Skip to main content
SpringerLink
Log in

CFCC: A Covert Flows Confinement Mechanism for Virtual Machine Coalitions

  • Conference paper
Systems and Virtualization Management. Standards and the Cloud (SVM 2009)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 71))

Included in the following conference series:

  • 544 Accesses

Abstract

Normally, virtualization technology is adopted to construct the infrastructure of cloud computing environment. Resources are managed and organized dynamically through virtual machine (VM) coalitions in accordance with the requirements of applications. Enforcing mandatory access control (MAC) on the VM coalitions will greatly improve the security of VM-based cloud computing. However, the existing MAC models lack the mechanism to confine the covert flows and are hard to eliminate the convert channels. In this paper, we propose a covert flows confinement mechanism for virtual machine coalitions (CFCC), which introduces dynamic conflicts of interest based on the activity history of VMs, each of which is attached with a label. The proposed mechanism can be used to confine the covert flows between VMs in different coalitions. We implement a prototype system, evaluate its performance, and show that our mechanism is practical.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Buyya, R., Yeo, C.S., Venugopal, S.: Market-oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities. In: 10th IEEE Conference on High Performance Computing and Communications, pp. 5–13. IEEE Press, Dalian (2008)

    Chapter  Google Scholar 

  2. Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Zaharia, M.: Above the Clouds: A Berkeley View of Cloud Computing. Technical Report, EECS, University of California at Berkeley (2009)

    Google Scholar 

  3. Berger, S., Caceres, R., Pendarakis, D., Sailer, R., Valdez, E., Perez, R., Schildhauer, W., Srinivasan, D.: TVDc: Managing Security in the Trusted Virtual Datacenter. ACM SIGOPS Operating Systems Review 42, 40–47 (2008)

    Article  Google Scholar 

  4. Sailer, R., Jaeger, T., Valdez, E., Caceres, R., Perez, R., Berger, S., Griffin, J.L., Doorn, L.V.: Building a MAC-Based Security Architecture for the Xen Open-source Hypervisor. In: 21st Annual Computer Security Applications Conference, pp. 276–285. IEEE Press, Tucson (2005)

    Chapter  Google Scholar 

  5. Commercial Technology in High Assurance Applications, http://www.vmware.com/pdf/TechTrendNotes.pdf

  6. McCune, J.M., Jaeger, T., Berger, S., Caceres, R., Sailer, R.: Shamon: A System for Distributed Mandatory Access Control. In: 22nd Annual Computer Security Applications Conference, pp. 23–32. IEEE Press, Miami Beach (2006)

    Google Scholar 

  7. Griffin, J.L., Jaeger, T., Perez, R., Sailer, R., Doorn, L.V., Caceres, R.: Trusted Virtual Domains: Toward Secure Distributed Services. In: 1st IEEE Workshop on Hot Topics in System Dependability, Yokohama (2005)

    Google Scholar 

  8. Cabuk, S., Dalton, C.I., Ramasamy, H., Schunter, M.: Towards Automated Provisioning of Secure Virtualized Networks. In: 14th ACM conference on Computer and communications security, pp. 235–245. ACM, Alexandria (2007)

    Chapter  Google Scholar 

  9. Proctor, N.E., Neumann, P.G.: Architectural Implications of Covert Channels. In: 15th National Computer Security Conference, Baltimore, pp. 28–43 (1992)

    Google Scholar 

  10. Jaeger, T., Edwards, A., Zhang, X.: Consistency Analysis of Authorization Hook Placement in the Linux Security Modules Framework. ACM Transactions on Information and System Security 7, 175–205 (2004)

    Article  Google Scholar 

  11. Zhang, X., Edwards, A., Jaeger, T.: Using CQUAL for Static Analysis of Authorization Hook Placement. In: 11th USENIX Security Symposium, pp. 33–48. USENIX, San Francisco (2002)

