
Research On The Non-interference Security Policy Model And Security Mechanisms For Xen

Posted on: 2013-06-11
Degree: Master
Type: Thesis
Country: China
Candidate: J Wang
Full Text: PDF
GTID: 2248330395480507
Subject: Military Equipment
Abstract/Summary:
Along with the development of computer technology, virtualization, the key technology underpinning cloud computing, has become a hot research topic. In particular, Xen receives more attention than other virtual machine monitors because of its open-source character and outstanding performance. Xen is a system virtual machine (SVM) monitor: it manages all the software and hardware in a real computer system and partitions a single physical machine into several isolated execution environments to support the concurrent execution of multiple virtual machines (VMs). But once Xen is compromised, all the VMs under the control of the virtual machine monitor will be broken into and further losses will follow. Therefore, the most important aim is to assure the security of Xen.

This dissertation studies the security policy model and security mechanisms for the Xen hypervisor in depth. Its main contributions are summarized as follows:

1. The Non-interference Security Policy Model with Least Privilege (LPNIM) for the Xen hypervisor is proposed. LPNIM is described formally using Roscoe's non-interference theory and the formal language Communicating Sequential Processes (CSP). Based on Roscoe's concepts of lazy abstraction and determinism in non-interference security policy models and on Schneider's rank functions, the separation policy and the sharing policy of LPNIM are formally proved. By introducing the least privilege principle, LPNIM can enforce policies at the partition level and at the subject-resource level; the confidentiality non-interference security policy model and the integrity non-interference security policy model are thereby integrated in LPNIM, which meets the system's requirements for confidentiality, integrity and least privilege.

2. The architecture of security-enhanced Xen (SEXen) for the Xen hypervisor is established. Based on LPNIM, SEXen adds three components to the Xen architecture: a network domain, a Trusted Launch Module (TLM) and a Finer-grained Mandatory Access Control Module (FMACM). SEXen, which simplifies the operations inside Dom0, meets the system's requirements for trusted measurement and finer-grained information flow control.

3. The trusted launch mechanism is designed. Based on dynamic root of trust for measurement technology, a launch control policy is designed to ensure that a virtual machine cannot be launched unless the measurements indicate permission and the correct key is provided. The mechanism protects the integrity of initialization and prevents system management mode (SMM) bypass attacks.

4. The finer-grained mandatory access control mechanism is designed. By modifying the kernels of the Xen hypervisor and the guest OS, operations within a VM and between VMs are brought under control, and an operation cannot be executed unless the security policies at both the virtual-machine level and the subject-resource level are satisfied. The mechanism realizes finer-grained information flow control and centralizes the security policies into consistent management.
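As an added illustration, not code from the thesis, the following Python model shows the two-level decision described in contributions 1 and 4 (a partition-level interference relation plus subject-resource-level least-privilege grants, both of which must permit an operation) and checks the partition policy with a Goguen-Meseguer purge test rather than the CSP determinism formulation the thesis uses. All VM names, subjects, resources, grants and the trace are constructed sample data.

```python
# Partition-level policy: (u, v) means "VM u may interfere with (pass information to) VM v".
# Constructed sample, transitively closed; "hr" must never influence the public VM "pub".
INTERFERE = {("dom0", "dom0"), ("dom0", "hr"), ("dom0", "pub"),
             ("pub", "pub"), ("pub", "hr"), ("hr", "hr")}

# Subject-resource-level policy (least privilege):
# (subject_vm, subject, resource_vm, resource) -> permitted operations. Constructed sample;
# the last grant deliberately contradicts the partition policy (hr -> pub is not allowed).
GRANTS = {
    ("dom0", "xenstored", "hr", "cfg"): {"write"},
    ("pub", "web", "hr", "inbox"): {"write"},
    ("hr", "payroll", "hr", "inbox"): {"read", "write"},
    ("hr", "payroll", "pub", "banner"): {"write"},   # violates INTERFERE at partition level
}

def permit(subject_vm, subject, resource_vm, resource, op, enforce_partition=True):
    """FMACM-style decision: both the partition level and the subject-resource level must allow it."""
    # A read moves information from the resource's VM to the subject's VM; a write the reverse.
    src, dst = (resource_vm, subject_vm) if op == "read" else (subject_vm, resource_vm)
    if enforce_partition and (src, dst) not in INTERFERE:
        return False
    return op in GRANTS.get((subject_vm, subject, resource_vm, resource), set())

def run(trace, enforce_partition=True):
    """Apply a trace of (subject_vm, subject, resource_vm, resource, value) writes; return VM states."""
    state = {vm: {} for vm in {u for u, _ in INTERFERE}}
    for svm, subj, rvm, res, val in trace:
        if permit(svm, subj, rvm, res, "write", enforce_partition):
            state[rvm][res] = val
    return state

def noninterferent(trace, enforce_partition=True):
    """Purge check: deleting the writes of VMs that may not interfere with observer v
    must leave v's observable state unchanged, for every observer v."""
    for v in {u for u, _ in INTERFERE}:
        purged = [a for a in trace if (a[0], v) in INTERFERE]
        if run(trace, enforce_partition)[v] != run(purged, enforce_partition)[v]:
            return False
    return True

# Constructed trace: the third write is a payroll-to-public flow the partition level forbids.
TRACE = [
    ("dom0", "xenstored", "hr", "cfg", "v1"),
    ("hr", "payroll", "hr", "inbox", "salary"),
    ("hr", "payroll", "pub", "banner", "leak"),
    ("pub", "web", "hr", "inbox", "ticket"),
]
```

With both levels enforced the trace is non-interferent; enforcing only the subject-resource grants lets the mis-granted hr-to-pub write through and the purge check fails, which is why the thesis requires both levels to be satisfied.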
Keywords/Search Tags: Xen, Non-interference, Least Privilege, Security Policy Model, Trusted Launch, Access Control