Chinese Academy of Sciences Institutional Repositories Grid
Improving Flask Implementation Using Hardware Assisted In-VM Isolation

Document type: Conference paper

Authors: Ding Baozeng; Yao Fufeng; Wu Yanjun; He Yeping
Publication date: 2012
Conference: 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012
Conference dates: June 4, 2012 - June 6, 2012
Conference location: Heraklion, Crete, Greece
Keywords: Computer hardware; Hardware; Managers; Security of data; Separation
Pages: 115-125
Abstract: The Flask architecture, which mainly consists of an object manager (OM) and a security server (SS), is widely used to support flexible security policies in operating systems. By design, OM and SS should be isolated from each other so that policy decision is separated from enforcement. However, current implementations of Flask, such as SELinux and SEBSD, place both OM and SS in the same address space: if one component is subverted, the whole system is exposed to the attacker. In this paper, we present hardware assisted in-VM isolation to improve the security of the Flask implementation. The key of our approach is the separation of SS from the other parts of the guest OS by constructing hardware assisted page tables at the hypervisor level. In this way SS executes in a strongly isolated address space with respect to its associated guest OS, and can therefore provide a trustworthy and centralized repository for policy and decision-making. Our experiment shows that our method introduces moderate performance overhead. © 2012 IFIP International Federation for Information Processing.
Indexed in: EI
Proceedings: IFIP Advances in Information and Communication Technology
Language: English
ISSN: 1868-4238
ISBN: 9783642304354
Source URL: http://ir.iscas.ac.cn/handle/311060/15786
Collection: Institute of Software_Institute of Software Library_Conference papers
Recommended citation
GB/T 7714
Ding Baozeng, Yao Fufeng, Wu Yanjun, et al. Improving Flask Implementation Using Hardware Assisted In-VM Isolation[C]. In: 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012. Heraklion, Crete, Greece. June 4, 2012 - June 6, 2012.

Ingest method: OAI harvesting

Source: Institute of Software


Unless otherwise stated, all content in this system is protected by copyright and all rights are reserved.