Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor
- 5 January 2006
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 10 pp.-285
- https://doi.org/10.1109/csac.2005.13
Abstract
We present the sHype hypervisor security architecture and examine in detail its mandatory access control facilities. While existing hypervisor security approaches aiming at high assurance have been proven useful for high-security environments that prioritize security over performance and code reuse, our approach aims at commercial security where near-zero performance overhead, non-intrusive implementation, and usability are of paramount importance. sHype enforces strong isolation at the granularity of a virtual machine, thus providing a robust foundation on which higher software layers can enact finer-grained controls. We provide the rationale behind the sHype design and describe and evaluate our implementation for the Xen open-source hypervisorKeywords
This publication has 13 references indexed in Scilit:
- The Chinese Wall security policyPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2003
- TerraPublished by Association for Computing Machinery (ACM) ,2003
- Xen and the art of virtualizationPublished by Association for Computing Machinery (ACM) ,2003
- Authenticating Mandatory Access Controls and Preserving Privacy for a High-Assurance Smart CardLecture Notes in Computer Science, 2003
- A separation model for virtual machine monitorsPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2002
- EROSPublished by Association for Computing Machinery (ACM) ,1999
- ExokernelPublished by Association for Computing Machinery (ACM) ,1995
- A retrospective on the VAX VMM security kernelIEEE Transactions on Software Engineering, 1991
- Proof of separability A verification technique for a class of security kernelsLecture Notes in Computer Science, 1982
- Application and analysis of the virtual machine approach to information system security and isolationPublished by Association for Computing Machinery (ACM) ,1973