Chinese Wall Isolation Mechanism and Its Implementation on VMM

Virtualization is gaining popularity, and several mandatory access control (MAC) mechanisms are available that control overt communication among virtual machines (VMs) in virtual machine systems. Such mechanisms, however, cannot block covert channels. A strong isolation mechanism at the hardware layer can help solve this problem. In this paper we therefore propose an isolation mechanism based on the Chinese Wall policy that creates an air gap between VMs with a conflict of interest, and implement it on a popular virtual machine monitor (VMM), Xen. The mechanism regulates how the VMM allocates hardware resources such as physical memory, CPUs and I/O adapters to VMs, without significant loss of system performance. It therefore provides stronger isolation among VMs than VMMs alone do.
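The allocation rule the abstract describes can be modelled as a Chinese Wall check on each hardware unit before a VM is bound to it. The following is an added illustration, not code from the paper or from Xen: VM labels, the CoI-class rule and the two-core scenario are constructed here, and the allocator is a hypothetical model of the policy rather than the authors' implementation.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VMLabel:
    """Chinese Wall label: the dataset a VM holds and the
    conflict-of-interest (CoI) class that dataset belongs to."""
    vm: str
    dataset: str
    coi_class: str


@dataclass
class Resource:
    """A unit of hardware the VMM hands out (CPU core, memory node,
    I/O adapter) and the VM labels currently bound to it."""
    name: str
    bound: set = field(default_factory=set)


class ChineseWallAllocator:
    """Hypothetical allocator: a unit may be shared by VMs of the same
    dataset or of unrelated CoI classes, never by two VMs whose datasets
    compete inside one CoI class (that pair gets an air gap)."""

    def __init__(self, resources):
        self.resources = {r.name: r for r in resources}

    def conflicts(self, res, label):
        # VMs already on `res` that the wall must keep away from `label`
        return [b for b in res.bound
                if b.coi_class == label.coi_class and b.dataset != label.dataset]

    def allocate(self, res_name, label):
        res = self.resources[res_name]
        if self.conflicts(res, label):
            return False          # refused: sharing would bridge the wall
        res.bound.add(label)
        return True

    def release(self, res_name, label):
        self.resources[res_name].bound.discard(label)

    def place(self, label):
        """First unit that accepts the VM; None means every unit already
        hosts a competitor, so the VM must wait or get dedicated hardware."""
        return next((n for n in self.resources if self.allocate(n, label)), None)


def demo():
    # Constructed scenario: two cores, three banks in one CoI class, one oil firm
    alloc = ChineseWallAllocator([Resource("cpu0"), Resource("cpu1")])
    labels = [VMLabel("vm1", "BankA", "banking"), VMLabel("vm2", "BankB", "banking"),
              VMLabel("vm3", "OilX", "oil"), VMLabel("vm4", "BankA", "banking"),
              VMLabel("vm5", "BankC", "banking")]
    return {l.vm: alloc.place(l) for l in labels}
```

In the constructed scenario vm5 is left unplaced, which is the cost the abstract refers to: the wall can only be kept by withholding shared hardware from a third competitor.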
