VM:Joan project

From Trusted Cloud Group
Jump to: navigation, search

Mingyuan Xia; Miao Yu; Qian Lin; Zhengwei Qi; Xue Liu; Haibing Guan;


Current State


The security of applications is challenged by its own vulnerabilities, the threats from underlying OS and from peers that it interacts with. The complicated security dependence and large TCB suggest that applications will not obtain the level of trust they required.


Joan is a virtualization-based privacy preserving system, which offers two kind of privacy-aware memory primitives. Different from previous work, our system exploits memory virtualization to provide user friendly special memory to protect only sensitive code. Exchange memory is designed to present different view of its content to sensitive code and untrusted code. The cryptographic isolation allows secure sensitive data exchange without depending on specific data structure. Sealed memory stores sensitive code and is protected from unauthorized modification from untrusted code. Privileged \Joan{} module in the VMM cooperates with libjoan residing the target application to identify code context transparently and provide correct view of two memories.




  • We have adopted 4 case study:
TightVNC client and server, protect its password authentication
BIND server, protect the income DNS request UDP
OpenTracker, protect the peer list that tracker keeps at runtime against potential privacy leakage
FTP client, protect the data stream on transmission
  • More maybe:
'Email client and server
NFS server

Tech Reports Archived

Build and install Joan-aware Xen hypervisor

You can take the following steps to install the Joan-enabled Xen hypervisor to launch Joan system.
Stage 1, configure hypervisor

  • Install unmodified Xen (either by binary or source code, refer to xen_install centOS_install)
  • Download the Xen 3.4.2 code (hypervisor is enough), since Joan is implemented on this version
  • Patch the source code
  • Input `make clean && make xen && cp xen/xen.gz /boot/xen.gz` to build and install, we need the Joan-enabled hypervisor alone
  • (Advanced) you can refer to include/joan/config.h to enable or disable certain functionality of Joan (eg. Debugging, profiling, etc)
  • Reboot Dom0

Stage 2, configure DomU

  • Setup DomU, currently we support unmodified WinXP SP2, SP3
  • Configure the script to enable hardware-assisted paging (add `hap=1`)
  • Create the disk image launch the VM and install WinXP
  • Disable the PAE in the WinXP; Currently, Joan does not support this extended memory model to simplify our design
  • Reboot DomU

Stage 3, configure the application

  • Copy the source code for Joan-aware application
  • Compile the source code with legacy build system
  • Use joan_packer to process the raw binary executable
  • Go ahead, launch and test Joan!
Personal tools
Upload file