MAC protection of the OpenNebula Cloud environment

Mandatory Access Control (MAC) is poorly supported by current Cloud environments. Our paper proposes extensions to the OpenNebula Cloud software that provide advanced MAC protection of the virtual machines hosted on the different nodes of the Cloud. Unique SELinux security labels are associated with each virtual machine and its resources, and these labels are preserved when virtual machines are instantiated or migrated. Moreover, PIGA-Virt provides a unified way to control information flows within a single virtual machine as well as between multiple virtual machines: SELinux controls the direct flows, and PIGA-Virt adds advanced controls on top of them. A single PIGA protection rule can thus control several direct and indirect flows, which lets the administrator express high-level security properties. Benchmarks of PIGA-Virt show that our Trusted OpenNebula Cloud is efficient with respect to the quality of the protection it provides.
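The distinction the abstract draws between direct flows (what a per-access MAC check sees) and indirect flows (what a PIGA-style rule over several steps sees) can be illustrated with a small model. The code below is an added example, not part of the paper or of PIGA-Virt; the VM names, labels and the direct-flow policy are constructed, and the rule syntax is hypothetical.

```python
"""Toy model of direct vs. indirect information flows between labelled VMs."""
from itertools import product

# Constructed sample: one unique label per VM and per resource (stand-ins
# for the per-VM SELinux labels the abstract describes).
LABELS = {
    "vm_tenant_a": "svirt_t:s0:c10,c20",
    "vm_tenant_b": "svirt_t:s0:c30,c40",
    "shared_disk": "svirt_image_t:s0:c50",
}

# Constructed direct-flow policy: each pair is individually allowed.
DIRECT = {
    ("vm_tenant_a", "shared_disk"),   # tenant A writes the shared disk
    ("shared_disk", "vm_tenant_b"),   # tenant B reads the shared disk
}


def labels_unique(labels=LABELS):
    """Every VM/resource must carry its own distinct label."""
    return len(set(labels.values())) == len(labels)


def direct_allowed(src, dst, policy=DIRECT):
    """Single-step check: the decision a direct MAC check would make."""
    return (src, dst) in policy


def indirect_flows(policy=DIRECT):
    """Transitive closure of the direct flows (Warshall-style)."""
    nodes = {n for edge in policy for n in edge}
    reach = set(policy)
    changed = True
    while changed:
        changed = False
        for a, b, c in product(nodes, repeat=3):
            if (a, b) in reach and (b, c) in reach and (a, c) not in reach:
                reach.add((a, c))
                changed = True
    return reach


def violates_isolation(src, dst, policy=DIRECT):
    """High-level property 'no flow from src to dst', evaluated over direct
    AND indirect paths, which is what a multi-step rule must catch."""
    return (src, dst) in indirect_flows(policy)
```

Here no direct flow from tenant A to tenant B exists, yet the two allowed direct accesses compose into an indirect one through the shared disk; only the transitive check reports the isolation violation.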
