TY - GEN
T1 - Managing the risk of covert information flows in virtual machine systems
AU - Jaeger, Trent
AU - Sailer, Reiner
AU - Sreenivasan, Yogesh
PY - 2007
Y1 - 2007
N2 - Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems offer the isolation of VM systems with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g., Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage to enable verification of security guarantees. Typically, covert channels are outside of access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies will be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have features necessary to express risk flow policies. Further, we find that such policies can be enforced in the context of sHype's Type Enforcement model.
AB - Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems offer the isolation of VM systems with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g., Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage to enable verification of security guarantees. Typically, covert channels are outside of access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies will be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have features necessary to express risk flow policies. Further, we find that such policies can be enforced in the context of sHype's Type Enforcement model.
UR - http://www.scopus.com/inward/record.url?scp=34548023942&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34548023942&partnerID=8YFLogxK
U2 - 10.1145/1266840.1266853
DO - 10.1145/1266840.1266853
M3 - Conference contribution
AN - SCOPUS:34548023942
SN - 1595937455
SN - 9781595937452
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 81
EP - 90
BT - SACMAT'07
T2 - SACMAT'07: 12th ACM Symposium on Access Control Models and Technologies
Y2 - 20 June 2007 through 22 June 2007
ER -