Title : 
Building a MAC-based security architecture for the Xen open-source hypervisor

Author : 
Sailer, Reiner ; Jaeger, Trent ; Valdez, Enriquillo ; Cáceres, Ramón ; Perez, Ronald ; Berger, Stefan ; Griffin, John Linwood ; Van Doorn, Leendert

Author_Institution : 
IBM T. J. Watson Res. Center, Hawthorne, NY

Abstract : 
We present the sHype hypervisor security architecture and examine in detail its mandatory access control facilities. While existing hypervisor security approaches aiming at high assurance have been proven useful for high-security environments that prioritize security over performance and code reuse, our approach aims at commercial security where near-zero performance overhead, non-intrusive implementation, and usability are of paramount importance. sHype enforces strong isolation at the granularity of a virtual machine, thus providing a robust foundation on which higher software layers can enact finer-grained controls. We provide the rationale behind the sHype design and describe and evaluate our implementation for the Xen open-source hypervisor.

Keywords : 
authorisation; public domain software; virtual machines; MAC-based security architecture; Medium Access Control; Xen open source hypervisor; mandatory access control facility; sHype hypervisor security architecture; virtual machine granularity; Buildings; Communication system control; Hardware; Open source software; Resource virtualization; Security; Virtual machine monitors; Virtual machining; Virtual manufacturing; Voice mail;

Conference_Title : 
Computer Security Applications Conference, 21st Annual

Conference_Location : 
Tucson, AZ

Print_ISBN : 
0-7695-2461-3

DOI : 
10.1109/CSAC.2005.13