Tree [2514e5] master /

File Date Author Commit
hypapps 2013-10-21 Zongwei Zhou Zongwei Zhou [8d6cbd] update newlib download website information in i...
tools 2013-10-18 Zongwei Zhou Zongwei Zhou [27a5ce] Merge branch 'core/features/v0.3-milestone' of ...
xmhf 2014-02-10 Amit Vasudevan Amit Vasudevan [990934] cleanup and successful tests on both Intel and ... 2013-10-22 Amit Vasudevan Amit Vasudevan [6185b9] de-tabify CHANGELOG and README 2013-10-21 Zongwei Zhou Zongwei Zhou [bc0c27] Merge branch 'fixes/0.2.2-cleanup' into release...
LICENSE 2012-06-29 Driver On squid Driver On squid [306467] Merge branch 'master' of git:// 2013-10-21 Amit Vasudevan Amit Vasudevan [7bc43b] decouple install-dev and install-bin on build t... 2013-10-22 Amit Vasudevan Amit Vasudevan [6185b9] de-tabify CHANGELOG and README 2013-09-20 Amit Vasudevan Amit Vasudevan [aea730] Merge branch 'core/features/staging/build-refac... 2013-10-07 Amit Vasudevan Amit Vasudevan [bfe539] Merge branch 'core/fixes/build-harness-fixes' i...

Read Me


XMHF is an eXtensible and Modular Hypervisor Framework
that strives to be a
comprehensible and flexible platform for performing
hypervisor research and development. The framework allows others to
build custom (security-sensitive) hypervisor-based solutions
(called "hypapps").

XMHF is designed to achieve three goals – modular extensibility,
automated verification, and high performance. XMHF includes a
core that provides functionality common to many hypervisor-based security
architectures and supports extensions that augment the core with
additional security or functional properties while preserving the
fundamental hypervisor security property of memory integrity
(i.e., ensuring that the hypervisor’s memory is not modified by
software running at a lower privilege level).

XMHF advocates a "rich" single-guest execution model where the
hypervisor framework supports only a single-guest and allows the
guest direct access to all performance-critical system devices and
device interrupts.

XMHF currently runs on recent multicore x86 hardware
virtualized platforms with support for dynamic root of trust
and nested (2-dimensional) paging. The framework is capable of
running unmodified legacy multiprocessor capable OSes such as
Windows and Linux.

Included modules

The XMHF project includes the hypervisor framework and supporting
libraries along with several example hypapps:

  • XMHF: The eXtensible and Modular Hypervisor Framework
    supporting custom hypervisor-based solutions (called "hypapps").

    • libbaremetal: Utility functions used across modules,
      including minimal libc functionality, error-handling, TPM functions,
      cryptographic routines, etc. As the name implies, this library is intended primarily for
      use in "bare metal" environments.

XMHF includes several example hypapps including
full-fledged hypapps such as TrustVisor and Lockdown:

  • TrustVisor: A special-purpose hypapp that provides
    code integrity as well as data integrity and secrecy for userspace
    Pieces of Application Logic (PALs).

    • tee-sdk: The Trusted Execution Environment Software
      Development Kit. This is a set of tools and APIs for developing
      PALs and applications that use them.
  • Lockdown: A hypapp that provides the user with a red/green
    system: an isolated and constrained environment for performing
    online transactions, as well as a high-performance, general-purpose
    environment for all other (non-security-sensitive) applications. An
    external device verifies which environment is active and allows the
    user to securely learn which environment is active and to switch
    between them.


The XMHF project comprises code from multiple sources, under multiple
open source licenses. See for details.

Contact and support

There are a substantial number of known technical issues with this
codebase, many of them with implications for security. Please see the
ticket tracker for full
details. This absolutely remains EXPERIMENTAL software. Do not trust
important data to this software.

For bug reports, feature requests, etc., please use the sourceforge
tickets tool.

For other discussion and questions, please use the sourceforge
discussion tool. Note
that the discussion tool can also be used much like a traditional
mailing list, if you prefer. You will still need a sourceforge
account. You can subscribe to all messages or to individual message
threads through the web interface, after which you will receive
corresponding posts through email. You can also post by responding to
such notification messages, and start new threads by sending mail to Posts via email must
originate from a sourceforge account's primary email address


We are open to contributions. The easiest mechanism is probably to
fork our git repository
through the web UI, make the changes on your fork, and then issue a
merge request through the sourceforge web UI.


