Secure IVSHMEM: End-to-End Shared-Memory Protocol with Hypervisor-CA Handshake and In-Kernel Access Control

• URL: http://arxiv.org/abs/2505.19004v2
• Date: Fri, 26 Sep 2025 13:20:41 GMT
• Title: Secure IVSHMEM: End-to-End Shared-Memory Protocol with Hypervisor-CA Handshake and In-Kernel Access Control
• Authors: Hyunwoo Kim, Jaeseong Lee, Sunpyo Hong, Changmin Han,
• Abstract summary: This paper presents Secure IVSHMEM, a protocol that provides end-to-end mutual authentication and fine-grained access enforcement with negligible performance cost.<n>In microbenchmarks, Secure IVSHMEM completes its one-time handshake in under 200ms and sustains data-plane round-trip latencies within 5% of the unmodified baseline.<n>We believe this design is ideally suited for safety and latency-critical in-host domains, such as automotive systems, where both performance and security are paramount.
• Score: 6.340823095250312
• License: http://creativecommons.org/publicdomain/zero/1.0/
• Abstract: In-host shared memory (IVSHMEM) enables high-throughput, zero-copy communication between virtual machines, but today's implementations lack any security control, allowing any application to eavesdrop or tamper with the IVSHMEM region. This paper presents Secure IVSHMEM, a protocol that provides end-to-end mutual authentication and fine-grained access enforcement with negligible performance cost. We combine three techniques to ensure security: (1) channel separation and kernel module access control, (2)hypervisor-mediated handshake for end-to-end service authentication, and (3)application-level integration for abstraction and performance mitigation. In microbenchmarks, Secure IVSHMEM completes its one-time handshake in under 200ms and sustains data-plane round-trip latencies within 5\% of the unmodified baseline, with negligible bandwidth overhead. We believe this design is ideally suited for safety and latency-critical in-host domains, such as automotive systems, where both performance and security are paramount.

