Improving Flask Implementation Using Hardware Assisted In-VM Isolation

Abstract : The Flask architecture, which mainly contains object manager (OM) and security server (SS), is widely used to support flexible security policies in operating system. In nature, OM and SS should be isolated from each other to separate decision from enforcement. However, current implementation of Flask, such as SELinux and SEBSD, puts both OM and SS in the same address space. If one component is subverted, the whole system will be exposed to the attacker. In this paper, we present hardware assisted in-VM isolation to improve the security of the Flask implementation. The key of our approach is the separation of SS from other parts of guest OS by constructing hardware assisted page tables at the hypervisor level. In this way SS can execute in a strongly isolated address space with respect to its associated guest OS, and therefore can provide a trustworthy and centralized repository for policy and decision-making. Our experiment shows that our method introduces moderate performance overhead.
Type de document :
Communication dans un congrès
Dimitris Gritzalis; Steven Furnell; Marianthi Theoharidou. 27th Information Security and Privacy Conference (SEC), Jun 2012, Heraklion, Crete, Greece. Springer, IFIP Advances in Information and Communication Technology, AICT-376, pp.115-125, 2012, Information Security and Privacy Research. 〈10.1007/978-3-642-30436-1_10〉
Liste complète des métadonnées

Littérature citée [24 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01518216
Contributeur : Hal Ifip <>
Soumis le : jeudi 4 mai 2017 - 13:45:16
Dernière modification le : jeudi 4 mai 2017 - 14:53:56
Document(s) archivé(s) le : samedi 5 août 2017 - 13:01:19

Fichier

978-3-642-30436-1_10_Chapter.p...
Fichiers produits par l'(les) auteur(s)

Licence


Distributed under a Creative Commons Paternité 4.0 International License

Identifiants

Citation

Baozeng Ding, Fufeng Yao, Yanjun Wu, Yeping He. Improving Flask Implementation Using Hardware Assisted In-VM Isolation. Dimitris Gritzalis; Steven Furnell; Marianthi Theoharidou. 27th Information Security and Privacy Conference (SEC), Jun 2012, Heraklion, Crete, Greece. Springer, IFIP Advances in Information and Communication Technology, AICT-376, pp.115-125, 2012, Information Security and Privacy Research. 〈10.1007/978-3-642-30436-1_10〉. 〈hal-01518216〉

Partager

Métriques

Consultations de la notice

91

Téléchargements de fichiers

23