AN ACCESS CONTROL MODEL OF VIRTUAL MACHINE SECURITY

Size: px

Start display at page:

Download "AN ACCESS CONTROL MODEL OF VIRTUAL MACHINE SECURITY"

Mervin Williams
6 years ago
Views:

1 AN ACCESS CONTROL MODEL OF VIRTUAL MACHINE SECURITY QIN Zhong-yuan 1,3, CHEN Qi 2, LV You 2, QIANG Yong 2, GUO Ai-wen 2, SHEN Ri-sheng 1,3, Zhang Qunfang 4 1 Informaion Science and Engineering School, Souheas Universiy, Nanjing , China 2 Wu Jainxiong Deparmen, Souheas Universiy, Nanjing, Jiangsu , China 3 Key Lab of Informaion Nework Securiy, Minisry of Public Securiy, Shanghai , China 4 Compuer Deparmen, Nanjing Insiue of Arillery Corps, Nanjing, Jiangsu, China ABSTRACT Virualizaion echnology becomes a ho IT echnology wih he popu-lariy of Cloud Compuing. However, new securiy issues arise wih i. Specifically, he resources sharing and daa communicaion in virual machines are mos concerned. In his paper an access conrol model is proposed which combines he Chinese Wall and BLP model. BLP muli-level securiy model is inroduced wih corresponding improvemen based on PCW (Prioriized Chinese Wall) securiy model. This model can be used o safely conrol he resources and even behaviors in virual machines. Experimenal resuls show is effeciveness and safey. 1. INTRODUCTION As one of he key echnologies of cloud compuing, virualizaion has been widely used, his makes he securiy problem of virual machines (VM) more and more prominen [1]. Compared o radiional compuer sysems, virual machines will mee more securiy hreas; he hreas come no only from ouside, bu also from inside, which are caused by he characerisics of he virual machine sysem [2-4]. Nowadays he inernal hreas increasingly aroused academia and indusry ineress. The main inernal hreas include communicaion aacks beween virual machines, denial of service and informaion leakage, ec. Communicaion aack is a kind of aacks ha aackers implan code and aack hrough he process, shared memory or memory error, which is also called cover channels. There is no saisfied soluion for his problem in he indusry ye [5-7]. Denial of service makes he compuer resources canno be allocaed o he arge machine if he malicious VM apply for resources unlimiedly. Sundarapandian e al. (Eds) : ACITY, AIAA, CNSA, DPPR, NeCoM, WeST, DMS, P2PTM, VLSI pp , CS & IT-CSCP 2013 DOI : /csi

