Weitere ähnliche Inhalte
Ähnlich wie sVirt: Hardening Linux Virtualization with Mandatory Access Control (20)
Mehr von James Morris (17)
Kürzlich hochgeladen (20)
sVirt: Hardening Linux Virtualization with Mandatory Access Control
- 5. Host Userspace
Guest Guest Guest
Userspace Userspace Userspace
Guest Guest Guest
Kernel Kernel Kernel
Host Kernel
Host Hardware
- 7. DAC is not enough:
Subjects can modify own security
policy
- 13. Host Userspace Host Userspace
Web Server DNS Server
Host Kernel Host Kernel
Host Hardware Host Hardware
Attack
Local Network
- 15. Host Userspace
Guest Userspace Guest Userspace
Guest
Web Server Guest
DNS Server
Userspace Userspace
Guest
Guest local Guest
Guest
Kernel
Kernel exploits Kernel
Kernel
Host Kernel
Host Hardware memory,
storage, etc.
- 18. sVirt in a nutshell:
Isolate guests using MAC security
policy
Contain hypervisor breaches
- 22. sVirt design:
Security “driver” manages MAC
labeling of guests and resources
MAC policy enforced by host kernel
- 23. Simplified libvirt architecture w/ SVirt
drivers host
node
hypervisors storage security hypervisor
Xen iSCSI SELinux *
KVM NFS etc. guest
OpenVZ logical guest
LXC fs
guest
UML disk
*
API
* security labels
* *
storage
virsh virt-manager
- 24. sVirt design:
Reuse of proven code and security
models
Coherent and complete system
policy
Reduced complexity and cost
- 30. Host Userspace
virtd_isolated_t:1 virtd_isolated_t:2
Guest
Web Server Guest
DNS Server
Userspace Userspace
Guest
Guest Guest
Guest
Kernel
Kernel Kernel
Kernel
Host Kernel
SELinux
Host Hardware
virt_image_t:1 virt_image_t:2
- 32. Future enhancements:
Virtual network security
Controlled flow between guests
Distributed guest security
Multilevel security