TY - GEN
T1 - Analysis of virtual machine system policies
AU - Rueda, Sandra
AU - Vijayakumar, Hayawardh
AU - Jaeger, Trent
PY - 2009
Y1 - 2009
N2 - The recent emergence of mandatory access control (MAC) enforcement for virtual machine monitors (VMMs) presents an opportunity to enforce a security goal over all its virtual machines (VMs). However, these VMs also have MAC enforcement, so determining whether the overall system (VM-system) is secure requires an evaluation of whether this combination of MAC policies, as a whole, complies with a given security goal. Previous MAC policy analyses either consider a single policy at a time or do not represent the interaction between different policy layers (VMM and VM). We observe that we can analyze the VMM policy and the labels used for communications between VMs to create an inter-VM flow graph that we use to identify safe, unsafe, and ambiguous VM interactions. A VM with only safe interactions is compliant with the goal; a VM with any unsafe interaction violates the goal. For a VM with ambiguous interactions we analyze its local MAC policy to determine whether or not it is compliant with the goal. We used this observation to develop an analytical model of a VM-system and evaluate whether it is compliant with a security goal. We implemented the model and an evaluation tool in Prolog. We evaluate our implementation by checking whether a VM-system running an XSM/Flask policy at the VMM layer and SELinux policies at the VM layer satisfies a given integrity goal. This work is the first step toward developing layered, multi-policy analyses.
UR - http://www.scopus.com/inward/record.url?scp=70450278760&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70450278760&partnerID=8YFLogxK
U2 - 10.1145/1542207.1542243
DO - 10.1145/1542207.1542243
M3 - Conference contribution
AN - SCOPUS:70450278760
SN - 9781605585376
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 227
EP - 236
BT - SACMAT'09 - Proceedings of the 14th ACM Symposium on Access Control Models and Technologies
T2 - 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009
Y2 - 3 June 2009 through 5 June 2009
ER -