Greens - Rethinking Device Models for Reduced Attack Surface : a Prototype Implementation on seL4 with VirtIO and vhost
Ahvenjärvi, Markku (2025)
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-2025110527135
Abstract
Hypervisors must support a wide range of virtual devices while ensuring strong isolation and minimal overhead. Because writing and maintaining device drivers for every hardware class is impractical, many hypervisors instead run device models inside a privileged Linux VM and leverage its extensive driver support. In practice, those device models are usually provided by an existing VMM such as QEMU. Such large code bases enlarge the trusted computing base, expand the attack surface, and increase resource consumption, which is particularly problematic for security-sensitive and resource-constrained platforms.
To address these challenges, this thesis introduces an architecture for virtual devices that reduces the attack surface, lowers the resource footprint, and improves isolation. The approach is demonstrated with a Rust-based VirtIO-net PCI prototype that uses the vhost mechanism and targets the seL4 microkernel. The evaluation focused on validating performance parity with a QEMU/vhost_net baseline and on an indicative comparison of code-base size to illustrate the design's potential for attack-surface reduction.
The evaluation showed that the prototype performed on par with the QEMU baseline while substantially reducing the amount of loaded code for the tested configuration, demonstrating the feasibility of the proposed architecture.
The contributions of this work include (i) the design and implementation of a secure, lightweight virtual device system for hypervisors, and (ii) the development of hypervisor-agnostic PCI and VirtIO PCI transport emulation libraries in Rust for building VirtIO PCI devices. These results provide a path towards more secure hypervisor architectures and a foundation for extending device support to a broader range of hardware.
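The kind of hypervisor-agnostic VirtIO PCI transport emulation that contribution (ii) refers to, shown as an added example that is not the thesis's code: a Rust model of the VirtIO 1.x PCI common configuration structure whose only interface is a read/write pair that the hosting VMM calls for guest MMIO accesses, so nothing in it depends on seL4 or any other hypervisor. The field offsets, status bits and the VIRTIO_F_VERSION_1 bit are those of the VirtIO 1.x specification; the type and function names, the error type, and the policy of latching the queue layout once DRIVER_OK is set are assumptions made for this example, not the thesis's design.

```rust
// Added example, not the thesis's code: a hypervisor-agnostic emulation of the VirtIO 1.x PCI
// "common configuration" structure. A VMM on any hypervisor forwards guest MMIO accesses to this
// structure into `read`/`write`; offsets follow struct virtio_pci_common_cfg in the VirtIO spec.
pub const DEVICE_FEATURE_SELECT: u64 = 0x00; // u32
pub const DEVICE_FEATURE: u64 = 0x04;        // u32, read-only
pub const DRIVER_FEATURE_SELECT: u64 = 0x08; // u32
pub const DRIVER_FEATURE: u64 = 0x0c;        // u32
pub const NUM_QUEUES: u64 = 0x12;            // u16, read-only
pub const DEVICE_STATUS: u64 = 0x14;         // u8
pub const QUEUE_SELECT: u64 = 0x16;          // u16
pub const QUEUE_SIZE: u64 = 0x18;            // u16
pub const QUEUE_DESC: u64 = 0x20;            // u64
pub const QUEUE_DRIVER: u64 = 0x28;          // u64
pub const QUEUE_DEVICE: u64 = 0x30;          // u64
// Device status bits, and the feature bit every VirtIO 1.x (modern PCI) device requires.
pub const STATUS_ACKNOWLEDGE: u8 = 1;  pub const STATUS_DRIVER: u8 = 2;
pub const STATUS_DRIVER_OK: u8 = 4;    pub const STATUS_FEATURES_OK: u8 = 8;
pub const VIRTIO_F_VERSION_1: u64 = 1 << 32;

#[derive(Debug, PartialEq)]
pub enum CfgError {
    BadAccess { offset: u64, width: usize }, // no field has this offset/width pair
    ReadOnly(u64),                           // write to a read-only field
    BadQueueSize(u16),                       // zero, not a power of two, or above the device maximum
}
#[derive(Clone, Copy, Debug, Default, PartialEq)]
pub struct QueueConfig { pub size: u16, pub desc: u64, pub driver: u64, pub device: u64 }
pub struct CommonCfg {
    device_features: u64, driver_features: u64, device_feature_select: u32, driver_feature_select: u32,
    status: u8, queue_select: u16, max_queue_size: u16, queues: Vec<QueueConfig>,
}

impl CommonCfg {
    pub fn new(device_features: u64, num_queues: u16, max_queue_size: u16) -> Self {
        let queues = vec![QueueConfig { size: max_queue_size, ..Default::default() }; num_queues as usize];
        CommonCfg { device_features: device_features | VIRTIO_F_VERSION_1, driver_features: 0, status: 0,
                    device_feature_select: 0, driver_feature_select: 0, queue_select: 0, max_queue_size, queues }
    }
    pub fn status(&self) -> u8 { self.status }
    pub fn driver_features(&self) -> u64 { self.driver_features }
    fn sel(&self) -> Option<&QueueConfig> { self.queues.get(self.queue_select as usize) }
    // An out-of-range queue_select makes the write a no-op instead of an out-of-bounds access.
    fn set_sel(&mut self, f: impl FnOnce(&mut QueueConfig)) {
        let i = self.queue_select as usize;
        if let Some(q) = self.queues.get_mut(i) { f(q) }
    }
    fn word(bits: u64, select: u32) -> u64 { match select { 0 => bits as u32 as u64, 1 => bits >> 32, _ => 0 } }

    /// Guest read of `width` bytes at `offset`; an offset/width pair that names no field is rejected.
    pub fn read(&self, offset: u64, width: usize) -> Result<u64, CfgError> {
        Ok(match (offset, width) {
            (DEVICE_FEATURE_SELECT, 4) => self.device_feature_select as u64,
            (DEVICE_FEATURE, 4) => Self::word(self.device_features, self.device_feature_select),
            (DRIVER_FEATURE_SELECT, 4) => self.driver_feature_select as u64,
            (DRIVER_FEATURE, 4) => Self::word(self.driver_features, self.driver_feature_select),
            (NUM_QUEUES, 2) => self.queues.len() as u64,
            (DEVICE_STATUS, 1) => self.status as u64,
            (QUEUE_SELECT, 2) => self.queue_select as u64,
            (QUEUE_SIZE, 2) => self.sel().map_or(0, |q| q.size as u64), // unavailable queue reads as 0
            (QUEUE_DESC | QUEUE_DRIVER | QUEUE_DEVICE, 8) => self.sel().map_or(0, |q| match offset {
                QUEUE_DESC => q.desc, QUEUE_DRIVER => q.driver, _ => q.device }),
            _ => return Err(CfgError::BadAccess { offset, width }),
        })
    }

    /// Guest write; a rejected write changes nothing. Once DRIVER_OK is set, features and queue
    /// layout are latched, so late writes to them are ignored rather than applied.
    pub fn write(&mut self, offset: u64, width: usize, value: u64) -> Result<(), CfgError> {
        let live = self.status & STATUS_DRIVER_OK != 0;
        match (offset, width) {
            (DEVICE_FEATURE_SELECT, 4) => self.device_feature_select = value as u32,
            (DRIVER_FEATURE_SELECT, 4) => self.driver_feature_select = value as u32,
            (DRIVER_FEATURE, 4) => if !live {
                let shift = match self.driver_feature_select { 0 => 0, 1 => 32, _ => return Ok(()) };
                let mask = 0xffff_ffffu64 << shift;
                self.driver_features = (self.driver_features & !mask) | ((value as u32 as u64) << shift);
            },
            (DEVICE_STATUS, 1) => self.write_status(value as u8),
            (QUEUE_SELECT, 2) => self.queue_select = value as u16,
            (QUEUE_SIZE, 2) => if !live {
                let size = value as u16; // must be a non-zero power of two within the device maximum
                if size == 0 || !size.is_power_of_two() || size > self.max_queue_size {
                    return Err(CfgError::BadQueueSize(size));
                }
                self.set_sel(|q| q.size = size);
            },
            (QUEUE_DESC | QUEUE_DRIVER | QUEUE_DEVICE, 8) => if !live {
                self.set_sel(|q| match offset { QUEUE_DESC => q.desc = value, QUEUE_DRIVER => q.driver = value, _ => q.device = value });
            },
            (DEVICE_FEATURE, 4) | (NUM_QUEUES, 2) => return Err(CfgError::ReadOnly(offset)),
            _ => return Err(CfgError::BadAccess { offset, width }),
        }
        Ok(())
    }

    fn write_status(&mut self, new: u8) {
        // Status 0 is a device reset: every negotiated value returns to its initial state.
        if new == 0 { *self = Self::new(self.device_features, self.queues.len() as u16, self.max_queue_size); return; }
        let mut accepted = new;
        if new & STATUS_FEATURES_OK != 0 && self.status & STATUS_FEATURES_OK == 0 {
            // Negotiation: only offered bits may be accepted and VERSION_1 is mandatory; on refusal
            // FEATURES_OK stays clear, which the driver detects by re-reading the status.
            let unsupported = self.driver_features & !self.device_features != 0;
            if unsupported || self.driver_features & VIRTIO_F_VERSION_1 == 0 { accepted &= !STATUS_FEATURES_OK; }
        }
        self.status = accepted;
    }
}
```

The attack-surface point of keeping this layer small and explicit: every guest access is matched against a fixed offset/width table, an out-of-range queue_select can never index past the queue vector, a queue size the driver chooses is validated before it is stored, and a driver that claims feature bits the device never offered is refused at FEATURES_OK instead of being trusted later in the data path. The hosting VMM, whether on seL4 or elsewhere, only has to map a BAR region onto `read` and `write`.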
