A practical Chinese wall security model in cloud computing

Virtualization technology is widely adopted in clouds to meet the requirements of rapid provisioning and on-demand scalability in cloud computing. Although virtualization improves the utilization of hardware devices and flexibility, it brings new security challenges. Users face a new type of attack, called the inter-VM attack, which targets the VMs running on the same physical machine. To eliminate possible inter-VM attacks from competitors, we propose a centralized control mechanism based on the Chinese Wall security policy that forbids deploying and running competitors' VMs on the same physical machine, so that physical isolation is achieved. We build the Chinese Wall Central Management System (CWCMS) with the proposed centralized control mechanism in an internally built experimental cloud. CWCMS effectively manages the VMs and enforces the Chinese Wall security policy in the cloud. Furthermore, CWCMS employs a graph coloring algorithm to achieve better utilization of cloud resources.
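The placement idea described above, as an added illustration that is not CWCMS code: VMs whose owners are competitors (different companies in the same conflict-of-interest class) are joined by an edge in a conflict graph, a greedy coloring assigns each colour to one physical host so that no edge lies within a host, and an admission check rejects any later placement or migration that would put competitors together. The tenant data, the greedy largest-degree-first coloring and all function names are assumptions made for this example; the paper's own coloring algorithm is not reproduced here.

```python
from collections import defaultdict

# Constructed sample: vm -> (company, conflict-of-interest class).
# Companies in the same class are competitors and must not share a host.
VMS = {
    "vm1": ("BankA", "banking"), "vm2": ("BankB", "banking"),
    "vm3": ("BankA", "banking"), "vm4": ("OilX", "oil"),
    "vm5": ("OilY", "oil"),      "vm6": ("ShopZ", "retail"),
}

def conflicts(vm_a, vm_b, vms=VMS):
    """Chinese Wall rule: conflict iff same COI class, different company."""
    company_a, class_a = vms[vm_a]
    company_b, class_b = vms[vm_b]
    return class_a == class_b and company_a != company_b

def build_conflict_graph(vms=VMS):
    """Undirected graph whose edges join VMs that may not be co-located."""
    adj = defaultdict(set)
    ids = list(vms)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if conflicts(a, b, vms):
                adj[a].add(b)
                adj[b].add(a)
    return adj

def color_placement(vms=VMS):
    """Greedy graph coloring; each colour is a physical host id (assumed
    heuristic, chosen to keep the number of hosts small)."""
    adj = build_conflict_graph(vms)
    order = sorted(vms, key=lambda v: -len(adj[v]))  # high degree first
    host_of = {}
    for v in order:
        used = {host_of[n] for n in adj[v] if n in host_of}
        host = 0
        while host in used:          # lowest host not used by a competitor
            host += 1
        host_of[v] = host
    return host_of

def can_place(vm, host, host_of, vms=VMS):
    """Admission check run before deploying or migrating `vm` onto `host`."""
    return all(not conflicts(vm, other, vms)
               for other, h in host_of.items() if h == host and other != vm)

def placement_is_valid(host_of, vms=VMS):
    """True when no host holds two competing VMs."""
    return all(can_place(v, h, host_of, vms) for v, h in host_of.items())
```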
