JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE) ›› 2014, Vol. 49 ›› Issue (09): 135-141.doi: 10.6040/j.issn.1671-9352.2.2014.438


Protection mechanism research of access control system in virtual domain

ZOU De-qing1, YANG Kai1, ZHANG Xiao-xu2, YUAN Bo-yang2, FENG Ming-lu2

  1. School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, Hubei, China;
  2. CECT-ChinaCOMM Communications Co., Ltd, Beijing 100022, China

  • Received: 2014-06-24  Revised: 2014-08-28  Online: 2014-09-20  Published: 2014-09-30

Abstract: To improve the security level of the system effectively, a mechanism for an access control system in a virtual domain is proposed, in which the hypervisor protects both kernel integrity and the access control system of a commodity operating system. The access control system is separated into three parts: Policy Management (PM), Security Server (SS) and Policy Enforcement (PE). A prototype system, SEVD (security-enhanced virtual domain), was implemented on a modified Xen hypervisor and evaluated. Test results show that SEVD can protect the access control system in the guest OS and defeat common rootkit attacks, with no overhead compared with SELinux. The system can also centralize security policy for the virtual domains in a virtual machine environment.

Key words: memory protection, access control system, hypervisor, virtualization

CLC Number: TP316