2 134 Compuer Science & Informaion Technology (CS & IT) The informaion leakage can happen in he following wo siuaions: (1) The aackers ransmi daa hrough cover channels, such as using he ime delay beween cache miss deecion in he CPUs which share he same cache, such aacks usually have some alliance relaions, hey achieve key daa ransmission by using he sysem holes hrough consulaions. (2) The aackers use he resource shared beween differen VMs, such as shared memory or CPU, o seal informaion. This kind of daa leakage will no cause damage o he sysem or daa o he virual machine sysem, bu if he VM running in upper layer is a server which conains criical daa, he leakage of such informaion can bring serious risks. Usually he operaion of he virual machine is conrolled by he Virual Machine Monior (VMM, also known as Hypervisor). Secure hypervisor can realize he resource isolaion, daa securiy, communicaion securiy and inegriy of heir code. Represenaive work is he IBM s hypervisor archiecure: shype [8]. I uses securiy model o conrol sysem processes, memory access and isolaion of inernal resources hrough access conrol module (ACM). Bu when he Chinese Wall policy is adoped o preven he hidden sream passing hrough differen virual machines, shype saically divide he differen conflic resources ino differen access area, as a resul he resource uilizaion is reduced [9]. Cheng e al proposed a Chinese Wall model wih a prioriy (Prioriized Chinese Wall, PCW) [10] o reduce he risk of he hidden informaion flow in a virual machine sysem. Based on he previous work, especially shype and PCW archiecure, we propose an access conrol model suiable o virual machine environmen, and we also verify he model in Xen. The main conribuions of his paper are: 1. An access conrol securiy model of virual machines is proposed, i inroduces he BLP(Belllapadula) model on he basis of he PCW model o conrol he memory sharing among virual machines and mainain he CW model o manage he virual machine sar. 2. The BLP model is improved, he conrol range of rused subjecs and securiy level are added. 3. We implemen a prooype for he securiy model, hree sraegies are used o realize he securiy model. Resuls show he effeciveness of he proposed model. 2. MODEL ANALYSIS 2.1 Analysis of virual machine access conrol model In 2005 IBM proposed shype, which is a securiy archiecure used o conrol he informaion flow beween he operaing sysems ha share he same hardware plaform and i can achieve he conrolled sharing of resources beween virual machines. Xen virual machines adoped he core idea of shype ha i se an ACM module in he virual layer and implemened wo securiy policies [11]: Chinese Wall (CW) [12] and Simple Type Enforcemen (STE). Is main objecives are: (1) Managemen of he communicaion beween wo virual machines in he same sysem; (2) Managemen of he hardware resources ha virual machine can access; (3) Muliple virual machines in he same conflic se of ineres canno be run a he same ime, his reduced he occurrence of he conver channel. While he CW sraegy can preven virual machines have conflic of ineres running a he same ime in he same VMM, he STE policies can conrol wheher communicaions can happen beween differen virual machines and he hardware resources virual machines can access.

3 Compuer Science & Informaion Technology (CS & IT) 135 CW and STE boh have significan advanages on he conrol and disribuion of resources, which is he main reason why Mandaory Access Conrol (MAC) mehod can be well applied in VMs. However, CW and STE also have many limiaions, which mainly refleced in ha hey canno preven he cover channel; an aacker can easily ake advanage of shared resources or hirdpary virual machine for daa ransfer. Ge Cheng, Hai Jin e al proposed he PCW sraegy model [10], which is based on he Chinese Wall securiy policy, bu i is also differen wih he shype s CW sraegy, i.e., he relaionship of conflic ses is no longer saic, bu can be exened along wih he flow of informaion. This model can preven he conver channel effecively, however, he following defecs also exised: 1. PCW model is so sric ha i grealy reduced he resource uilizaion of virual machine, which is conrary o he original goal of virual machine design, and here is also a possibiliy of sysem deadlock ha a virual machine may never ge a chance o run because of dynamic conflic se of ineres unless you resar he sysem. 2. PCW is only limied o isolaed conrol of virual machine resource allocaion, ha is, eiher access or refused, bu his does no mach he acual requiremens. Virual machine is equivalen o a compuer group, here are wo conflics beween he virual machines in his group, one is he resource reques and he oher is access righs. Bu resricions on access righs canno be sricly isolaed. For example, FTP service, when here is a conflic beween he hos and clien access righs, he hos can se he access righs of he clien, limi he clien s read and wrie permissions so ha clien can operae wihin is scope, bu PCW can only permi or deny which canno fi his demand. 2.2 BLP model and is improvemen From above, we can see ha he CW and PCW conflic ses canno fully mee he securiy needs of he virual machine. In order o solve he problem from he securiy of he whole sysem, we inroduce anoher model: BLP muli-level securiy model. In our model, BLP will be used o conrol he memory sharing of virual machine, i also manage he CW model o conrol he sar of virual machine. Considering he PCW can effecively preven he cover channel hreas brough by he communicaion and CPU resource sharing of virual machine. Therefore, CW, PCW and BLP will simulaneously exis in our model. We have made some improvemens on he BLP o beer mee he sysem requiremens. BLP model was proposed for he U.S. miliary in he 1970s o solve he informaion securiy and confidenialiy problems of ime-division sysem, he model is mainly used o preven confidenial informaion o be accessed by unauhorized subjec [13]. In BLP model, se L( s) = l as s securiy permissions of subjec s, se l( o) = l as sensiiviy level of objeco and for all he securiy levels l i ( i = 0,1,, k 1, l i < l i+ ),here are hree access and conrol rules: 1 o 1. Independen safey feaures: he subjec s has discreionary access permissions on he objec o. 2. Simple safey condiions: he subjec s can perform read operaion on objec o, if and only ifl o < l s, s has auonomous read permissions on o.

