一种虚拟机系统下关于多级安全的强制访问控制框架II:实现

This paper is a continuation of our last paper [1] which describes the theory of Virt-BLP model. Based on Virt-BLP model, this paper implements a mandatory access control (MAC) framework applicable to multi-level security (MLS) in Xen. The Virt-BLP model is the theoretical basis of this MAC framework, and this MAC framework is the implementation of Virt-BLP model. Our last paper focuses on Virt-BLP model, while this paper concentrates on the design and implementation of MAC framework. For there is no MAC framework applicable to MLS in virtual machine system at present, our MAC framework fills the blank by applying Virt-BLP model to Xen, which is better than current researches to guarantee the security of communication between virtual machines (VMs). The experimental results show that our MAC framework is effective to manage the communication between VMs.     

一种虚拟机系统中关于多级安全的强制访问控制框架Ⅰ：理论

At present, there are few security models which control the communication between virtual machines (VMs). Moreover, these models are not applicable to multi-level security (MLS). In order to implement mandatory access control (MAC) and MLS in virtual machine system, this paper designs Virt-BLP model, which is based on BLP model. For the distinction between virtual machine system and nonvirtualized system, we build elements and security axioms of Virt-BLP model by modifying those of BLP. Moreover, comparing with BLP, the number of state transition rules of Virt-BLP is reduced accordingly and some rules can only be enforced by trusted subject. As a result, Virt-BLP model supports MAC and partial discretionary access control (DAC), well satisfying the requirement of MLS in virtual machine system.As space is limited, the implementation of our MAC framework will be shown in a continuation.