XMHF is an eXtensible and Modular Hypervisor Framework that strives to be a comprehensible and flexible platform for performing hypervisor research and development. The framework allows others to build custom (security-sensitive) hypervisor-based solutions (called "hypapps").
XMHF is designed to achieve three goals – modular extensibility, automated verification, and high performance. XMHF includes a core that provides functionality common to many hypervisor-based security architectures and supports extensions that augment the core with additional security or functional properties while preserving the fundamental hypervisor security property of memory integrity (i.e., ensuring that the hypervisor’s memory is not modified by software running at a lower privilege level).
XMHF advocates a "rich" single-guest execution model where the hypervisor framework supports only a single-guest and allows the guest direct access to all performance-critical system devices and device interrupts.
XMHF currently runs on recent multicore x86 hardware virtualized platforms with support for dynamic root of trust and nested (2-dimensional) paging. The framework is capable of running unmodified legacy multiprocessor capable OSes such as Windows and Linux.
The XMHF project includes the hypervisor framework and supporting libraries along with several example hypapps:
XMHF: The eXtensible and Modular Hypervisor Framework supporting custom hypervisor-based solutions (called "hypapps").
XMHF includes several example hypapps including full-fledged hypapps such as TrustVisor and Lockdown:
TrustVisor: A special-purpose hypapp that provides code integrity as well as data integrity and secrecy for userspace Pieces of Application Logic (PALs).
Lockdown: A hypapp that provides the user with a red/green system: an isolated and constrained environment for performing online transactions, as well as a high-performance, general-purpose environment for all other (non-security-sensitive) applications. An external device verifies which environment is active and allows the user to securely learn which environment is active and to switch between them.
The XMHF project comprises code from multiple sources, under multiple open source licenses. See COPYING.md.html for details.
There are a substantial number of known technical issues with this codebase, many of them with implications for security. Please see the ticket tracker for full details. This absolutely remains EXPERIMENTAL software. Do not trust important data to this software.
For bug reports, feature requests, etc., please use the sourceforge tickets tool.
For other discussion and questions, please use the sourceforge discussion tool. Note that the discussion tool can also be used much like a traditional mailing list, if you prefer. You will still need a sourceforge account. You can subscribe to all messages or to individual message threads through the web interface, after which you will receive corresponding posts through email. You can also post by responding to such notification messages, and start new threads by sending mail to . Posts via email must originate from a sourceforge account's primary email address.
We are open to contributions. The easiest mechanism is probably to
fork our git repository through the web UI, make the changes on your fork, and then issue a
merge request through the sourceforge web UI.
Maintainers: Amit Vasudevan (XMHF, libbaremetal and Lockdown), Zongwei Zhou (TrustVisor and tee-sdk)
Other contributors: Jonathan McCune, James Newsome, Ning Qu, and Yanlin Li
Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework. Amit Vasudevan, Sagar Chaki, Limin Jia, Jonathan M. McCune, James Newsome, and Anupam Datta. IEEE Symposium on Security and Privacy, May 2013. pdf
Building Verifiable Trusted Path on Commodity x86 Computers. Zongwei Zhou, Virgil Gligor, James Newsome, and Jonathan M. McCune. IEEE Symposium on Security and Privacy (IEEE S&P), 2012. pdf
"It's an app. It's a hypervisor. It's a hypapp.": Design and Implementation of an eXtensible and Modular Hypervisor Framework. Amit Vasudevan, Jonathan M. McCune, and James Newsome. Technical Report CMU-CyLab-12-014, June 2012. pdf
TrustVisor: Efficient TCB Reduction and Attestation. Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil Gligor, and Adrian Perrig. IEEE Symposium on Security and Privacy, May 2010. pdf
Lockdown: Towards a Safe and Practical Architecture for Security Applications on Commodity Platforms. Amit Vasudevan and Bryan Parno and Ning Qu and Virgil D. Gligor and Adrian Perrig. Proceedings of the 5th International Conference on Trust and Trustworthy Computing (TRUST), June 2012. pdf
Lockdown: A Safe and Practical Environment for Security Applications (CMU-CyLab-09-011) Amit Vasudevan and Bryan Parno and Ning Qu and Virgil D. Gligor and Adrian Perrig. Technical Report CMU-CyLab-09-011, June 2009. pdf