Abstract
Efficient Mandatory Access Control of Virtual Machines remains an open problem for protecting efficiently Cloud Systems. For example, the MAC protection must allow some information flows between two virtual machines while preventing other information flows between those two machines. For solving these problems, the virtual environment must guarantee an in-depth protection in order to control the information flows that starts in a Virtual Machine (vm) and finishes in another one. In contrast with existing MAC approaches, PIGA-Virt is a MAC protection controlling the different levels of a virtual system. It eases the management of the required security objectives. The PIGA-Virt approach guarantees the required security objectives while controlling efficiently the information flows. PIGA-Virt supports a large range of predefined protection canvas whose efficiency has been demonstrated during the ANR Sec&SiĀ security challenge. The paper shows how the PIGA-Virt approach guarantees advanced confidentiality and integrity properties by controlling complex combinations of transitive information flows passing through intermediate resources. As far as we know, PIGA-Virt is the first operational solution providing in-depth MAC protection, addressing advanced security requirements and controlling efficiently information flows inside and between virtual machines. Moreover, the solution is independent of the underlying hypervisor. Performances and protection scenarios are given for protecting KVM virtual machines.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
BitVisor 1.1 Reference Manual (2010), http://www.bitvisor.org/
Carbone, M., Zamboni, D., Lee, W.: Taming virtualization. IEEE Security and PrivacyĀ 6(1), 65ā67 (2008)
Chen, X., Garfinkel, T., Christopher Lewis, E., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.K.: Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. SIGOPS Oper. Syst. Rev.Ā 42, 2ā13 (2008)
Jaeger, T., Schiffman, J.: Outlook: Cloudy with a chance of security challenges and improvements. IEEE Security and PrivacyĀ 8, 77ā80 (2010)
Briffaut, C.T.J., Peres, M.: A dynamic end-to-end security for coordinating multiple protections within a linux desktop. In: Proceedings of the 2010 IEEE Workshop on Collaboration and Security (COLSEC 2010), pp. 509ā515. IEEE Computer Society, Chicago (2010)
Loscocco, P.A., Smalley, S.D., Muckelbauer, P.A., Taylor, R.C., Turner, S.J., Farrell, J.F.: The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In: Proceedings of the 21st National Information Systems Security Conference, Arlington, Virginia, USA, pp. 303ā314 (October 1998)
McCune, J.M., Jaeger, T., Berger, S., Caceres, R., Sailer, R.: Shamon: A system for distributed mandatory access control. In: Proceedings of the 22nd Annual Computer Security Applications Conference, pp. 23ā32. IEEE Computer Society, Washington, DC (2006)
Payne, B.D., Sailer, R., CĆ”ceres, R., Perez, R., Lee, W.: A layered approach to simplified access control in virtualized systems. SIGOPS Oper. Syst. Rev.Ā 41, 12ā19 (2007)
Pearson, S., Benameur, A.: Privacy, security and trust issues arising from cloud computing. In: Proceedings of the 2010 IEEE Second International Conference on Cloud Computing Technology and Science, CLOUDCOM 2010, pp. 693ā702. IEEE Computer Society, Washington, DC (2010)
Quynh, N.A., Takefuji, Y.: A real-time integrity monitor for xen virtual machine. In: ICNS 2006: Proceedings of the International Conference on Networking and Services, p. 90. IEEE Computer Society, Washington, DC (2006)
Rueda, S., Vijayakumar, H., Jaeger, T.: Analysis of virtual machine system policies. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009, pp. 227ā236. ACM, New York (2009)
Sailer, R., Jaeger, T., Valdez, E., Caceres, R., Perez, R., Berger, S., Griffin, J.L., Van Doorn, L., Center, I.B.M.T.J.W.R., Hawthorne, N.Y.: Building a MAC-based security architecture for the Xen open-source hypervisor. In: 21st Annual Computer Security Applications Conference, p. 10 (2005)
Sandhu, R., Boppana, R., Krishnan, R., Reich, J., Wolff, T., Zachry, J.: Towards a discipline of mission-aware cloud computing. In: Proceedings of the 2010 ACM Workshop on Cloud Computing Security Workshop, CCSW 2010, pp. 13ā18. ACM, New York (2010)
Wojtczuk, R.: Subverting the Xen hypervisor. BlackHat USA (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
Ā© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Briffaut, J., Lefebvre, E., Rouzaud-Cornabas, J., Toinard, C. (2012). PIGA-Virt: An Advanced Distributed MAC Protection of Virtual Systems. In: Alexander, M., et al. Euro-Par 2011: Parallel Processing Workshops. Euro-Par 2011. Lecture Notes in Computer Science, vol 7156. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29740-3_47
Download citation
DOI: https://doi.org/10.1007/978-3-642-29740-3_47
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29739-7
Online ISBN: 978-3-642-29740-3
eBook Packages: Computer ScienceComputer Science (R0)