Protection Mechanism Research Of Access Control System In Virtual Domain

Posted on: 2012-09-24 | Degree: Master | Type: Thesis
Country: China | Candidate: K Yang
GTID: 2218330362456561 | Subject: Information security
Abstract/Summary:
In the traditional framework, mandatory access control (MAC) systems run in kernel mode. Rootkits and other kernel-level attacks, which also run in kernel mode, can prevent MAC systems from starting or render them ineffective. This problem cannot be solved within the traditional framework once the operating system is compromised, since the malware is running at the ring 0 level.

Recently, cloud computing has become the hottest spot of research in academia and industry. Virtualization, as one of the essential techniques in cloud computing, is increasingly utilized in modern computer systems, ranging from PCs to web servers and data centers, from client to server. Apart from applications for testing and energy conservation, hypervisors are also becoming a popular target for implementing many security systems, since they provide a small and easy-to-secure trusted computing base.

In our solution, the access control system is separated into three parts: Policy Management (PM), Security Server (SS) and Policy Enforcement (PE). PM and SS reside in the security domain to protect them against malware, and the isolation feature of the hypervisor keeps them away from attacks. An Access Vector Cache (AVC) is added between SS and PE in the Guest OS in order to speed up communication between the Guest OS and the security domain. The policy enforcement module remains in the Guest OS for performance. The security of AVC and PE can be assured by a memory protection mechanism.

A prototype system, SEVD (Security-Enhanced Virtual Domain), is implemented and evaluated on a modified Xen hypervisor. Results show that SEVD can secure the access control system in the Guest OS and avoid popular rootkit attacks, while it has no overhead compared with SELinux. Our system can also centralize security policy for virtual domains in a virtual machine environment.
Keywords/Search Tags: Hypervisor, Virtualization, Memory Protection, Access Control System, Policy