
Research And Implementation Of BLP Based Network Access Control Mechanism On Virtualization Platform

Posted on: 2012-01-20    Degree: Master    Type: Thesis
Country: China    Candidate: S N Liu    Full Text: PDF
GTID: 2218330362959313    Subject: Communication and Information System
Abstract/Summary:
With the growth of the Internet, and of cloud computing and distributed applications in particular, the demands placed on the security of network data keep increasing. At the same time virtualization, a key technology of cloud infrastructure, provides a more open network environment. How to let network resources in a virtual environment be fully shared while still enforcing strict access control against malicious intrusion and damage has become a serious problem.

Systems with higher security requirements, such as the document management systems of government departments and banks, usually classify their resources into security levels and then enforce strict access policies to protect the confidentiality and integrity of the data. The BLP (Bell-La Padula) model is the first security policy model to provide multi-level confidentiality protection. It is based on an information flow policy: information may flow in one direction only, from a lower security level to a higher one, and this is enforced as multilevel mandatory access control. The security axioms of the BLP model are widely regarded as the basis of multilevel security policy in computer systems, and because of its generality and its proven security properties the model has been extensively studied and applied in a variety of secure systems.

In this thesis a new network access control model, N-BLP, is proposed by extending the traditional BLP model. Network elements are defined and new state transition rules are constructed so that the model controls the communication behaviour between subjects; the security of the model is then verified. Compared with other network access control models, N-BLP remains fully consistent with the traditional security axioms while also providing fine-grained control over connection establishment and network data flow, so that transmission between entities of different security classifications stays secure.

Xen is then taken as the research environment and the N-BLP model is applied to a virtualized environment. Considering both access control between virtual machine coalitions spread over several physical machines and access control through shared memory on a single machine, a more complete access control mechanism for the virtual environment is provided. For virtual machine coalitions a D-BLP model is proposed and used to control the information exchange between coalitions. The proposed mechanism covers all the ways in which resources are shared in the virtual environment and provides fine-grained control over each of them; it is suitable for distributed network systems such as e-government and large data centers.

Finally, a system implementing the access control mechanism is proposed and the key technologies of the implementation are described in detail: policy configuration based on UEFI, exchange of the subjects' security labels based on Netfilter, application-layer data checking based on LSM, and access control on shared memory based on XSM in the Xen hypervisor.
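As an added illustration (not code from the thesis, and not its N-BLP state transition rules), the following Python models the two classic BLP rules the abstract relies on, no read up and no write down, over labels made of a level plus a set of categories, and then applies them to the direction of a network flow between labelled endpoints. The host names, labels, sample packets and the connection rule (a flow is allowed only when the receiving label dominates the sending one; a connection may be established if at least one direction is allowed) are constructed assumptions for the example.

```python
"""BLP reference monitor with a network-flow extension (illustrative example,
not the thesis's code).

A label is (level, categories). Label A dominates B iff A's level is at
least B's and A's categories are a superset of B's. The two BLP rules:
  - simple security (no read up):  subject must dominate the object read
  - *-property      (no write down): object written must dominate the subject
The network rule below is an assumption for the example: a flow src -> dst is
treated as src writing into dst and dst reading src's data, so it is allowed
exactly when dst dominates src.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down."""
    return obj.dominates(subject)


def may_flow(src: Label, dst: Label) -> bool:
    """Data may travel src -> dst only if the write by src and the read by dst
    are both permitted; both reduce to 'dst dominates src'."""
    return may_write(src, dst) and may_read(dst, src)


def connection_decision(initiator: Label, responder: Label) -> Dict[str, bool]:
    """Per-direction verdict for a connection between two labelled endpoints.
    Assumption: establishment is allowed if at least one direction may carry
    data; each direction is then policed separately by may_flow."""
    i_to_r = may_flow(initiator, responder)
    r_to_i = may_flow(responder, initiator)
    return {
        "establish": i_to_r or r_to_i,
        "initiator_to_responder": i_to_r,
        "responder_to_initiator": r_to_i,
    }


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def filter_packets(labels: Dict[str, Label],
                   packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (allowed, dropped) by looking up the endpoints'
    labels and applying may_flow; unknown endpoints are dropped."""
    allowed, dropped = [], []
    for p in packets:
        if p.src in labels and p.dst in labels and may_flow(labels[p.src], labels[p.dst]):
            allowed.append(p)
        else:
            dropped.append(p)
    return allowed, dropped


# Constructed sample data for the example (hypothetical VM names and labels).
HOSTS = {
    "vm-low": Label("confidential"),
    "vm-high": Label("secret", frozenset({"crypto"})),
    "vm-other": Label("secret", frozenset({"nuclear"})),  # incomparable with vm-high
}
SAMPLE_PACKETS = [
    Packet("vm-low", "vm-high", b"report-v1"),     # up: allowed
    Packet("vm-high", "vm-low", b"key-material"),  # down: dropped
    Packet("vm-high", "vm-other", b"shared-note"), # incomparable: dropped
    Packet("vm-low", "vm-unknown", b"probe"),      # no label: dropped
]

if __name__ == "__main__":
    ok, bad = filter_packets(HOSTS, SAMPLE_PACKETS)
    print("allowed:", [(p.src, p.dst) for p in ok])
    print("dropped:", [(p.src, p.dst) for p in bad])
    print(connection_decision(HOSTS["vm-low"], HOSTS["vm-high"]))
```

The incomparable case (two secret labels with disjoint categories) is the one that distinguishes a lattice-based check from a plain level comparison: neither endpoint dominates the other, so no direction of flow, and therefore no connection, is permitted.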
Keywords/Search Tags: network access control, virtualization, BLP model, reference monitor, Xen