Hosted or Type-II hypervisors (e.g., KVM) are being widely deployed. One key reason is that they can effectively take advantage of various mature features and broad user bases of commodity operating systems. However, they are not immune to exploitable software vulnerabilities. In particular, due to its close integration with the host and its unique presence underneath guest virtual machines, a hosted hypervisor – if compromised – can immediately jeopardize the host system and completely take over all guests on the same physical machine. In this paper, we present HyperLock, a systematic approach to strictly isolate privileged, but potentially vulnerable, hosted hypervisors so that they cannot compromise the host OSs. Specifically, we provide a secure hypervisor isolation runtime with its own separated address space and a restricted instruction set for safe execution. Moreover, we also propose a technique, i.e., hypervisor shadowing, to efficiently create a separate shadow hypervisor and pair it with each guest (without additional resource overhead) so that a compromised hypervisor can affect only the paired guest, not others. We have built a proof-of-concept HyperLock prototype for the popular KVM hypervisor on Linux. Our results show that HyperLock is 88% smaller than KVM’s code base. Furthermore, our system completely removes QEMU, KVM’s companion user program (with > 531K SLOC), from the trusted computing base (TCB). The security experiments and performance measurements also demonstrate the practicality and effectiveness of our approach.