In this work, we show how the abstraction layer created by a hypervisor, or virtual machine monitor, can be leveraged to reduce the complexity of mandatory access control policies throughout the system. Policies governing access control decisions in today's systems are complex and monolithic. Achieving strong security guarantees often means restricting usability across the entire system, which is a primary reason why mandatory access controls are rarely deployed. Our architecture uses a hypervisor and multiple virtual machines to decompose policies into multiple layers. This simplifies the policies and their enforcement, while minimizing the overall impact of security on the system. We show that the overhead of decomposing system policies into distinct policies for each layer can be negligible. Our initial implementation confirms that such layering leads to simpler security policies and enforcement mechanisms as well as a more robust layered trusted computing base. We hope that this work serves to start a dialog regarding the use of mandatory access controls within a hypervisor for both increasing security and improving manageability.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Common criteria for information technology security evaluation version 2.1. http://www.commoncriteria.org/docs/index.html, 1999.
	2	Flexible file system benchmark (FFSB) version 5.1. http://sourceforge.net/projects/ffsb, 2006.
	3	W. J. Armstrong , R. L. Arndt , D. C. Boutcher , R. G. Kovacs , D. Larson , K. A. Lucke , N. Nayar , R. C. Swanberg, Advanced virtualization capabilities of POWER5 systems, IBM Journal of Research and Development, v.49 n.4/5, p.523-532, July 2005
	4	J. Athey, C. Ashworth, F. Mayer, and D. Miner. Towards intuitive tools for managing SELinux: Hiding the details but retaining the power. In Proceedings of the 2007 Security Enhanced Linux Symposium, March 2007.
	5	Paul Barham , Boris Dragovic , Keir Fraser , Steven Hand , Tim Harris , Alex Ho , Rolf Neugebauer , Ian Pratt , Andrew Warfield, Xen and the art of virtualization, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	6	Victor R. Basili , Barry T. Perricone, Software errors and complexity: an empirical investigation0, Communications of the ACM, v.27 n.1, p.42-52, Jan. 1984  [doi>10.1145/69605.2085]
	7	D. E. Bell and L. J. La Padula. Secure computer system: Unified exposition and multics interpretation. Technical Report ESD-TR-75-306, The MITRE Corporation, Bedford, MA, 1976.
	8	Steven M. Bellovin, Virtual machines, virtual security?, Communications of the ACM, v.49 n.10, October 2006  [doi>10.1145/1164394.1164414]
	9	A. Bennett. Hole-in-the-chroot. http://clyde.concordia.ca/security/hole-in-the-chroot-v1/.
	10	Elisa Bertino , Barbara Catania , Elena Ferrari , Paolo Perlasca, A logical framework for reasoning about access control models, Proceedings of the sixth ACM symposium on Access control models and technologies, p.41-52, May 2001, Chantilly, Virginia, United States  [doi>10.1145/373256.373261]
	11	Richard S. Cox , Steven D. Gribble , Henry M. Levy , Jacob Gorm Hansen, A Safety-Oriented Platform for Web Applications, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.350-364, May 21-24, 2006  [doi>10.1109/SP.2006.4]
	12	Edsger W. Dijkstra, The structure of the “THE”-multiprogramming system, Communications of the ACM, v.11 n.5, p.341-346, May 1968  [doi>10.1145/363095.363143]
	13	DoD. Trusted computer system evaluation criteria. Technical Report DoD 5200.28-STD, Department of Defense, 1985.
	14	Petros Efstathopoulos , Maxwell Krohn , Steve VanDeBogart , Cliff Frey , David Ziegler , Eddie Kohler , David Mazières , Frans Kaashoek , Robert Morris, Labels and event processes in the asbestos operating system, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
	15	R. J. Feiertag and P. G. Neumann. The foundations of a provably secure operating system (PSOS). In Proceedings of the National Computer Conference, pages 329--334, Menlo Park, CA, 1979.
	16	Tal Garfinkel , Ben Pfaff , Jim Chow , Mendel Rosenblum , Dan Boneh, Terra: a virtual machine-based platform for trusted computing, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	17	T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed Systems Security Symposium, February 2003.
	18	T. J. Gibson. An architecture for flexible, high assurance, multi-security domain networks. In Network and Distributed System Security Symposium, San Diego, CA, February 2001.
	19	Trent Jaeger , Reiner Sailer , Xiaolan Zhang, Analyzing integrity protection in the SELinux example policy, Proceedings of the 12th conference on USENIX Security Symposium, p.5-5, August 04-08, 2003, Washington, DC
	20	T. R. Jaeger, S. Hallyn, and J. Latten. Leveraging IPsec for mandatory access control of linux network commmunications. In Proceedings of ACSAC, 2005.