    Google Scholar 

  12. Cheng, G., Jin, H., Zhou, D., Ohoussou, A.K., Zhao, F.: A Prioritized Chinese Wall Model for Managing the Covert Information Flows in Virtual Machine Systems. In: 9th International Conference for Young Computer Scientists, pp. 1481–1487. IEEE Press, Hunan (2008)

    Chapter  Google Scholar 

  13. Jaeger, T., Sailer, R., Sreenivasan, Y.: Managing the Risk of Covert Information Flows in Virtual Machine Systems. In: 12th ACM symposium on Access control Models and Technologies, pp. 81–90. ACM, Sophia Antipolis (2007)

    Chapter  Google Scholar 

  14. Boeboert, W.E., Kain, R.Y.: A Practical Alternative to Hierarchical Integrity Policies. In: 8th National Computer Security Conference, Gaithersburg (1985)

    Google Scholar 

  15. Sadeghi, A.R., Stuble, C.: Towards Multilateral-Secure DRM Platforms. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds.) ISPEC 2005. LNCS, vol. 3439, pp. 326–337. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  16. Trusted Computing Group, https://www.trustedcomputinggroup.org

  17. Berger, S., Cáceres, R., Goldman, K., Perez, R., Sailer, R., Doorn, L.V.: vTPM: Virtualizing the Trusted Platform Module. In: 15th USENIX Security Symposium, Vancouver (2006)

    Google Scholar 

  18. Jaeger, T., Sailer, R., Shankar, U.: PRIMA: Policy-Reduced Integrity Measurement Architecture. In: 11th ACM Symposium on Access Control Models and Technologies, pp. 19–28. ACM, Lake Tahoe (2006)

    Google Scholar 

  19. Sailer, R., Zhang, X., Jaeger, T., Doorn, L.V.: Design and Implementation of a TCG-based Integrity Measurement Architecture. In: 13th conference on USENIX Security Symposium, pp. 16–31. USENIX, San Diego (2004)

    Google Scholar 

  20. Valdez, E., Sailer, R., Perez, R.: Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control. In: 23rd Annual Computer Security Applications Conference, pp. 221–231. IEEE Press, Miami Beach (2007)

    Google Scholar 

  21. Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the Art of Virtualization. In: 19th ACM symposium on Operating systems principles, pp. 164–177. ACM, Bolton Landing (2003)

    Chapter  Google Scholar 

  22. Schellhorn, G., Reif, W., Schairer, A., Karger, P., Austel, V., Toll, D.: Verification of a Formal Security Model for Multiapplicative Smart Cards. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 17–36. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  23. Brewer, D.F.C., Nash, M.J.: The Chinese Wall Security Policy. In: 1989 IEEE Symposium on Security and Privacy, pp. 206–214. IEEE Press, Oakland (1989)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, 430074, China

    Ge Cheng, Hai Jin, Deqing Zou, Lei Shi & Alex K. Ohoussou

Authors
  1. Ge Cheng
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hai Jin
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Deqing Zou
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Lei Shi
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Alex K. Ohoussou
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Leibniz-Rechenzentrum LRZ, Boltzmannstraße 1, 85748, Garching, Germany

    Latifa Boursas

  2. Oracle, 80021, Broomfield, CO, USA

    Mark Carlson

  3. Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, 430074, Wuhan, China

    Hai Jin

  4. IRIT, Université Paul Sabatier, 118 Route de Narbonne, 31062, TOULOUSE CEDEX 9, France

    Michelle Sibilla

  5. Distributed Management Task Force, Inc., 1001 SW 5th Avenue #1100, , Portland, 97204, Oregon, USA

    Kes Wold

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Cheng, G., Jin, H., Zou, D., Shi, L., Ohoussou, A.K. (2010). CFCC: A Covert Flows Confinement Mechanism for Virtual Machine Coalitions. In: Boursas, L., Carlson, M., Jin, H., Sibilla, M., Wold, K. (eds) Systems and Virtualization Management. Standards and the Cloud. SVM 2009. Communications in Computer and Information Science, vol 71. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14944-3_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-14944-3_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14943-6

  • Online ISBN: 978-3-642-14944-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation