[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xense-devel] Re: [Xen-devel] ACM ternary ops?

To: Reiner Sailer <sailer@xxxxxxxxxx>
From: Michael LeMay <lemaymd@xxxxxxxxxxx>
Date: Mon, 05 Jun 2006 11:25:03 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 05 Jun 2006 08:25:14 -0700
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>

Reiner,

Thank you for that detailed explanation, it's great to hear that you'llbe integrating additional networking hooks into ACM. Are they currentlyavailable in any public repositories? After this discussion, I'vedecided that the appropriate approach to my problem would be to add morenetworking hooks as well, although I haven't yet determined exactlywhere I will need them. I would hate to recreate your work or conflictwith it.

Since you asked what exactly I'm looking for, I'll try to explain itbriefly here. I'd like to have a general network access controlarchitecture at the hypervisor level, that can control networkcommunications to and from any domU. It shouldn't matter whether thecommunications are intended for other VMs on the same machine, or someexternal host. Originally, I had wanted to have some control over whichIP addresses the domU's are permitted to communicate with. However,after this discussion, I can see that a better approach would be torestrict the communications from all VMs such that they are unable tomake any connections, but simply route connections through a designatedVM that enforces an appropriate network policy from userspace or usingiptables, etc.


-- Michael

Reiner Sailer wrote:

> ------------------------------
>
> Message: 4
> Date: Tue, 30 May 2006 08:52:48 -0400
> From: Michael LeMay <lemaymd@xxxxxxxxxxx>
> Subject: [Xen-devel] ACM ternary ops?
> To: xen-devel@xxxxxxxxxxxxxxxxxxx
> Message-ID: <447C4020.4020008@xxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello all,
>
> I am interested in adding support for user-defined mandatory network
> access control policies to the existing ACM policy framework.  The most
> logical way to do this would be to add more hooks to handle networking
> and then define another policy module, like chinese wall and type
> enforcement.  However, it doesn't feel right to add a "ternary_ops"
> structure that is invoked after "secondary_ops".  Is there any
> reasonable justification for not including a link in each ops structure
> that points to the next policy module in the chain?  Essentially, I'd
> like to convert the current n-pointer structure to the following
> linked-list structure:
>
> acm_primary_ops -> acm_secondary_ops -> acm_ternary_ops -> ... -> NULL
>
Hi Michael,
to be able to answer more (than I do below) to your point, I need toknow what "user-defined" policy do you aim to enforce? Is it afiner-grained operating system policy (based on OS structures, such asIP address or similar things etc.)?
If it is an operating system policy, then the policy should beimplemented, decided, enforced, and managed in the operating system(e.g., IP tables, SELinux,...) and probably not in the hypervisor. Themajor focus of the ACM hypervisor security module is to keep thehypervisor code as small as possible and robust, and the hypervisorsecurity guarantees easy to understand. --> only integrate what needsto be there. Higher layer security can and should be handled in thehigher layers (OS, Middleware, Apps.).
Regarding hypervisor ACM network enforcement: We are currentlyintegrating network packet policy enforcement into the Dom0 netbackinterface to control local network traffic (enforcing the simpletype-enforcement policy based on acm labels of sending/receivingdomain). In this case, we don't need new policies but integrate theexisting acm_getdecision hypervisor call into the netback code todecide if a packet is passed or discarded between virtual networkinterfaces. This solutions appears to be a good fit for local trafficbecause the virtual network resource is part of the hypervisorenvironment and because the network policy is based on hypervisorstructures: domains (not IP...). Other enforcement is be needed toguard external packets and such controls (at least our prototypes) useOS-level security, such as SELinux.
>Is there any
> reasonable justification for not including a link in each ops structure
> that points to the next policy module in the chain?
Every policy layer operating on the same hooks might keep internalstate information, which must be rolled back if an access is denied bya policy component called "later" for the same hook. The chinese walland the simple type enforcement policy components were chosen to builda hypervisor policy because they complete each other (one controlswhich domains can start on a system, the other controls how starteddomains can share information/communicate) and because they offer agood abstraction (workload = Doms + resources) based on which securityguarantees are understood.
Running more than two policy components at the same time would requireto show that you really need all these policies active at the sametime. Otherwise, it seems more appropriate to define a new hypervisorpolicy that can be configured instead of the existing ones (assumingthis new policy belongs into the hypervisor layer).
Greetings
Reiner



_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel

Follow-Ups:
- [Xense-devel] Re: [Xen-devel] ACM ternary ops?
  - From: Reiner Sailer

Prev by Date: Re: [Xense-devel] [Q] about ACM/IA64 status
Next by Date: [Xense-devel] Re: [Xen-devel] ACM ternary ops?
Previous by thread: Re: [Xense-devel] [Q] about ACM/IA64 status
Next by thread: [Xense-devel] Re: [Xen-devel] ACM ternary ops?
Index(es):
- Date
- Thread