A layered approach to simplified access control in virtualized systems-Reference-Cited by-同舟云学术

A layered approach to simplified access control in virtualized systems

Published:2007-07 Issue:4 Volume:41 Page:12-19
ISSN:0163-5980
Container-title:ACM SIGOPS Operating Systems Review
language:en
Short-container-title:SIGOPS Oper. Syst. Rev.

Author:

Payne Bryan D.¹,Sailer Reiner²,Cáceres Ramón²,Perez Ron²,Lee Wenke¹

Affiliation:

1. Georgia Institute of Technology, Atlanta, GA

2. IBM T.J. Watson Research Center, Hawthorne, NY

Abstract

In this work, we show how the abstraction layer created by a hypervisor, or virtual machine monitor, can be leveraged to reduce the complexity of mandatory access control policies throughout the system. Policies governing access control decisions in today's systems are complex and monolithic. Achieving strong security guarantees often means restricting usability across the entire system, which is a primary reason why mandatory access controls are rarely deployed. Our architecture uses a hypervisor and multiple virtual machines to decompose policies into multiple layers. This simplifies the policies and their enforcement, while minimizing the overall impact of security on the system. We show that the overhead of decomposing system policies into distinct policies for each layer can be negligible. Our initial implementation confirms that such layering leads to simpler security policies and enforcement mechanisms as well as a more robust layered trusted computing base. We hope that this work serves to start a dialog regarding the use of mandatory access controls within a hypervisor for both increasing security and improving manageability.

Publisher

Association for Computing Machinery (ACM)

Link

https://dl.acm.org/doi/pdf/10.1145/1278901.1278905

Reference40 articles.

1. Common criteria for information technology security evaluation version 2.1. http://www.commoncriteria.org/docs/index.html 1999. Common criteria for information technology security evaluation version 2.1. http://www.commoncriteria.org/docs/index.html 1999.

2. Flexible file system benchmark (FFSB) version 5.1. http://sourceforge.net/projects/ffsb 2006. Flexible file system benchmark (FFSB) version 5.1. http://sourceforge.net/projects/ffsb 2006.

3. Advanced virtualization capabilities of POWER5 systems;Armstrong W. J.;IBM Journal of Research and Development,2005

4. Xen and the art of virtualization

Cited by 18 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Credentials Safety and System Security Pay-off and Trade-off: Comfort Level Security Assurance Framework;Strategic System Assurance and Business Analytics;2020

2. Timing Channel in IaaS: How to Identify and Investigate;IEEE Access;2019

3. Exploring Granular flow Integrity for Interconnected Trusted Platforms;2017 IEEE Trustcom/BigDataSE/ICESS;2017-08

4. VirtusCap: Capability-Based Access Control for Unikernels;2017 IEEE International Conference on Cloud Engineering (IC2E);2017-04

5. vmOS: A virtualization-based, secure desktop system;Computers & Security;2017-03