Re-engineering Xen internals for higher-assurance security

The Xenon project is investigating the construction of a higher-assurance open source separation kernel based on the Xen open source hypervisor. Just as the Xen open source hypervisor was initially developed from the open source Linux operating system, by simplifying Linux and modifying its design, the Xenon separation kernel is being developed from Xen. The primary goal of the Xenon project is to investigate issues in creating an open source software product with higher security assurance than conventional open source software. The Xenon project is also focused on (1) problems relating to separation kernels that support unmodified uninterpreted commercial off the shelf (COTS) guests and (2) distinctions between these kinds of separation kernels and hypervisors. This paper explains the Xenon project's approach to re-engineering Xen's internal structure into a higher-assurance form. If conventional open source software cannot be brought into this form with moderate amounts of re-engineering then higher-assurance open source software is probably not practical. Our results indicate that moderate amounts of re-engineering will be sufficient for all but a small part of the code. The remaining code is small enough to be addressed in a reasonable time, even though more effort is required.