Enforcing MAC policies across different machines

Enforcing MAC policies across different machines

Daniele Sgandurra
Hello everyone,
I've read a recent thread
(http://lists.xensource.com/archives/html/xense-devel/2006-04/msg00001.html)
and a very interesting document
(http://domino.research.ibm.com/library/cyberdig.nsf/papers?SearchView&Query=RC23865&SearchMax=10)
and I would like to know if the concept of a distributed reference
monitor for enforcing MAC policies is something on which you are
working, and in what areas of security it is possible (if possible) to
help in the development of Xen.
Thank you very much!

_______________________________________________
Xense-devel mailing list
[hidden email]
http://lists.xensource.com/xense-devel

Re: Enforcing MAC policies across different machines

Reiner Sailer

Daniele,

we are glad you like our write-up and we are looking forward to involving more people in the plentiful, rewarding work that aims at robust and usable security in virtualized environments.

The Xen mandatory access control framework is being completed with resource controls (largely submitted and committed into the Xen-devel tree) and local network controls (to be submitted very soon).  A simple policy creation GUI and the Xen user guide chapter will follow promptly and aim at making it easy to experiment with this framework by August.

You assume correctly that we are pursuing research and development related to a distributed reference monitor. We are pretty far into this topic and have existing collaborations with Universities.

However, there are many interesting open topics. I have quickly put together the following list of topics that seem both critical for Xen security and interesting from a development and  research perspective. I think that those topics are good starting points for interested people to become familiar with Xen and security and to contribute to Xen in the security area:

* secure services, e.g., monitoring of user domains (anti virus, IDS), auditing, etc. --> there are existing monitoring projects, e.g., Xen Introspection Library (http://www.bryanpayne.org/3_software.php), Xen/Snort (http://www.xensource.com) and certainly many that I am not aware of
* creating minimal domains (not necessarily Linux) to (i) safely host hardware devices (e.g., storage) and share it among different workloads or (ii) to host secure services mentioned above
* applications leveraging the sHype/Xen mandatory access controls
* building Trusted Virtual Domains on top of the Xen virtualization (for an overview of TVD concepts, see for example  http://www.research.ibm.com/ssd_tvd)  -- this one might be a little heavy to lift for a single person but appropriate for small collaboration groups

We are pursuing some of these topics ourselves. However,  we depend on the community to help make these things happen. Therefore, we are very open to consulting others who work in these areas and we are open to collaborations. I encourage readers of this list to contribute topics in any Xen security area where they are looking for help.

Finally, we are very interested in knowing about any projects around Xen security (sHype/ACM, vTPM, and secure services) and will help where we can to ensure that Xen security services matter to users and distributions.

Best Regards
Reiner
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, [hidden email]  
http://www.research.ibm.com/people/s/sailer/



"Daniele Sgandurra" <[hidden email]>
Sent by: [hidden email]
Date: 07/11/2006 09:38 AM
To: [hidden email]
Subject: [Xense-devel] Enforcing MAC policies across different machines


Re: Enforcing MAC policies across different machines

Bryan D. Payne
> * secure services, e.g., monitoring of user domains (anti virus,
> IDS), auditing, etc. --> there are existing monitoring projects,
> e.g., Xen Introspection Library
> (http://www.bryanpayne.org/3_software.php)

I can add a little more on the XenAccess introspection project.  
Right now there are two key areas that I see as being most valuable  
and most useful to a large number of people.

* First is expanding the data that XenAccess can collect.  Currently  
it only looks at memory, but other items such as disk and network  
monitoring would be useful.

* Second is creating higher level abstractions for access to the  
data.  Currently it only returns a single memory page with a pointer  
to the requested data structure.  It would be nice to automatically  
return the entire data structure including handling wraps over memory  
page boundaries when needed.  In addition, it would be especially  
nice to integrate a kernel debugger (or something similar) to provide  
for simplified access to kernel memory data without the need to  
maintain offsets and such inside XenAccess.

Beyond expanding the capabilities of XenAccess, there's also interest  
in building applications that use XenAccess.  These could include any  
type of monitoring and/or response application.  A first step would  
be to implement adapters for existing tools (e.g., network IDS and  
host IDS) to work through introspection.  The next step would be to  
think about new applications of the introspection technology.

I'm always happy to discuss any of the above with people that are  
interested :-)

Cheers,
bryan


-
Bryan D. Payne
Graduate Student, Computer Science
Georgia Tech Information Security Center
http://www.bryanpayne.org
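
The page-boundary handling wished for in the message above, as an added example that is not part of the thread and is not XenAccess code: a structure that straddles two guest pages is copied out in page-bounded chunks, and the read fails if any page is unmapped. `map_one_page`, `read_guest`, `struct task_rec` and the simulated guest memory are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NPAGES    4u

/* Constructed stand-in for guest memory: four frames plus a table mapping
 * guest-virtual page number -> frame (-1 = unmapped). Adjacent virtual
 * pages sit in non-adjacent frames, so no single mapping spans both. */
static uint8_t frames[NPAGES][PAGE_SIZE];
static const int vpn_to_frame[NPAGES] = { 2, 0, -1, 1 };

/* Hypothetical record layout, not a real kernel structure. */
struct task_rec { uint64_t pid; char comm[8]; };

/* Hypothetical single-page primitive: pointer into the one page holding
 * va, or NULL when that page is not mapped. */
static uint8_t *map_one_page(uint64_t va)
{
    uint64_t vpn = va / PAGE_SIZE;
    if (vpn >= NPAGES || vpn_to_frame[vpn] < 0)
        return NULL;
    return &frames[vpn_to_frame[vpn]][va % PAGE_SIZE];
}

/* Copy len bytes at guest address va into buf in page-bounded chunks.
 * Returns 0 on success, -1 if any page is unmapped; on failure buf is
 * only partly filled and must be discarded. */
int read_guest(uint64_t va, void *buf, size_t len)
{
    uint8_t *out = buf;
    while (len > 0) {
        size_t room = PAGE_SIZE - (size_t)(va % PAGE_SIZE);
        size_t chunk = len < room ? len : room;
        const uint8_t *src = map_one_page(va);
        if (src == NULL)
            return -1;
        memcpy(out, src, chunk);
        out += chunk; va += chunk; len -= chunk;
    }
    return 0;
}

int main(void)
{
    struct task_rec r;  /* starts 8 bytes before the first page boundary */
    return read_guest(PAGE_SIZE - 8, &r, sizeof r);
}
```

A monitoring tool that acts on a partially filled buffer would be reasoning about stale or zeroed fields, which is why the unmapped-page case is an error and not a short read.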



