Reiner Sailer
2005-Sep-03 00:56 UTC
[Xen-devel] Re: [Xense-devel] [PATCH] ACM: adding C-support for policy translation and labeling support for domains
>David Palmer <dwpalmer.xense@gmail.com> wrote on 09/02/2005 11:47:15 AM:> Reiner, > > What I hear you saying is that you want to enable a hierarchy of > security servers. This frees the ACM in the Xen hypervisor from > being the end-all-be-all mechanism for making security decisions.Yes. I guess you call the centralized decision function a security server. The security server of the hypervisor probably matches the ACM. The ACM stores all access classes (security information, sets of types), which are attached to VMs or resources by means of the so-called sid-reference (subject/object security identifier). The coarse grained hypervisor policy guards access of VMs to resources (ii) relying on a small trusted computing base with (ii) introducing very overhead and (iii) not relying on co-operation of general VMs (mandatory). In the current HV ACM context: Chinese Wall guards which VMs can use the hardware together with which other VMs. The Type Enforcement guards, which VMs can communicate with which other VMs (direct: event channel and grant-tables in Xen) and which VMs can co-operate through which resources with other VMs (e.g., network, sharing access to virtual disk, ...). For the latter, the hypervisor relies on (and trusts) device VMs such as the storage or network VM to enforce access on its behalf. Device domains have more privileges than general domains and can retrieve ssid information from the hypervisor to support their access control decisions. Other policies, such as OS-layer policies (e.g., SELinux) enforced inside of VMs can include knowledge about identities (roles, ...) or data (multi-level) and enforce finer grained policies. They can either refine the hypervisor policy or independently implement their own one (being agnostic of the hypervisor enforcement). In the latter case, the hypervisor offers a basic "safety-net like" confinement and might override operations permitted by higher layer policies (e.g. as basic protection in case the OS becomes compromised and with it the OS-security).> It also enables domains to incorporate resource specific rules for > making access decisions for those resources. This is not intended > to preclude providing the policy statements in the XML files to > specify the rules for these access decisions.Yes.> Let me know if I''m still misunderstanding you, but this is making > more sense. I want to take a moment to look over the new functions > to see how they support the above objective before commenting further. > > DaveI think you are on the right track. Thanks Reiner> On 9/1/05, Reiner Sailer <sailer@us.ibm.com> wrote: > > David Palmer <dwpalmer.xense@gmail.com> wrote on 09/01/2005 02:34:10 PM: > > > > > Is it your experience that decision cache''s aren''t efficient? > > I must have expressed myself clumsily. Decision caches are extremely > efficient as long as we use policies that don''t change often, which > is the goal on the hypervisor level. > > > I thought the theory was that most access checks will be against the > > local cache in order to make calls to the security server > > infrequent. This is accomplished by the ACM responding to each > > decision request with a list of related decisions. As the cache is > > checked locally, it avoids the context switch and should perform > > well. By adding a method for the ACM to signal each object manager > > when to clear the cache, we''re still able to support changing the > > policy. This could be provided by a standard static library and > > promoted as the accepted method for creating object managers and > > should be carefully optimized. > > The sHype security architecture for Xen is designed so that you can > choose. If you like to have "policy-unaware" domains then this is > absolutely OK. In this case some trusted domains act simply as the > long arm of Xen access control enforcement. > > Additionally, you can only get decisions from the hypervisor that > are based on what the hypervisor knows. For example, the hypervisor > does not know about disk drives and other peripherals. You could > submit the security reference of a device and the id of a domain and > let the hypervisor ACM make the decision but it seems more natural > that those domains that manage the peripheral make the decision > (they are trusted and part of the security architecture anyway and > they might have additional information on which the decision can be > based). The security policy that controls sharing is (intentionally) > extremely simple to implement. > > > By suggesting that domains should make "informed decisions" rather > > than "blindly call the ACM", are you suggesting that you''ll be > > making the Xen security policy that everyone else will abide by? > > The point I hoped to make in my last mail is quite the opposite of > what I hear