4 136 Compuer Science & Informaion Technology (CS & IT) 3. *-properies: subjec s can perform wrie operaion on objeco, if and only ifl o > l s, s have auonomous read permissions ono. Considering he special feaures of VMs, we made he following improvemens on BLP: 1. The rused subjec is added BLP model s sric confidenialiy brings he sysem a lo of resricions, e.g., any virual machine can communicae only based on he securiy level, however, some special virual machines need o exchange informaion uncondiionally. Therefore, we add a rused subjec, which can go beyond he BLP model s sric securiy level sysem and exchange informaion wih he arge objec. We make a limiaion ha rused subjec canno exchange malicious objecs wih oher objecs, i.e., a rused subjec canno be served as malicious objec ransfer medium. 2. Conrol of he securiy level s range In he convenional implemenaion of BLP axiom, a subjec s sensiive level is fixed in is enire life cycle. The sysem se a securiy level for each VM, bu i does no mean ha all he virual machine of higher securiy level have read permission on hose of lower securiy level, because i does no mee he acual service s demand. Therefore, here is a need o se a zone classificaion for he securiy level. There are muli-level securiy daa sreams in a securiy zone, while i does no exis in he differen zones. In his way he flow of daa beween he virual machines in differen securiy levels can be conrolled according o sysem requiremens. 3. MODEL DESIGN AND SECURITY ANALYSIS 3.1 Model Design In our model we assume ha he securiy levels of all he virual machines are in he same zone, meanwhile virual machines have independen access righs o he resource allocaed by he sysem, ha is, he subjec and objec boh mee he discreionary access permissions. We presen he Virual machine Based Access Conrol model (VBAC), which is defined as follows: 1. Model elemens Subjec and objec elemens Subjec se S :{ s1, s2,, s m }, defined as an objec which sends access reques, Objec se O :{ o1, o2,, o m }, defined as an objec is accessed. In he virual machine sysem, boh VM and sysem resources are likely o become one of subjec or objecs; Trused subjec se: T( s):{ s s is rused and s S} ; Access characerisic and reques decision sequence Access characerisic (AC) conains memory read and wrie:{ read, read wrie }, memory ransfer: { mem ranfer}, VM label: { addlabel, rmlabel }, resource apply and release: { apply, release }, VM creae and desroy:{ creae, desroy }, VM sar and sop:{ sar, sop }, communicaion apply and

5 Compuer Science & Informaion Technology (CS & IT) 137 release: { com apply, com release}, securiy level adjusmen: { level( L ) L is he new sec uriy level }; u u The sae se of he virual machine:sae(o){running,sop,sleep}; Sysem securiy level F: securiy caegory, f1 and f2 represen subjec s and objec s securiy level respecively, f3 and f4 represen caegory; Reques se R : S + O X, S S { φ} =, reques elemen is R :{ R R R, i 0} ; + =, X AC { φ } F i i i Securiy Decision se D:{yes,no,error,?}, is elemen is D :{ D D D, j 0}, which is he decision of reques R ; j j j j T Reques sequence X : R, which represens he reques sequence a differen ime, reques elemen is x, x represen he reques a ime ; T Decision sequence Y : D, i s he decision sequence se which securiy policy responses o he reques sequence, decision elemen is denoed as y, y represens he decision a ime ; The conflics se and access marix The conflics ineres se: CIS(o), he daa se which has ineres conflic wih objec o, elemen CIS (o) represens he conflic relaion se of o a ime ; conflic zone: RC, all he elemens in a conflic se belong o he corresponding conflic zone, ha is s CIS( s), s RC ; if s is no included in any conflic se, s` S, s CIS( s`), i s he same o say s belongs o no conflic zone, hen define s RC ; Sysem access marix A: (S O), i s used o record he access memory of he subjecs and objecs conrolled by he sysem, marix elemen A ( si, o j ) represens he access marix a ime, A { 1, 0,1},1 represens ha s i had accessed o j, 0 represens ha i s sill no decided and will change wih decision D ( s, o, x ), -1 represens ha i canno be accessed.a 0 is he iniial access marix. i j Sysem sae and sysem Presen access se: P( S O AC) ; Sysem sae V: P( S O AC) A F ; Sae sequence Z : V T is he sae sequence, sae elemen is denoed as z, z represen he sae of ime ; z0 is he iniial sae, usually regard iniial sae of sysem as safe.

