Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems offer the isolation of VM systems with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g., Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage to enable verification of security guarantees. Typically, covert channels are outside of access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies will be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have features necessary to express risk flow policies. Further, we find that such policies can be enforced in the context of sHype's Type Enforcement model.