1. Technical Field
The present invention relates generally to security in a computer system, and particularly to limiting vulnerability to attacks on a partitioned computer system.
2. Description of Related Art
As security issues become a greater concern, the IT industry is undergoing a rapid transformation to enhance security in all aspects. Currently a number of nations have embraced the Common Criteria Evaluation methodologies, a rigorous and expensive methodology used to evaluate the security assurance level that a IT system possesses. This methodology encompasses all aspects of IT product development, ranging from building security where development activities take place, CM systems, development activities, and up to and including secure delivery of the product to prevent tampering. Currently the US government requires this evaluation to be completed for all IT equipment used in national security, critical infrastructure and Homeland Defense systems. Additionally the financial and healthcare industries are embracing these evaluations as part of the proposed requirements for their systems to be purchased.
Current hypervisor designs have exposed external interfaces to provide general services (non-hardware specific) to the operating systems loaded such as interrupt management, Page Table Entry (PTE) management, Translation Control Entry (TCE) management as well as specialized interfaces to handle specialized hardware resources such as Federation or InfiniBand (IB) adapters.
FIG. 3 shows a known system for platform firmware, such as Hypervisor. Hypervisor is available from International Business Machines Corporation. Hypervisor 302 includes Hypervisor I/F 304 which allows access to Hypervisor calls (H_calls) for various partitions 310, 312, 314. Depending on the particular adapter hardware, some calls are hardware dependent 308 while some calls are non-hardware dependent 306. All types of partitions are presented with both types of interface.
Currently International Business Machines is introducing the first of a converged hypervisor design that supports multiple different simultaneous operating systems on a single platform. In this hypervisor design, multiple operating systems are allowed to access all hypervisor calls, H_CALLS, through hypervisor interface. In the current design there are more than 350 hypervisor calls, some dedicated to RPA partitions (of the RS/6000 platform architecture), some dedicated to OS/400 partitions and some shared.
In the current product plans it is well understood that the majority of systems will only support RPA partitions because the industry is moving away from proprietary OSs like OS/400. The majority of delivered systems will only use AIX or Linux partitions and therefore the exposed hypervisor interfaces specific to OS/400 partitions represent vulnerable attack points that have no product value in RPA only systems. Conversely the customers needing OS/400 partitions most likely will not use RPA partitions at the same time, those customers using both RPA and non-RPA partitions on the same system is only a very small percentage of the overall market.
In the current systems only a few platforms support the Federation adapter and plans for the InfiniBand adapter are for a small percentage of system, however all platforms have hypervisor calls for these adapters exposed. In the p6xx series, from the p625, p630, p640, p650, p655, p670, and p690, only the p670 and p690 provide hardware support for the Federation adapters and only a very small percentage of p670 and p690 systems are shipped with the Federation adapters. These interfaces represent unused unnecessary attack points when the adapters are not installed.
An analysis of the security of a system shows that the exposed external interfaces are the attack points for external threats, increase the number of interfaces and vulnerability increases. Additionally analysis has shown and is well documented in many publications that there is approximately one security flaw in every KLOC (thousand lines of code) of delivered code.
According to an excerpt taken from the Trusted Computing Group's Backgrounder of May 2003:
A critical problem being addressed by creation and use of these specifications is the increasing threat of software attack due to a combination of increasingly sophisticated and automated attack tools, the rapid increase in the number of vulnerabilities being discovered, and the increasing mobility of users. The large number of vulnerabilities is due, in part, to the incredible complexity of modern systems. For example, a typical Unix or Windows system, including major applications, represents on the order of 100 million lines of code. Recent studies have shown that typical product level software has roughly one security related bug per thousand of lines of source code. Thus, a typical system will potentially have one hundred thousand security bugs.
Current plans for the POWER5 LPAR platform are to undergo a complete security evaluation to meet the EAL4+ Common Criteria requirements. In review of the previous platform evaluation, two critical areas are interpartition protection and access control between partitions. The exposure of additional unused interfaces represents a significant increase in vulnerability during the use of these systems as well as an increase in the testing efforts.
Current solutions to this problem is to include code in each and every H_CALL (hypervisor call) dedicated to the specialized hardware that looks for adapter presence and/or checks to see if the adapter has been initialized. This requires code in many routines as opposed to having a single immediate exit point.
Therefore, it would be advantageous to have an improved method and apparatus for enhancing access security to hypervisor calls by partitioned systems.