Abstract
Normally, virtualization technology is adopted to construct the infrastructure of cloud computing environment. Resources are managed and organized dynamically through virtual machine (VM) coalitions in accordance with the requirements of applications. Enforcing mandatory access control (MAC) on the VM coalitions will greatly improve the security of VM-based cloud computing. However, the existing MAC models lack the mechanism to confine the covert flows and are hard to eliminate the convert channels. In this paper, we propose a covert flows confinement mechanism for virtual machine coalitions (CFCC), which introduces dynamic conflicts of interest based on the activity history of VMs, each of which is attached with a label. The proposed mechanism can be used to confine the covert flows between VMs in different coalitions. We implement a prototype system, evaluate its performance, and show that our mechanism is practical.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Buyya, R., Yeo, C.S., Venugopal, S.: Market-oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities. In: 10th IEEE Conference on High Performance Computing and Communications, pp. 5–13. IEEE Press, Dalian (2008)
Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Zaharia, M.: Above the Clouds: A Berkeley View of Cloud Computing. Technical Report, EECS, University of California at Berkeley (2009)
Berger, S., Caceres, R., Pendarakis, D., Sailer, R., Valdez, E., Perez, R., Schildhauer, W., Srinivasan, D.: TVDc: Managing Security in the Trusted Virtual Datacenter. ACM SIGOPS Operating Systems Review 42, 40–47 (2008)
Sailer, R., Jaeger, T., Valdez, E., Caceres, R., Perez, R., Berger, S., Griffin, J.L., Doorn, L.V.: Building a MAC-Based Security Architecture for the Xen Open-source Hypervisor. In: 21st Annual Computer Security Applications Conference, pp. 276–285. IEEE Press, Tucson (2005)
Commercial Technology in High Assurance Applications, http://www.vmware.com/pdf/TechTrendNotes.pdf
McCune, J.M., Jaeger, T., Berger, S., Caceres, R., Sailer, R.: Shamon: A System for Distributed Mandatory Access Control. In: 22nd Annual Computer Security Applications Conference, pp. 23–32. IEEE Press, Miami Beach (2006)
Griffin, J.L., Jaeger, T., Perez, R., Sailer, R., Doorn, L.V., Caceres, R.: Trusted Virtual Domains: Toward Secure Distributed Services. In: 1st IEEE Workshop on Hot Topics in System Dependability, Yokohama (2005)
Cabuk, S., Dalton, C.I., Ramasamy, H., Schunter, M.: Towards Automated Provisioning of Secure Virtualized Networks. In: 14th ACM conference on Computer and communications security, pp. 235–245. ACM, Alexandria (2007)
Proctor, N.E., Neumann, P.G.: Architectural Implications of Covert Channels. In: 15th National Computer Security Conference, Baltimore, pp. 28–43 (1992)
Jaeger, T., Edwards, A., Zhang, X.: Consistency Analysis of Authorization Hook Placement in the Linux Security Modules Framework. ACM Transactions on Information and System Security 7, 175–205 (2004)
Zhang, X., Edwards, A., Jaeger, T.: Using CQUAL for Static Analysis of Authorization Hook Placement. In: 11th USENIX Security Symposium, pp. 33–48. USENIX, San Francisco (2002)
Cheng, G., Jin, H., Zhou, D., Ohoussou, A.K., Zhao, F.: A Prioritized Chinese Wall Model for Managing the Covert Information Flows in Virtual Machine Systems. In: 9th International Conference for Young Computer Scientists, pp. 1481–1487. IEEE Press, Hunan (2008)
Jaeger, T., Sailer, R., Sreenivasan, Y.: Managing the Risk of Covert Information Flows in Virtual Machine Systems. In: 12th ACM symposium on Access control Models and Technologies, pp. 81–90. ACM, Sophia Antipolis (2007)
Boeboert, W.E., Kain, R.Y.: A Practical Alternative to Hierarchical Integrity Policies. In: 8th National Computer Security Conference, Gaithersburg (1985)
Sadeghi, A.R., Stuble, C.: Towards Multilateral-Secure DRM Platforms. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds.) ISPEC 2005. LNCS, vol. 3439, pp. 326–337. Springer, Heidelberg (2005)
Trusted Computing Group, https://www.trustedcomputinggroup.org
Berger, S., Cáceres, R., Goldman, K., Perez, R., Sailer, R., Doorn, L.V.: vTPM: Virtualizing the Trusted Platform Module. In: 15th USENIX Security Symposium, Vancouver (2006)
Jaeger, T., Sailer, R., Shankar, U.: PRIMA: Policy-Reduced Integrity Measurement Architecture. In: 11th ACM Symposium on Access Control Models and Technologies, pp. 19–28. ACM, Lake Tahoe (2006)
Sailer, R., Zhang, X., Jaeger, T., Doorn, L.V.: Design and Implementation of a TCG-based Integrity Measurement Architecture. In: 13th conference on USENIX Security Symposium, pp. 16–31. USENIX, San Diego (2004)
Valdez, E., Sailer, R., Perez, R.: Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control. In: 23rd Annual Computer Security Applications Conference, pp. 221–231. IEEE Press, Miami Beach (2007)
Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the Art of Virtualization. In: 19th ACM symposium on Operating systems principles, pp. 164–177. ACM, Bolton Landing (2003)
Schellhorn, G., Reif, W., Schairer, A., Karger, P., Austel, V., Toll, D.: Verification of a Formal Security Model for Multiapplicative Smart Cards. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 17–36. Springer, Heidelberg (2000)
Brewer, D.F.C., Nash, M.J.: The Chinese Wall Security Policy. In: 1989 IEEE Symposium on Security and Privacy, pp. 206–214. IEEE Press, Oakland (1989)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cheng, G., Jin, H., Zou, D., Shi, L., Ohoussou, A.K. (2010). CFCC: A Covert Flows Confinement Mechanism for Virtual Machine Coalitions. In: Boursas, L., Carlson, M., Jin, H., Sibilla, M., Wold, K. (eds) Systems and Virtualization Management. Standards and the Cloud. SVM 2009. Communications in Computer and Information Science, vol 71. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14944-3_6
Download citation
DOI: https://doi.org/10.1007/978-3-642-14944-3_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14943-6
Online ISBN: 978-3-642-14944-3
eBook Packages: Computer ScienceComputer Science (R0)