A layered approach to simplified access control in virtualized systems

Published: 01 July 2007

Abstract

In this work, we show how the abstraction layer created by a hypervisor, or virtual machine monitor, can be leveraged to reduce the complexity of mandatory access control policies throughout the system. Policies governing access control decisions in today's systems are complex and monolithic. Achieving strong security guarantees often means restricting usability across the entire system, which is a primary reason why mandatory access controls are rarely deployed. Our architecture uses a hypervisor and multiple virtual machines to decompose policies into multiple layers. This simplifies the policies and their enforcement, while minimizing the overall impact of security on the system. We show that the overhead of decomposing system policies into distinct policies for each layer can be negligible. Our initial implementation confirms that such layering leads to simpler security policies and enforcement mechanisms as well as a more robust layered trusted computing base. We hope that this work serves to start a dialog regarding the use of mandatory access controls within a hypervisor for both increasing security and improving manageability.


Published In

ACM SIGOPS Operating Systems Review, Volume 41, Issue 4
July 2007
86 pages
ISSN: 0163-5980
DOI: 10.1145/1278901

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. information flow
2. layering
3. mandatory access control
4. policy
5. security
6. virtualization

Cited By

• (2020) Credentials Safety and System Security Pay-off and Trade-off: Comfort Level Security Assurance Framework. Strategic System Assurance and Business Analytics, pp. 255-274. DOI: 10.1007/978-981-15-3647-2_19. Online publication date: 20 June 2020.
• (2019) Timing Channel in IaaS: How to Identify and Investigate. IEEE Access, 7, pp. 1-11. DOI: 10.1109/ACCESS.2018.2876146. Online publication date: 2019.
• (2017) Exploring Granular Flow Integrity for Interconnected Trusted Platforms. 2017 IEEE Trustcom/BigDataSE/ICESS, pp. 594-601. DOI: 10.1109/Trustcom/BigDataSE/ICESS.2017.289. Online publication date: August 2017.
• (2017) VirtusCap: Capability-Based Access Control for Unikernels. 2017 IEEE International Conference on Cloud Engineering (IC2E), pp. 226-237. DOI: 10.1109/IC2E.2017.34. Online publication date: April 2017.
• (2017) vmOS. Computers and Security, 65:C, pp. 329-343. DOI: 10.1016/j.cose.2016.10.008. Online publication date: 1 March 2017.
• (2016) Moving Target Defense in Distributed Systems. Moving Target Defense for Distributed Systems, pp. 1-11. DOI: 10.1007/978-3-319-31032-9_1. Online publication date: 21 April 2016.
• (2015) Application Virtualization Techniques for Malware Forensics in Social Engineering. 2015 International Conference on Cyberspace (CYBER-Abuja), pp. 45-56. DOI: 10.1109/CYBER-Abuja.2015.7360508. Online publication date: November 2015.
• (2015) Decomposing, Comparing, and Synthesizing Access Control Expressiveness Simulations. Proceedings of the 2015 IEEE 28th Computer Security Foundations Symposium, pp. 18-32. DOI: 10.1109/CSF.2015.9. Online publication date: 13 July 2015.
• (2015) C2Hunter: Detection and Mitigation of Covert Channels in Data Centers. Handbook on Data Centers, pp. 961-996. DOI: 10.1007/978-1-4939-2092-1_32. Online publication date: 17 March 2015.
• (2015) Modeling, Conflict Detection, and Verification of a New Virtualization Role-Based Access Control Framework. Security and Communication Networks, 8:10, pp. 1904-1925. DOI: 10.1002/sec.1025. Online publication date: 10 July 2015.
