Research And Implementation Of Firmware Based Integrated Access Control Mechanism On Virtualization System

With the development of system virtualization technology, especially itswidespread use in cloud computing and server consolidation, the securitydemand of virtualization system have become increasing. In virtualizationsystem, each virtual machine can access the system and use shared resourcesindependently, also vitual machines in different physical platforms may haveresource sharing requirements, which all present challenges to the security ofvirtualization system. Currently researchers deploy access control mechanismin hypervisor and apply various security models to enhance the security ofvirtualization system. However, there are at least two shortcomings of thecurrent solutions. First, the lack of unified access control policy managementwill lead to the difficulty of ensuring the safety of vitualization system as awhole. Second, the safety of access control mechanism itself is unsure, whichleads to the security of virtualization sytem in an uncertain state. Therefore,how to provide a policy flexible and trusted access control mechanism hasbecome an emergent issue for development of virtualization technology.In this paper, a firmware based policy management mechanism forvirtualization system is proposed, which takes advantage of the independenceto virtualization solution applied and hardware-based security of newgeneration firmware, and refers to the policy-based management solution indistributed environments. We choose XACML policy description language todescripe system access control policies in this mechanism, which is generaland transportable. The policy management mechanism is composed of a GUI policy configure tool and an integrated access control manager (IAM). Theformer enables policy configuration in firmware environment, while the latterprovides unified and trusted policy management service for virtualizationsystems with the help of runtime services.Then, we refer to KVM as the researching environment, and propose afirmware based integrated access control mechanism for virtualization system.Using IAM as the policy provider and virtual machine reference monitor asthe policy enforcement point, we build a policy flexible and trusted integratedaccess control mechanism for virtualization system with the technology ofaccess control proxy. In order to meet the requirement of multi-level resourcesharing environment, we apply BLP security model and show how it is usedin real environment, taking information sharing in military for example.Finally, a prototype of this novel firmware based integrated access controlmechanism is build on the KVM virtualization platform. Using systemperformance, system boot and resource access time delay as criteria, wecompare with the traditional access control mechanism in KVM and analyzethe results, which show the availability and efficiency of this firmware basedintegrated access control mechanism.