Managing the risk of covert information flows in virtual machine systems
Source: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT 2007), Sophia Antipolis, France
Session: Secure operating systems
Pages: 81-90
Year of Publication: 2007
ISBN: 978-1-59593-745-2
Authors
Trent Jaeger  Penn State University, University Park, PA
Reiner Sailer  IBM Research -- Watson, Hawthorne, NY
Yogesh Sreenivasan  Penn State University, University Park, PA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
DOI: 10.1145/1266840.1266853 (http://doi.acm.org/10.1145/1266840.1266853)

ABSTRACT

Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems combine the isolation of VM systems with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g., Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage in order to enable verification of security guarantees. Typically, covert channels lie outside access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies would be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have the features necessary to express risk flow policies. Further, we find that such policies can be enforced in the context of sHype's Type Enforcement model.
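The following is an added illustration of the abstract's central idea (checking leakage risk over the combination of overt and covert flows against a risk flow policy with Chinese Wall style conflict sets); it is example code written for this page, not the paper's formal model and not the sHype/Xen policy format. The VM names, type labels, allowed overt flows, the conflict set, the set of authorized covert flows, and the assumption that any two VMs co-resident on one physical host share a bidirectional covert channel are all constructed for the example.

```python
"""
Added illustration: a risk flow policy checked over the combined overt +
covert flow graph between VM types. Not the paper's model and not sHype's
policy format; every label, edge and policy entry below is constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed VM inventory: VM name -> sHype-style type label.
VMS = {
    "dom0": "SystemManagement",
    "vmA": "CompanyA",
    "vmB": "CompanyB",
    "storA": "StorageA",
    "storB": "StorageB",
}

# Overt flows (constructed): (source type, sink type) pairs that a simple
# type-enforcement policy allows, e.g. management pushes into tenants and
# each tenant writes only to its own storage VM.
OVERT = [
    ("SystemManagement", "CompanyA"),
    ("SystemManagement", "CompanyB"),
    ("CompanyA", "StorageA"),
    ("CompanyB", "StorageB"),
]

# Risk flow policy (constructed):
#  - covert-only flows that are authorized (accepted risk), and
#  - a Chinese Wall conflict set: no sink may receive, overtly or covertly,
#    from more than one member of the set.
AUTHORIZED_COVERT = {("StorageA", "CompanyA"), ("StorageB", "CompanyB")}
CONFLICT_SETS = [{"CompanyA", "CompanyB"}]


def covert_edges(hosts, vms=VMS):
    """Assumption: any two VMs co-resident on one physical host share a
    covert channel (timing, cache, ...) in both directions, whatever the
    access control policy says."""
    edges = set()
    for members in hosts.values():
        for x, y in combinations(members, 2):
            edges.add((vms[x], vms[y]))
            edges.add((vms[y], vms[x]))
    return edges


def reachable(edges):
    """Transitive closure of a flow graph: {type: set of types it reaches}."""
    adj = defaultdict(set)
    nodes = set()
    for s, d in edges:
        adj[s].add(d)
        nodes.update((s, d))
    closure = {}
    for start in nodes:
        seen, stack = set(), [start]
        while stack:
            for nxt in adj[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        closure[start] = seen
    return closure


def evaluate(overt, covert, authorized_covert=AUTHORIZED_COVERT,
             conflict_sets=CONFLICT_SETS):
    """Return the list of risk flow policy violations for the combined graph."""
    overt_reach = reachable(overt)
    combined_reach = reachable(list(overt) + list(covert))
    violations = []
    # 1. A flow that exists only because of covert channels must be an
    #    authorized risk.
    for src, sinks in combined_reach.items():
        for dst in sinks:
            if dst == src or dst in overt_reach.get(src, set()):
                continue
            if (src, dst) not in authorized_covert:
                violations.append(("unauthorized-covert-flow", src, dst))
    # 2. Chinese Wall: combined flows must not aggregate conflicting types
    #    at any one sink.
    for sink in combined_reach:
        sources = {s for s, sinks in combined_reach.items()
                   if sink in sinks and s != sink}
        for cs in conflict_sets:
            hit = cs & sources
            if len(hit) > 1:
                violations.append(("conflict-set-aggregation", sink,
                                   tuple(sorted(hit))))
    return violations


def placement_is_safe(hosts):
    """True if running the VMs as placed leaks nothing beyond the authorized risk."""
    return not evaluate(OVERT, covert_edges(hosts))


# Constructed placements. Putting dom0 next to a tenant VM opens a covert path
# tenant -> dom0 -> (overt) other tenant -> its storage, which the overt
# policy alone never shows.
BAD_PLACEMENT = {"h1": ["dom0", "vmA"], "h2": ["vmB", "storB"], "h3": ["storA"]}
SAFE_PLACEMENT = {"h1": ["dom0"], "h2": ["vmA", "storA"], "h3": ["vmB", "storB"]}

if __name__ == "__main__":
    for name, hosts in (("bad", BAD_PLACEMENT), ("safe", SAFE_PLACEMENT)):
        print(name, "violations:", evaluate(OVERT, covert_edges(hosts)))
```

The point the check makes is the one the abstract raises: the overt policy on its own passes (each tenant reaches only its own storage), yet once the assumed co-residency channels are added, CompanyA data can reach StorageB through dom0, so the first placement violates the conflict set while the second does not. In a deployed system the covert edges would come from whatever channel analysis the assurance level supports, not from a blanket co-residency assumption.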

