Building a mac-based security architecture for the Xen open-source hypervisor
Mediating security-critical operations
Download 220.31 Kb. Pdf ko'rish
|
Building a MAC based security architecture for the Xen open source
|
Mediating security-critical operations. A security-
critical operation is one that requires MAC policy authoriza- tion. If such an operation is not authorized against the MAC policy, the system security guarantees can be circumvented. For example, if the mapping of memory among VMs is not authorized, then a VM in one coalition can leak its data to other VMs. We identify security-critical operations in terms of re- sources whose use must be controlled in order to imple- ment MAC policies. We also identify the location of the mediation points for these resources. The combination of resources to be controlled and their mediation points forms the reference monitor interface. We discuss only virtual resources, because real resources can only be used exclu- sively by one VM or shared in the form of virtual resources. The following resources must be controlled in a typical Xen VMM environment: • Sharing of virtual resources between VMs controlled by the Xen hypervisor (e.g., event channels, shared memory, and domain operations). • Sharing of local virtual resources between local VMs con- trolled by MAC domains (e.g. local vLANs and virtual disks). • Sharing of distributed virtual resources between VMs in multiple hypervisor systems controlled by MAC-bridging domains (e.g., vLANs spanning multiple hypervisor sys- tems). The hypervisor reference monitor enforces access control and isolation on virtual resources in the Xen hypervisor. While sHype enforces mandatory access control on MAC domains regarding their participation in multiple coalitions, it relies on MAC domains to isolate the different virtual resources from each other and allow access to virtual re- sources only to domains that belong to the same coalition as the virtual resource. A good example of a MAC domain is the device domain in Fig. 2, which participates in both the Order and the Advertising coalition. MAC do- mains become part of the Trusted Computing Base (TCB) 4 Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005) 1063-9527/05 $20.00 © 2005 IEEE Authorized licensed use limited to: Tashkent University of Information Technologies. Downloaded on April 06,2023 at 09:07:42 UTC from IEEE Xplore. Restrictions apply. and should therefore be of minimal size (e.g., secure micro- kernel design). Since MAC domains are generic, the cost of making them secure will amortize as they are used in many application environments. We sketch the implementation of MAC domains in Section 4.4. If coalitions are distributed over multiple systems, we need MAC-bridging domains to control their interaction. The virtual resource that enables co-operation among VMs on multiple systems is typically a vLAN. Mac-bridging do- mains build bridges between their hypervisor systems over untrusted terrain to connect vLANs on multiple systems. To do so, they first establish trust into required security proper- ties of the peer MAC Bridging domains and their underlying virtualization infrastructure (e.g., using TPM-based attesta- tion). Afterwards, they build secure tunnels between each other, and can from now on be considered as forming a sin- gle (distributed) MAC domain spanning multiple systems. Requirements on the resulting distributed MAC domain are akin the requirements described above for local MAC do- mains. MAC Bridging domains become part of the TCB, similarly to MAC domains. Download 220.31 Kb. Do'stlaringiz bilan baham: 
|