Amit Vasudevan (XMHF, libbaremetal and Lockdown), Zongwei Zhou (TrustVisor and tee-sdk)

Other contributors: Jonathan McCune, James Newsome, Ning Qu, and Yanlin Li

Related Publications

  • Design, Implementation and Verification of an eXtensible and
    Modular Hypervisor Framework. Amit Vasudevan, Sagar Chaki, Limin Jia,
    Jonathan M. McCune, James Newsome, and Anupam Datta.
    IEEE Symposium on Security and Privacy,
    May 2013. pdf

  • Building Verifiable Trusted Path on Commodity x86 Computers.
    Zongwei Zhou, Virgil Gligor, James Newsome, and Jonathan M. McCune.
    IEEE Symposium on Security and Privacy (IEEE S&P), 2012.

  • "It's an app. It's a hypervisor. It's a hypapp.": Design and
    Implementation of an eXtensible and Modular Hypervisor
    Framework. Amit Vasudevan, Jonathan M. McCune, and James
    Newsome. Technical Report CMU-CyLab-12-014, June 2012.

  • TrustVisor: Efficient TCB Reduction and Attestation. Jonathan
    M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil
    Gligor, and Adrian Perrig. IEEE Symposium on Security and Privacy,
    May 2010. pdf

  • Lockdown: Towards a Safe and Practical Architecture for Security
    Applications on Commodity Platforms. Amit Vasudevan and Bryan Parno
    and Ning Qu and Virgil D. Gligor and Adrian Perrig. Proceedings of
    the 5th International Conference on Trust and Trustworthy Computing
    (TRUST), June 2012.

  • Lockdown: A Safe and Practical Environment for Security Applications
    (CMU-CyLab-09-011) Amit Vasudevan and Bryan Parno and Ning Qu and
    Virgil D. Gligor and Adrian Perrig. Technical Report
    CMU-CyLab-09-011, June 2009.


  • 0.1 Initial Release
  • 0.1.1
    • Added TPM performance profiling.
    • Stability improvements (ticket-28 fixed).
    • Intercept handling now serialized in the core.
    • XMHF now builds and runs on Ubuntu 12.04 (precise).
    • Replaced LGPL tlsf implementation with public domain implementation.
    • Added design-documents.
  • 0.1.2
    • xmhf-core: stability improvements (ticket-73 fixed) - we can now handle guest NMIs gracefully
    • xmhf-core: stability improvements (ticket-10 fixed) - we now support stock MTRR-enabled (linux) guest kernels on Intel platforms
    • test-bed fixes, refactoring and improvements - now supporting 3.2.0-27-generic (and below) with ubuntu
    • added documentation generator which takes in-tree markdown files and generates html output
    • fixed build target install-bin to include correct destination path
  • 0.2
    • xmhf-core: clarify documentation and add description for build configuration options and verification
    • xmhf-core: add build configuration options --with-target-platform and --with-target-arch to choose target platform and CPU arch.
    • xmhf-core: restructure core components and general cleanup
    • xmhf-core: add XMHF/hypapp verification harness for verifying core memory integrity
    • xmhf-core: fix build error with --enable-debug-vga configure option
  • 0.2.1
    • tools: add scripts to deal with release tasks
    • xmhf-core: refactor runtime build harness
    • xmhf-core: add build debug information within generated binaries
    • xmhf-core: segregate Dynamic Root-of-Trust and DMA protection logic and build configuration options
    • xmhf-core: add support for upto 8 CPU cores (ticket-74)
    • xmhf-core: add XSETBV intercept handling on Intel platforms for CPUs with XSAVE capabilities (ticket-74)
    • xmhf-core: fix MTRR logic on Intel platforms to obtain required variable range MTRRs (ticket-74)
    • xmhf-core: fix issue related to physical/virtual address overlap for runtime (ticket-31)
  • 0.2.2
    • various general documentation fixes and cleanup
    • tee-sdk: added patches for newlib and openssl libraries and removed deprecated/non-working examples
    • re-organized framework components and revised configuration/build harness and related documentation
    • fixed build errors with gcc 4.6.3
    • xmhf-core: re-factored verification harness and added support for 64-bit CBMC