ISCAS OpenIR
Improving Flask Implementation Using Hardware Assisted In-VM Isolation
Ding Baozeng; Yao Fufeng; Wu Yanjun; He Yeping
2012
Conference name: 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012
Proceedings name: IFIP Advances in Information and Communication Technology
Pages: 115-125
Conference dates: June 4, 2012 - June 6, 2012
Conference venue: Heraklion, Crete, Greece
Indexing category: EI
ISSN: 1868-4238
ISBN: 9783642304354
Affiliations: (1) Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; (2) Graduate University, Chinese Academy of Sciences, Beijing 100049, China
Abstract: The Flask architecture, which mainly consists of an object manager (OM) and a security server (SS), is widely used to support flexible security policies in operating systems. By design, OM and SS should be isolated from each other to separate decision from enforcement. However, current implementations of Flask, such as SELinux and SEBSD, place both OM and SS in the same address space. If one component is subverted, the whole system is exposed to the attacker. In this paper, we present hardware assisted in-VM isolation to improve the security of the Flask implementation. The key to our approach is the separation of SS from the other parts of the guest OS by constructing hardware assisted page tables at the hypervisor level. In this way SS executes in a strongly isolated address space with respect to its associated guest OS, and can therefore provide a trustworthy and centralized repository for policy and decision-making. Our experiment shows that our method introduces moderate performance overhead. © 2012 IFIP International Federation for Information Processing.
Keywords: Computer Hardware; Hardware Managers; Security Of Data; Separation
Language: English
Content type: Conference paper
URI: http://ir.iscas.ac.cn/handle/311060/15786
Collection: Institute of Software, Chinese Academy of Sciences
Recommended citation
GB/T 7714
Ding Baozeng, Yao Fufeng, Wu Yanjun, et al. Improving Flask Implementation Using Hardware Assisted In-VM Isolation[C], 2012: 115-125.
Files in this item
No files are associated with this item.