Confining Windows Inter-Process Communications for OS-Level Virtual Machine
Zhiyong Shan, Yang Yu, Tzi-cker Chiueh

TL;DR
This paper introduces a novel mechanism for confining Windows Inter-Process Communications in OS-level virtual machines, enabling secure and efficient virtualization of critical services like RPCSS and IIS with minimal performance impact.
Contribution
It proposes three general principles and a new confinement mechanism for Windows IPC, successfully virtualizing key services on Feather-weight Virtual Machine with low overhead.
Findings
Successfully virtualized RPC System Service (RPCSS) and IIS on FVM
Multiple IIS instances run concurrently with low performance overhead
Provides a foundation for dependable Windows-based virtualization
Abstract
As OS-level virtualization technology usually imposes little overhead on virtual machine start-up and running, it is an excellent choice for building intrusion/fault-tolerant applications that require redundancy and frequent invocation. When developing a Windows OS-level virtual machine, however, one inevitably faces the challenge of confining Windows Inter-Process Communications (IPC). Because IPC on the Windows platform is more complex than on UNIX-style operating systems, and most programs on Windows are not open-source, it is difficult to discover all of the IPCs a program performs and confine them. In this paper, we propose three general principles for confining IPC on Windows and a novel IPC confinement mechanism based on those principles. With this mechanism, for the first time in the literature, we successfully virtualized the RPC System Service (RPCSS) and Internet Information Server (IIS) on…
Taxonomy
Topics: Security and Verification in Computing · Cloud Computing and Resource Management · Software-Defined Networks and 5G
