DocumentCode
2529882
Title
Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control
Author
Valdez, Enriquillo ; Sailer, Reiner ; Perez, Ronald
Author_Institution
IBM T. J. Watson Res. Center, Hawthorne
fYear
2007
fDate
10-14 Dec. 2007
Firstpage
221
Lastpage
231
Abstract
Server virtualization more readily enables the collocation of disparate workloads on a shared physical platform. When employed on systems across a data center, the result can be a dramatic increase in server utilization and a decrease in overall power, cooling and floor space requirements. However, in an environment where workloads share the underlying platforms, achieving other desirable workload goals, such as availability and security, becomes a challenge. In particular, enforcing isolation between workloads in a large, dynamic, and virtualized data center requires strong yet easily configurable controls on the sharing of resources at the virtualization layer. Commercial hypervisors usually offer reasonable isolation of individual virtual machines (VMs). However, on hypervisor-based platforms, one cannot currently define a single policy that automatically enforces restrictions on the sharing of resources between multiple VMs or request an air gap between workloads. In this paper, we describe the design and implementation of a Hypervisor-based Mandatory Access Control (MAC) that achieves policy-driven distributed workload isolation for the IBM Power Hypervisor (PHYP). We discuss our experiences and lessons learned and examine the implications and trade-offs involved in providing MAC on a production-level, commercially-available hypervisor. Our goal is to simplify the security management of data centers through centralized security management and policy-driven distributed access control and data protection.
Keywords
authorisation; virtual machines; IBM power hypervisor; commercial hypervisors; configurable controls; distributed workload isolation; mandatory access control; server virtualization; virtual machines; virtualization layer; Access control; Availability; Data security; File servers; Platform virtualization; Power system security; Resource virtualization; Space cooling; Virtual machine monitors; Voice mail;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual
Conference_Location
Miami Beach, FL
ISSN
1063-9527
Print_ISBN
978-0-7695-3060-4
Type
conf
DOI
10.1109/ACSAC.2007.43
Filename
4412991