Parallel and Distributed Systems Group

Computer Science Department of Telecom SudParis

Fork-nox: a new virtualization technique to enforce system security

Team work: Jean-François Dumollard presented "Fork-nox: a new virtualization technique to enforce system security" in room 1D19 on 15/9/2023 at 10h30.

Abstract

Enforcing system security in computing infrastructures is essential. To do so, we revive well-known virtualization mechanisms to provide an extra security layer in any Linux-based environment. This layer can be seen as a highly privileged enclave whose role is to perform real-time intrusion detection with open mitigation. This work focuses on the integration of a hot-deployable security module into Linux. While this module can be described as hypervisor-inspired, by nature it also addresses the semantic gap encountered between the enclave and Linux. These powerful capabilities ensure that the enclave is perfectly isolated while retaining complete knowledge of the system's components. To keep this work coherent with future hardware, the implementation is based on RISC-V and its very recent virtualization extension. We also take advantage of the advanced interrupt architecture and extensions to minimize the virtualization overheads.