Institutional Repository of the Institute of Software, Chinese Academy of Sciences
Title: Improving Flask Implementation Using Hardware Assisted In-VM Isolation
Author: Ding Baozeng ; Yao Fufeng ; Wu Yanjun ; He Yeping
Source: IFIP Advances in Information and Communication Technology
Conference Name: 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012
Conference Date: June 4, 2012 - June 6, 2012
Issued Date: 2012
Conference Place: Heraklion, Crete, Greece
Keyword: Computer hardware ; Hardware ; Managers ; Security of data ; Separation
Indexed Type: EI
ISSN: 1868-4238
ISBN: 9783642304354
Department: (1) Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; (2) Graduate University, Chinese Academy of Sciences, Beijing 100049, China
Abstract: The Flask architecture, which mainly contains an object manager (OM) and a security server (SS), is widely used to support flexible security policies in operating systems. By nature, OM and SS should be isolated from each other to separate decision from enforcement. However, current implementations of Flask, such as SELinux and SEBSD, put both OM and SS in the same address space. If one component is subverted, the whole system will be exposed to the attacker. In this paper, we present hardware assisted in-VM isolation to improve the security of the Flask implementation. The key of our approach is the separation of SS from other parts of the guest OS by constructing hardware assisted page tables at the hypervisor level. In this way SS can execute in a strongly isolated address space with respect to its associated guest OS, and therefore can provide a trustworthy and centralized repository for policy and decision-making. Our experiment shows that our method introduces moderate performance overhead. © 2012 IFIP International Federation for Information Processing.
Language: English
Content Type: Conference paper
URI: http://ir.iscas.ac.cn/handle/311060/15786
Appears in Collections: Institute of Software Library_Conference Papers

Files in This Item:

There are no files associated with this item.


Recommended Citation:
Ding Baozeng, Yao Fufeng, Wu Yanjun, et al. Improving Flask Implementation Using Hardware Assisted In-VM Isolation[C]. In: 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012. Heraklion, Crete, Greece. June 4, 2012 - June 6, 2012.