LISA '06 Abstract
Pp. 79–87 of the Proceedings
Centralized Security Policy Support for Virtual Machine
Nguyen Anh Quynh, Ruo Ando, and Yoshiyasu Takefuji, Keio University
For decades, researchers have pointed out that Mandatory Access
Control (MAC) is an effective method to protect computer systems from
being misused. Unfortunately, MAC is still not widely deployed because
of its complexity. The problem is even worse in a virtual machine
environment, because the current architecture is not designed to
support MAC in a site-wide manner: machines with multiple virtual
hosts needs to have multiple MAC security policies, and each of these
policies must be updated and managed separately inside each virtual
In order to ease the burden on administrators when deploying
security policies in a virtual environment, this paper proposes an
architecture named Virtual Mandatory Access Control
(VMAC) to centralize security policies, so that all policy
management can easily be done from a central machine. VMAC securely
centralizes the security logging information from all virtual hosts
into a central machine so intrusion detection analysis on the logging
data is straightforward.
To arrive at the architecture presented here, we have investigated
various popular MAC schemes, and implemented several schemes with VMAC
on the Xen Virtual Machine. This paper presents our experiences in the
- View the full text of this paper in HTML and PDF. Listen to the presentation in MP3 format.
Until December 2007, you will need your USENIX membership identification in order to access the full papers.
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.