DVM-MAC: A Mandatory Access Control System in Distributed Virtual Computing Environment

We design and implement a Mandatory Access Control (MAC) system in distributed virtual computing environment, named DVM-MAC, aiming to provide distributed trust through enforcing MAC policies. In DVM-MAC, Prioritized Chinese Wall (PCW) model is implemented to control potential covert channels between VMs in both single node and distributed environment. A policy enforcement module locates inside Xen VMM for better enforcing MAC locally rather than outside the VMM. DVM-MAC adopts centralized architecture for multi-level management and secure transmission of inter-node policy information. For performance consideration, a specific policy decision and enforcement module for controlling inter-node behaviors is moved out of Xen VMM and up to user space. DVM-MAC authorizes a specific center node named Central Security Server (CSS) to be responsible for the decision making between the nodes as well as leaves the inter-node policy enforcement module in each node. Through our experiments and data analysis, we verify the correctness, effectiveness, and efficiency in our prototype when implementing PCW model.