Building a MAC-based security architecture for the Xen open-source hypervisor

We present the sHype hypervisor security architecture and examine in detail its mandatory access control facilities. While existing hypervisor security approaches aiming at high assurance have proven useful for high-security environments that prioritize security over performance and code reuse, our approach aims at commercial security, where near-zero performance overhead, non-intrusive implementation, and usability are of paramount importance. sHype enforces strong isolation at the granularity of a virtual machine, thus providing a robust foundation on which higher software layers can enact finer-grained controls. We provide the rationale behind the sHype design and describe and evaluate our implementation for the Xen open-source hypervisor.