Related papers

• PiTPM: Partially Interactive Signatures for Multi-Device TPM Operations [0.4125187280299247]
  This paper presents PiTPM, an Aggregator Framework built upon Schnorr's digital signature.<n>Our protocol eliminates the interactive requirement using a hybrid trust architecture.<n>Results show a possible paradigm shift in TPM-based cryptographic system design.
  arXiv  Detail & Related papers  (2026-02-10T12:09:05Z)
• Securing Cross-Domain Internet of Drones: An RFF-PUF Allied Authenticated Key Exchange Protocol With Over-the-Air Enrollment [22.842391212425184]
  Internet of Drones (IoD) is an emerging and crucial paradigm enabling advanced applications that require seamless, secure communication.<n>Access control and the transmission of sensitive data pose significant security challenges for IoD systems.<n>We propose a lightweight mutual authentication mechanism that integrates Radio Frequency Fingerprint (RFF) and Physical Unclonable Function (PUF) technologies for secure drone-to-drone (D2D) and drone-to-ground station server (D2G) communication.
  arXiv  Detail & Related papers  (2025-12-26T02:04:24Z)
• From See to Shield: ML-Assisted Fine-Grained Access Control for Visual Data [40.12543056558646]
  This work presents a system architecture for trusted data sharing with policy-driven access control.<n>The proposed architecture integrates automated detection of sensitive regions, post-correction, key management, and access control.<n>We show that our system provides effective PSO detection, increases macro-averaged F1 score (5%) and mean Average Precision (10%), and maintains an average policy-enforced decryption time of less than 1 second per image.
  arXiv  Detail & Related papers  (2025-10-22T09:41:31Z)
• TPM-Based Continuous Remote Attestation and Integrity Verification for 5G VNFs on Kubernetes [0.8427427828815586]
  We present a TPM 2.0-based continuous remote attestation solution for core 5G components deployed on runtime.<n>We integrate the open-source Keylime framework with a custom IMA template that isolates pod-level measurements, allowing per-pod integrity verification.<n>The experimental results show that the system detects unauthorized modifications in real time, labels each pod's trust state, and generates detailed audit logs.
  arXiv  Detail & Related papers  (2025-10-03T17:54:15Z)
• Towards Reliable Service Provisioning for Dynamic UAV Clusters in Low-Altitude Economy Networks [48.73244147035607]
  Unmanned Aerial Vehicle (UAV) cluster services are crucial for promoting the low-altitude economy by enabling scalable, flexible, and adaptive aerial networks.<n>We propose a Lightweight and Privacy-Preserving Cluster Authentication and Session Key Update (LP2-CA) scheme for dynamic UAV clusters in low-altitude economy networks.
  arXiv  Detail & Related papers  (2025-09-07T15:54:11Z)
• Collusion-Resilient Hierarchical Secure Aggregation with Heterogeneous Security Constraints [42.80769898523078]
  Motivated by federated learning (FL), secure aggregation aims to securely compute, as efficiently as possible, the sum of a set of inputs distributed across many users.<n>We study weakly-secure HSA (WS-HSA) with collusion resilience.<n>We characterize the optimal total key rate, i.e., the total number of independent key symbols required to ensure both server and relay security.
  arXiv  Detail & Related papers  (2025-07-19T23:09:57Z)
• DTHA: A Digital Twin-Assisted Handover Authentication Scheme for 5G and Beyond [28.91525941008347]
  We propose a secure and efficient handover authentication scheme by utilizing digital twin.<n>Digital twin can handle computations and assist the corresponding MD in performing secure mutual authentication and key negotiation.<n>Performance evaluation shows that the proposed scheme outperforms most related schemes in terms of signaling, computation, and communication overheads.
  arXiv  Detail & Related papers  (2025-06-13T10:59:14Z)
• Zero-Trust Mobility-Aware Authentication Framework for Secure Vehicular Fog Computing Networks [0.0]
  This paper presents a novel Zero-Trust Mobility-Aware Authentication Framework (ZTMAF) for secure communication in VFC networks.<n>The framework employs context-aware authentication with lightweight cryptographic primitives, a decentralized trust evaluation system, and fog node-assisted session validation to combat spoofing, replay, and impersonation attacks.
  arXiv  Detail & Related papers  (2025-05-21T17:03:39Z)
• SAFE-SiP: Secure Authentication Framework for System-in-Package Using Multi-party Computation [0.0]
  Chiplet-based heterogeneous integration is transforming the semiconductor, AI, and high-performance computing industries.<n>Current solutions often depend on dedicated security chiplets or changes to the timing flow, which assume a trusted SiP integrator.<n>We present SAFE-SiP, a scalable authentication framework that garbles chiplet signatures and uses MPC for verifying integrity.
  arXiv  Detail & Related papers  (2025-05-13T22:36:17Z)
• Fundamental Limits of Hierarchical Secure Aggregation with Cyclic User Association [93.46811590752814]
  Hierarchical secure aggregation is motivated by federated learning.<n>In this paper, we consider HSA with a cyclic association pattern where each user is connected to $B$ consecutive relays.<n>We propose an efficient aggregation scheme which includes a message design for the inputs inspired by gradient coding.
  arXiv  Detail & Related papers  (2025-03-06T15:53:37Z)
• ACRIC: Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
  Recent security incidents in safety-critical industries exposed how the lack of proper message authentication enables attackers to inject malicious commands or alter system behavior.<n>These shortcomings have prompted new regulations that emphasize the pressing need to strengthen cybersecurity.<n>We introduce ACRIC, a message authentication solution to secure legacy industrial communications.
  arXiv  Detail & Related papers  (2024-11-21T18:26:05Z)
• BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS [16.239598954752594]
  Kernel compartmentalization is a promising approach that follows the least-privilege principle. We present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules.
  arXiv  Detail & Related papers  (2024-09-15T04:11:26Z)
• A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
  The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure. This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus. We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
  arXiv  Detail & Related papers  (2024-01-19T14:52:04Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication [5.854487755768922]
  Middlebox-aware DTLS (Madtls) is a middlebox-aware end-to-end security protocol tailored to the needs of industrial networks. Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.
  arXiv  Detail & Related papers  (2023-12-15T09:52:04Z)
• Establishing Dynamic Secure Sessions for ECQV Implicit Certificates in Embedded Systems [0.0]
  We present a design that utilizes the Station to Station (STS) protocol with implicit certificates. We show that with a slight computational increase of 20% compared to a static ECDSA key derivation, we are able to mitigate many session-related security vulnerabilities.
  arXiv  Detail & Related papers  (2023-11-19T22:40:21Z)
• SOCI^+: An Enhanced Toolkit for Secure OutsourcedComputation on Integers [50.608828039206365]
  We propose SOCI+ which significantly improves the performance of SOCI. SOCI+ employs a novel (2, 2)-threshold Paillier cryptosystem with fast encryption and decryption as its cryptographic primitive. Compared with SOCI, our experimental evaluation shows that SOCI+ is up to 5.4 times more efficient in computation and 40% less in communication overhead.
  arXiv  Detail & Related papers  (2023-09-27T05:19:32Z)
• Secure Byzantine-Robust Machine Learning [61.03711813598128]
  We propose a secure two-server protocol that offers both input privacy and Byzantine-robustness. In addition, this protocol is communication-efficient, fault-tolerant and enjoys local differential privacy.
  arXiv  Detail & Related papers  (2020-06-08T16:55:15Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.