	21	Paul A. Karger , Mary Ellen Zurko , Douglas W. Bonin , Andrew H. Mason , Clifford E. Kahn, A Retrospective on the VAX VMM Security Kernel, IEEE Transactions on Software Engineering, v.17 n.11, p.1147-1165, November 1991  [doi>10.1109/32.106971 ]
	22	Samuel T. King , Peter M. Chen , Yi-Min Wang , Chad Verbowski , Helen J. Wang , Jacob R. Lorch, SubVirt: Implementing malware with virtual machines, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.314-327, May 21-24, 2006  [doi>10.1109/SP.2006.38]
	23	Butler W. Lampson, A note on the confinement problem, Communications of the ACM, v.16 n.10, p.613-615, Oct. 1973  [doi>10.1145/362375.362389]
	24	Barbara H. Liskov, The design of the Venus operating system, Communications of the ACM, v.15 n.3, p.144-149, March 1972  [doi>10.1145/361268.361272]
	25	Peter Loscocco , Stephen Smalley, Integrating Flexible Support for Security Policies into the Linux Operating System, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, p.29-42, June 25-30, 2001
	26	T. F. Lunt , D. E. Denning , R. R. Schell , M. Heckman , W. R. Shockley, The SeaView Security Model, IEEE Transactions on Software Engineering, v.16 n.6, p.593-607, June 1990  [doi>10.1109/32.55088 ]
	27	Stuart E. Madnick , John J. Donovan, Application and analysis of the virtual machine approach to information system security and isolation, Proceedings of the workshop on virtual computer systems, p.210-224, March 26-27, 1973, Cambridge, Massachusetts, United States  [doi>10.1145/800122.803961]
	28	Jonathan M. McCune , Trent Jaeger , Stefan Berger , Ramon Caceres , Reiner Sailer, Shamon: A System for Distributed Mandatory Access Control, Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference, p.23-32, December 11-15, 2006  [doi>10.1109/ACSAC.2006.47]
	29	Aravind Menon , Jose Renato Santos , Yoshio Turner , G. (John) Janakiraman , Willy Zwaenepoel, Diagnosing performance overheads in the xen virtual machine environment, Proceedings of the 1st ACM/USENIX international conference on Virtual execution environments, June 11-12, 2005, Chicago, IL, USA  [doi>10.1145/1064979.1064984]
	30	R. Meushaw and D. Simard. Nettop: A network on your desktop. Tech Trend Notes (National Security Agency), 9(4):3--11, Fall 2000.
	31	National Security Agency. Security-Enhanced Linux. http://www.nsa.gov/selinux/.
	32	C. J. PeBenito, F. Mayer, and K. MacMillan. Reference policy for security enhanced linux. In Proceedings of the 2006 Security Enhanced Linux Symposium, March 2006.
	33	N. E. Proctor and P. G. Neumann. Architectural implications of covert channels. In Proceedings of the 15th National Computer Security Conference, pages 28--43, Baltimore, Maryland, 1992.
	34	J. Rutkowska. Subverting Vista kernel for fun and profit. In Proceedings of Black Hat USA 2006, 2006.
	35	Reiner Sailer , Trent Jaeger , Enriquillo Valdez , Ramon Caceres , Ronald Perez , Stefan Berger , John Linwood Griffin , Leendert van Doorn, Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor, Proceedings of the 21st Annual Computer Security Applications Conference, p.276-285, December 05-09, 2005  [doi>10.1109/CSAC.2005.13]
	36	Jerome H. Saltzer, Protection and the control of information sharing in multics, Communications of the ACM, v.17 n.7, p.388-402, July 1974  [doi>10.1145/361011.361067]
	37	Marvin Schaefer , Barry Gold , Richard Linde , John Scheid, Program confinement in KVM/370, Proceedings of the 1977 annual conference, p.404-410, January 1977  [doi>10.1145/800179.1124633]
	38	Gerhard Schellhorn , Wolfgang Reif , Axel Schairer , Paul A. Karger , Vernon Austel , David Toll, Verification of a Formal Security Model for Multiapplicative Smart Cards, Proceedings of the 6th European Symposium on Research in Computer Security, p.17-36, October 04-06, 2000
	39	B. Schneier. The process of security. Information Security Magazine, April, 2000.
	40	Lenin Singaravelu , Calton Pu , Hermann Härtig , Christian Helmuth, Reducing TCB complexity for security-sensitive applications: three case studies, Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006, April 18-21, 2006, Leuven, Belgium
	41	Mahesh V. Tripunitara , Ninghui Li, Comparing the expressive power of access control models, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030093]