DocumentCode
2858309
Title
Building a MAC-based security architecture for the Xen open-source hypervisor
Author
Sailer, Reiner ; Jaeger, Trent ; Valdez, Enriquillo ; Cáceres, Ramón ; Perez, Ronald ; Berger, Stefan ; Griffin, John Linwood ; Van Doorn, Leendert
Author_Institution
IBM T. J. Watson Res. Center, Hawthorne, NY
fYear
2005
fDate
5-9 Dec. 2005
Lastpage
285
Abstract
We present the sHype hypervisor security architecture and examine in detail its mandatory access control facilities. While existing hypervisor security approaches aiming at high assurance have been proven useful for high-security environments that prioritize security over performance and code reuse, our approach aims at commercial security where near-zero performance overhead, non-intrusive implementation, and usability are of paramount importance. sHype enforces strong isolation at the granularity of a virtual machine, thus providing a robust foundation on which higher software layers can enact finer-grained controls. We provide the rationale behind the sHype design and describe and evaluate our implementation for the Xen open-source hypervisor.
Keywords
authorisation; public domain software; virtual machines; MAC-based security architecture; Medium Access Control; Xen open source hypervisor; mandatory access control facility; sHype hypervisor security architecture; virtual machine granularity; Buildings; Communication system control; Hardware; Open source software; Resource virtualization; Security; Virtual machine monitors; Virtual machining; Virtual manufacturing; Voice mail;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Security Applications Conference, 21st Annual
Conference_Location
Tucson, AZ
ISSN
1063-9527
Print_ISBN
0-7695-2461-3
Type
conf
DOI
10.1109/CSAC.2005.13
Filename
1565255