Verifying the Safety of Xen Security Modules

In a virtualization environment, the communication and resource sharing between virtual machines can be protected by a mandatory access control mechanism to guarantee the isolation of the virtual machines. The safety of the mandatory access control framework depends on whether the security-sensitive operations are completely protected by the security check functions. In this paper, we present a novel method to verify the safety of the Xen security modules framework. We implement our method on the Xen 4.01 source code and evaluate the results. While our work in this paper focuses on the verification of Xen security modules, the method can be used to analyze other mandatory access control frameworks analogous to it as well.
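The safety property the abstract describes, that every security-sensitive operation is reached only after the corresponding security check on every path, can be stated as a must-analysis over a function's control-flow graph: a check "holds" at a program point only if it was performed on all paths leading there, so states are intersected at joins. The Python below is an added example written for this page, not the paper's implementation and not Xen code; the hook names (`xsm_grant_table_check`, `xsm_domain_destroy_check`), the operation names and the three control-flow graphs are constructed placeholders chosen to show a missing check on one branch, a check that is only present on one incoming edge of a join, and a correctly hoisted check.

```python
"""Toy must-analysis for authorization hook placement (added example).

A CFG is a dict: block_name -> (statements, successor_block_names).
A statement is ("check", hook_name), ("op", operation_name) or ("nop",).
The analysis reports every sensitive operation whose required hook has not
been performed on *all* paths from the entry block to that operation.
"""
from collections import deque

# Constructed mapping: sensitive operation -> hook that must precede it.
# Names are hypothetical and do not correspond to real XSM hooks.
REQUIRED_HOOK = {
    "grant_table_update": "xsm_grant_table_check",
    "domain_destroy": "xsm_domain_destroy_check",
}


def verify_hook_placement(cfg, entry):
    """Return a sorted list of (block, operation) pairs that are unprotected.

    IN[b] is the set of hooks known to have been checked on every path into b.
    Unvisited blocks start as None (the "universe"), so the first incoming
    state is adopted and later ones are intersected; states only shrink, so
    the worklist terminates and any violation seen also holds at the fixpoint.
    """
    in_sets = {block: None for block in cfg}
    in_sets[entry] = set()
    worklist = deque([entry])
    violations = set()

    while worklist:
        block = worklist.popleft()
        statements, successors = cfg[block]
        state = set(in_sets[block])
        for stmt in statements:
            if stmt[0] == "check":
                state.add(stmt[1])  # hook performed: it now holds on this path
            elif stmt[0] == "op":
                needed = REQUIRED_HOOK.get(stmt[1])
                if needed is not None and needed not in state:
                    violations.add((block, stmt[1]))
        for succ in successors:
            previous = in_sets[succ]
            merged = set(state) if previous is None else previous & state
            if previous is None or merged != previous:
                in_sets[succ] = merged
                worklist.append(succ)
    return sorted(violations)


# Constructed CFG 1: the fast path performs the operation without the hook.
UNSAFE_CFG = {
    "entry": ([("nop",)], ["fast", "slow"]),
    "fast": ([("op", "grant_table_update")], ["exit"]),
    "slow": ([("check", "xsm_grant_table_check"),
              ("op", "grant_table_update")], ["exit"]),
    "exit": ([], []),
}

# Constructed CFG 2: the hook is on only one edge into the join block, so the
# intersection at "join" drops it and the operation there is unprotected.
JOIN_CFG = {
    "entry": ([("nop",)], ["a", "b"]),
    "a": ([("check", "xsm_grant_table_check")], ["join"]),
    "b": ([("nop",)], ["join"]),
    "join": ([("op", "grant_table_update")], ["exit"]),
    "exit": ([], []),
}

# Constructed CFG 3: the hook is hoisted before the branch, so it dominates
# both uses of the operation.
SAFE_CFG = {
    "entry": ([("check", "xsm_grant_table_check")], ["fast", "slow"]),
    "fast": ([("op", "grant_table_update")], ["exit"]),
    "slow": ([("op", "grant_table_update")], ["exit"]),
    "exit": ([], []),
}

if __name__ == "__main__":
    for name, cfg in (("UNSAFE_CFG", UNSAFE_CFG),
                      ("JOIN_CFG", JOIN_CFG),
                      ("SAFE_CFG", SAFE_CFG)):
        print(name, verify_hook_placement(cfg, "entry"))
```

The analysis is intraprocedural and ignores aliasing and the data the hook actually authorizes, which is exactly the gap the abstract's method on real Xen source has to close; the example is meant only to make the "protected on every path" criterion concrete.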
