A Performance Analysis of ARM Virtual Machines Secured Using SELinux

Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 470)

Abstract

Virtualization of the ARM architecture is becoming increasingly popular in several domains. Thus, security is one of the main concerns in modern virtualized embedded platforms. An effective way to enhance the security of these platforms is through a combination of virtualization and Mandatory Access Control (MAC) security policies. The aim of this paper is to discuss the performance overhead of MAC-secured virtual machines. We compare the I/O performance of a KVM/ARM guest running on an SELinux host with that of a non-secured VM. The result of the comparison is unexpected: the performance of the SELinux-based VM is better than that of the non-secured VM. We present a detailed analysis based on a modified version of SELinux running on an ARM core, and highlight the main causes of the observed performance improvement.

Keywords

ARM virtualization, SELinux, KVM ARM, VM security, MAC virtual machines, Mandatory access control (MAC)

Notes

Acknowledgment

This research work has been supported by the FP7 TRESCCA project under the grant number 318036.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

Virtual Open Systems, Grenoble, France