Xen 4.12 Improves Open-Source Hypervisor Virtualization Security

The Xen Project is continuing to enhance performance and boost security in its latest open-source hypervisor release.

Xen Project

The open-source Xen Project announced the 4.12 release of its namesake hypervisor virtualization technology on April 2, providing organizations and cloud operators with improved performance and security features.

The new release integrates an improved virtual machine introspection capability that can be used to detect potential zero-day vulnerabilities. The Argo hypervisor-mediated data exchange is another new capability that provides inter-domain communications across a virtualized workload domain. Xen 4.12 also provides a slimmed-down architecture that presents a smaller attack surface, which also helps to improve security.

"On x86, depending on configuration, the upper bound for reduction of lines of code is between 5 percent and 22 percent," Lars Kurth, chairperson of the Xen Project Advisory Board, told eWEEK. "On Arm, the reduction is 30 percent, getting us to just under 50 KSLOC [thousand lines of code]." 

Xen is a core element of many critical parts of the modern internet, including serving as one of the primary virtualization technologies that enable the Amazon Web Service EC2 public cloud service. The 4.12 update is the first new release for the project since July 2018, when the Xen 4.11 release became generally available.

Zero-Day Security

The zero-day vulnerability detection capability is found within the Xen Virtual Machine Introspection (VMI) component. Kurth explained that the VMI improvements are for helping to detect security exploits in general. Most traditional security technologies identify attacks by searching for known tell-tales (aka its "signature") in memory, binaries, etc., he said. The implication is that you can only detect an already known exploit.

"However, all security attacks use the same set of tools such as buffer overflows, code injection, heap spray, at a layer below the most privileged layer, within the guest operating systems," Kurth said. "VMI facilitates live introspection of virtual machine memory at the hypervisor, allowing for live introspection of VM memory from outside the VM. In other words, attack techniques that an exploit may use, such as buffer overflows, code injection and others, can be detected by a VMI-based solution without knowing the signature."


The Argo hypervisor-mediated data exchange is a big new addition in Xen 4.14, providing an alternative intercommunication layer between virtual machines (VM) to an existing capability within Xen known as XenBus. 

The key difference between XenBus and Argo has to do with security. Kurth said that XenBus uses shared system resources (such as memory and XenStore) for inter-domain communication. Shared memory architectures cannot be formally proven to follow the NEAT properties (Non-bypassable, Evaluatable, Always-invoked, Tamper-proof). In contrast, he said Argo can be formally proven to follow the Non-bypassable and Always-invoked properties and together with other existing Xen functionality can be proven to follow all NEAT properties. 

"This makes it possible to certify Xen-based systems to MILS [Multiple Independent Levels of Security] without replacing Xen's intercommunication layer," Kurth said. "It will also make it significantly easier and cheaper to certify Xen-based products to higher levels of Evaluation Assurance Level [EAL] or standards needed for Safety-Critical System Software."

Xen 4.13 and Beyond

In addition to the security improvements, Xen 4.12 integrates the new Credit2 scheduler, which specifically improves performance of latency-sensitive workloads including sound and video streaming, as well as scalability and predictability. Overall, Kurth said that Xen 4.12 shows a mixture of innovations for cloud and security as well as the emerging embedded and safety-critical market segments.

Looking forward, Kurth said that the way it looks now, Xen 4.13 will have a strong embedded and safety theme. 

"This is already prompting us to look at how the project develops code as enabling safety certifications comes with a slightly different set of needs than traditional open-source development," he said.

Kurth added that just last week the Xen Project hosted an invite-only automotive summit that brought together the core community, safety certification experts and vendors working on Xen-based products to find ways to reduce the cost and effort needed to build safety-certified products on Xen. At the meeting, mechanisms to drive changes in how the community works were put into place.

"With these market segments growing, we are likely to find ourselves in a situation where Xen is used widely in many different market segments, making the Xen Project the most flexible and widely used open-source hypervisor," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.