you saying: By exposing all the policy information > (types) to appropriately privileged domains, we actually empower > policy-aware domains to make their own access control decisions. > Such decisions can be simply based on the received hypervisor > security types, but they can also be based on additional security > information available to these domains (for example: the history of > users of a disk partition). > > When we thought about it, we felt that the "decision call" approach > (that you are suggesting) is opposing the ACM policies onto upper > layers (e.g. OS) and limiting them in participation in decisions. > > Thanks > Reiner > > > > On 8/31/05, Reiner Sailer <sailer@us.ibm.com> wrote: > > > > Hi Dave, > > > > we are introducing the get_ssid ACM command to allow ACM policy- > > specific decisions > > and enforcement in policy-aware domains. > > > > One can call back into the hypervisor for policy decisions having > > the benefit you are > > naming (transparency). However doing this for every IP packet, for > > example, seems not efficient. > > Consequently, you''ll end up establishing decision cashes in the > > domains. Then you have the same > > problem as before (change in policy) without the performance > > benefit. If transparency > > (policy hiding) is the most important factor, then such a solution > > has merit. Another benefit of > > getting the whole ssid is that you can re-use this information for > > other decisions since you get > > all the types of a domain, not just a yes/no decision. > > > > Nothing speaks against having an optional "acm_decision" call that > > can be used > > by domains that don''t want to make informed decisions but blindly > > call the ACM > > (hypervisor call++ overhead) each time they make a decisions. Such a > > call might prove useful > > where decisions are made very infrequently. For example, a virtual > > block device domain owning a > > hard drive and allowing other domains to mount certain logical > > partitions might just ask the ACM for > > a decision when deciding about accepting a mount-request from a > > domain to a logical partition > > (right now, the virtual block device domain is dom0 but this could > > be refined in the future when other > > domains can ''own'' peripherals). > > > > Regards > > Reiner > > > > xense-devel-bounces@lists.xensource.com wrote on 08/31/2005 07:11:44PM:> > > > > > > I''m not clear why the getssid() needs to be introduced. Isn''t the > > > problem better solved by introducing new object managers? With the > > > getssid(), the code must know about the specific policy, making the > > > policy less amenable to adjustment as problems are discovered. > > > Wouldn''t it be better for the domains to provide object managers? > > > This would allow the STE policy to make statements about those new > > > objects. The code can be policy neutral by strictly following the > > > decisions of the security server. Wouldn''t this make it easier to > > > revoke policies and update them without having to change the > code and patch? > > > > > > Dave > > > > > > > > On 8/18/05, Reiner Sailer <sailer@us.ibm.com> wrote: > > > > > > This patch: > > > > > > * adds a C-based security policy translation tool to Xen > > > (secpol_xml2bin) and removes the current Java > > > security policy translator (Java dependencies). The C-based tool > > > integrates into the Xen source tree build > > > and install (using gnome libxml2 for XML parsing). See install.txt. > > > > > > * introduces security labels and related tools. Users can now use > > > semantic-rich label names to put security-tags > > > on domains. See example.txt, policy.txt. > > > > > > * moves the security configuration (currently > > > ACM_USE_SECURITY_POLICY) from xen/Rules.mk > > > into a separate top-level Security.mk file (it is needed by the > > > tools/security and xen/acm). > > > > > > Both xen/acm and tools/security are built during the Xen build > > > process only if ACM_USE_SECURITY_POLICY > > > is not ACM_NULL_POLICY (which is the default setting). > > > > > > Comments welcome! > > > > > > Note: We are currently preparing a patch that introduces a new ACM > > > command (getssid) to retrieve the security types > > > of a running domain. This command is enables domain-internal > > > enforcement functions based on the ACM security policy. > > > > > > Thanks > > > Reiner > > > > > > Signed-off-by Reiner Sailer <sailer@us.ibm.com> > > > Signed-off by Stefan Berger <stefanb@us.ibm.com> > > > Signed-off by Ray Valdez <rvaldez@us.ibm.com> > > > > > > > > > _______________________________________________ > > > Xense-devel mailing list > > > Xense-devel@lists.xensource.com > > > http://lists.xensource.com/xense-devel > > > > > > > > > > > _______________________________________________ > > > Xense-devel mailing list > > > Xense-devel@lists.xensource.com > > > http://lists.xensource.com/xense-devel_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel