Mandatory Access Protection Within Cloud Systems

  • M. Blanc
  • A. Bousquet
  • J. Briffaut
  • L. Clevy
  • D. Gros
  • A. Lefray
  • J. Rouzaud-Cornabas
  • C. Toinard
  • B. Venelle
Chapter

Abstract

To guarantee security properties such as confidentiality and integrity, cryptographic mechanisms provide encryption and signing of data, but protection is also required to control access to that data. The recent attacks on Facebook and Twitter show that protection must not be limited to the infrastructure, i.e., the hosts and the guest virtual machines.


Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • M. Blanc (2)
  • A. Bousquet (1)
  • J. Briffaut (1)
  • L. Clevy (3)
  • D. Gros (2)
  • A. Lefray (4)
  • J. Rouzaud-Cornabas (4)
  • C. Toinard (1)
  • B. Venelle (3)

  1. ENSI-LIFO, Bourges, France
  2. CEA, DAM, DIF, Arpajon, France
  3. Alcatel-Lucent Bell Labs, Nozay, France
  4. ENS Lyon-LIP-Avalon, Lyon Cedex 07, France
