A team of researchers has devised a way to create an isolated and trusted environment on virtualized servers. Called the "Strongly Isolated Computing Environment" (SICE), the approach makes it possible to run sensitive computing processes alongside less secure workloads on the same physical hardware.

SICE, developed by Ahmed M. Azab and Peng Ning of North Carolina State University and Xiaolan Zhang of IBM's T. J. Watson Research Center, is currently a research prototype. Peng and his fellow researchers will present a paper on SICE at the ACM Conference on Computer and Communications Security in Chicago on October 19. But if further developed, it potentially addresses one of the major security concerns with using virtualized environments: that attackers could take advantage of exploits in a hypervisor environment to access the memory and storage of the virtual machines running within it.

While it uses a hypervisor to communicate with the network and other workloads, SICE uses low-level functionality in x86 processors to carve off processing power and memory from the host computer, creating an environment partitioned off from less secure processes. SICE uses x86 processors' System Management Mode (SMM) to lock down regions of the computer's memory, "so even the hypervisor can't look inside," Dr. Peng said in an interview with Ars Technica. "Even though it's only one computer, it can be separated into two or more isolated environments," he said. SICE uses an extremely small amount of code to create the system isolation—approximately 300 lines—which makes the system much easier to secure, and "only these 300 lines of code need to be trusted to ensure the isolation," according to Peng.

Peng said that additional work is required before SICE can be deployed widely—including more evaluation of exactly how secure SMM can be made. "The SM mode is traditionally used for system management functions, not for security," he explained. "So if we want to use SICE in production, we have to reexamine SMM."

First introduced on the 386SL notebook processor, SMM was intended to handle system management events that run independently of the operating system, such as putting computers into sleep mode. It's also been used in the past as an attack vector on system security, including as a vehicle to stealthily install rootkits on systems. SICE operates in a similar way, but for security's sake. On a multicore or multiprocessor machine, it takes command of one core and a block of memory in a dedicated mode. Other workloads can run normally in the remaining processor cores and memory.

The prototype for SICE was built using the SMM for AMD processors. Peng says that it would require modification to run on Intel processors, because of a difference in implementation of memory locking in SMM. The prototype SICE deployment runs a Unix virtual machine within it, in parallel with a "legacy host" running Ubuntu Linux and the KVM hypervisor. The SICE VM connects to the KVM environment through driver software so that it can communicate with other workloads and the machine's virtual network, but can't be moved or managed using the hypervisor.

According to Peng, there's not a huge performance hit on SICE-based VMs: on a multicore system, it only exacted about a three percent overhead on processor utilization. That's more than acceptable in exchange for better virtualization and cloud security, he believes.