Managing the risk of covert information flows in virtual machine systems

Trent Ray Jaeger, Reiner Sailer, Yogesh Sreenivasan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Citations (Scopus)

Abstract

Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems offer the isolation of VM systems with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g., Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage to enable verification of security guarantees. Typically, covert channels are outside of access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies will be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have features necessary to express risk flow policies. Further, we find that such policies can be enforced in the context of sHype's Type Enforcement model.

Original language: English (US)
Title of host publication: SACMAT'07
Subtitle of host publication: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies
Pages: 81-90
Number of pages: 10
DOIs: https://doi.org/10.1145/1266840.1266853
State: Published - Aug 24 2007
Event: SACMAT'07: 12th ACM Symposium on Access Control Models and Technologies - Sophia Antipolis, France
Duration: Jun 20 2007 to Jun 22 2007

Publication series

Name: Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Other

Other: SACMAT'07: 12th ACM Symposium on Access Control Models and Technologies
Country: France
City: Sophia Antipolis
Period: 6/20/07 to 6/22/07

Fingerprint

Access control
Control systems
Virtual machine

All Science Journal Classification (ASJC) codes

  • Computer Science (all)

Cite this

Jaeger, T. R., Sailer, R., & Sreenivasan, Y. (2007). Managing the risk of covert information flows in virtual machine systems. In SACMAT'07: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (pp. 81-90). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). https://doi.org/10.1145/1266840.1266853
Jaeger, Trent Ray ; Sailer, Reiner ; Sreenivasan, Yogesh. / Managing the risk of covert information flows in virtual machine systems. SACMAT'07: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies. 2007. pp. 81-90 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT).
@inproceedings{ce60029717a24d14b403f46824534e68,
title = "Managing the risk of covert information flows in virtual machine systems",
abstract = "Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems offer the isolation of VM systems with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g., Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage to enable verification of security guarantees. Typically, covert channels are outside of access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies will be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have features necessary to express risk flow policies. Further, we find that such policies can be enforced in the context of sHype's Type Enforcement model.",
author = "Jaeger, {Trent Ray} and Reiner Sailer and Yogesh Sreenivasan",
year = "2007",
month = "8",
day = "24",
doi = "10.1145/1266840.1266853",
language = "English (US)",
isbn = "1595937455",
series = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",
pages = "81--90",
booktitle = "SACMAT'07",
}

Jaeger, TR, Sailer, R & Sreenivasan, Y 2007, Managing the risk of covert information flows in virtual machine systems. in SACMAT'07: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies. Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, pp. 81-90, SACMAT'07: 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France, 6/20/07. https://doi.org/10.1145/1266840.1266853

Managing the risk of covert information flows in virtual machine systems. / Jaeger, Trent Ray; Sailer, Reiner; Sreenivasan, Yogesh.

SACMAT'07: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies. 2007. p. 81-90 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT).


TY  - GEN
T1  - Managing the risk of covert information flows in virtual machine systems
AU  - Jaeger, Trent Ray
AU  - Sailer, Reiner
AU  - Sreenivasan, Yogesh
PY  - 2007/8/24
Y1  - 2007/8/24
N2  - Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems offer the isolation of VM systems with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g., Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage to enable verification of security guarantees. Typically, covert channels are outside of access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies will be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have features necessary to express risk flow policies. Further, we find that such policies can be enforced in the context of sHype's Type Enforcement model.
AB  - Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems offer the isolation of VM systems with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g., Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage to enable verification of security guarantees. Typically, covert channels are outside of access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies will be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have features necessary to express risk flow policies. Further, we find that such policies can be enforced in the context of sHype's Type Enforcement model.
UR  - http://www.scopus.com/inward/record.url?scp=34548023942&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=34548023942&partnerID=8YFLogxK
U2  - 10.1145/1266840.1266853
DO  - 10.1145/1266840.1266853
M3  - Conference contribution
AN  - SCOPUS:34548023942
SN  - 1595937455
SN  - 9781595937452
T3  - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP  - 81
EP  - 90
BT  - SACMAT'07
ER  -

Jaeger TR, Sailer R, Sreenivasan Y. Managing the risk of covert information flows in virtual machine systems. In SACMAT'07: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies. 2007. p. 81-90. (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). https://doi.org/10.1145/1266840.1266853