Analysis of virtual machine system policies

Sandra Rueda, Hayawardh Vijayakumar, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceedingConference contribution

13 Scopus citations


The recent emergence of mandatory access (MAC) enforcement for virtual machine monitors (VMMs) presents an opportunity to enforce a security goal over all its virtual machines (VMs). However, these VMs also have MAC enforcement, so to determine whether the overall system (VM-system) is secure requires an evaluation of whether this combination of MAC policies, as a whole, complies with a given security goal. Previous MAC policy analyses either consider a single policy at a time or do not represent the interaction between different policy layers (VMM and VM). We observe that we can analyze the VMM policy and the labels used for communications between VMs to create an inter-VM flow graph that we use to identify safe, unsafe, and ambiguous VM interactions. A VM with only safe interactions is compliant with the goal, a VM with any unsafe interaction violates the goal. For a VM with ambiguous interactions we analyze its local MAC policy to determine whether it is compliant or not with the goal. We used this observation to develop an analytical model of a VM-system, and evaluate if it is compliant with a security goal. We implemented the model and an evaluation tool in Prolog. We evaluate our implementation by checking whether a VM-system running XSM/Flask policy at the VMM layer and SELinux policies at the VM layer satisfies a given integrity goal. This work is the first step toward developing layered, multi-policy analyses.

Original languageEnglish (US)
Title of host publicationSACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies
Number of pages10
StatePublished - 2009
Event14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009 - Stresa, Italy
Duration: Jun 3 2009Jun 5 2009

Publication series

NameProceedings of ACM Symposium on Access Control Models and Technologies, SACMAT


Other14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems


Dive into the research topics of 'Analysis of virtual machine system policies'. Together they form a unique fingerprint.

Cite this