards a
deprivileged dom0 user-space. Overall, we seek to inform other members
of the Xen development community about this new facility, and encourage
them to transition their code to using gntdev.