6 138 Compuer Science & Informaion Technology (CS & IT) Sae shif: W R D V V 0, ( x, y, z) SYM : ( R, D, W, z ) X Y Z 2. Model rules represen a sae shif o anoher sae afer reques and decide; SYM, only a any ime T ( x, y, z, z 1) W ; To implemen he securiy conrol of he sysem, he subjecs and objecs of he virual machine sysem is defined as he safey rules below. In B1, B4, B5, B6, B7, B8, B9, and B10, subjecs and objecs are VMs, bu in oher rules he subjecs are virual machine and he objecs are he hardware resources. Rule B1: The subjec add a label or remove a label, R ( s, o, addlabel ) R ( s, o, rmlabel ) R ( s, o, addlabel ) R ( s, o, rmlabel ) is permied only when s T( s), ha is, he subjec is a rused subjec. Rule B2: The subjecs apply for resource, R ( s, o, apply ) R ( s, o, apply ) is permied only when he following condiion is saisfied. 1. A ( s, o) 1, s had never accessed o before ; 2. There s no oher subjec is accessing o a ; 3. s ' s : A ( s', o) = 1 o ' CIS + 1( o) : A ( s', o') 1, he subjecs had accessed o will no be confliced wih s. Rule B3: Subjecs release resources, R ( s, o, release ) R ( s, o, release) is permied only when sae( s) = sop, ha is, he subjec is sopped. Rule B4: Subjecs creae and desroy he objecs, R ( s, o, creae desroy) R ( s, o, creae desroy ) is permied only when s T( s) ; Rule B5: Subjecs sar he objecs, R ( s, o, sar ) R ( s, o, sar ) is permied only when: s T ( s) and o`, D ( o, o`, apply) = 1, ha is, all he resources applied by he clien is permied by Rule 2; s ' ( sae( s ') = running) ^ ( sae( s ') = sleep), o CIS( s '), he objec is no confliced wih he VMs which is running or suspended. Rule B6:The subjecs sop he objecs, R ( s, o, sop) R s o sop is permied only when s T( s). (,, )

7 Compuer Science & Informaion Technology (CS & IT) 139 Rule B7: The subjecs communicae wih he objecs, R ( s, o, com apply) R ( s, o, com apply) is permied only when: 1. s RC o RC, ha is, s and o don belongs o any conflic se; 2. s CIS( o) o CIS( s), ha is, he wo sides of communicaion aren in he same conflic se. Rule B8: The subjecs release communicaion, R ( s, o, com release) R ( s, o, com release) is permied only when D ( s, o, com apply) =1, ha is, if he communicaing rules beween s and o fi B7 and ge permission, release communicaion is always permied. Rule B9: The subjecs adjus he securiy level, R ( s, o, level ( L )) R ( s, o, level ( L )) is permied only when s T( s) ^ ( sae ( o) = sop),ha is, s is rused subjecs and he clien is no running. n Rule B10: The subjecs apply for memory ransfer from he objecs, R ( s, o, mem ranfer) R ( s, o, mem ranfer ) is permied only when ( f1( s) > f2( o) ^ f3( s) f4( o)) ( s T( s)) ; ha is, he subjecs dominae he objec or he subjec is rused subjec. Rule B11: The subjecs only read he mapped memory, R ( s, o, readonly map) R ( s, o, readonly map) is permied only when: ( f1( s) > f2( o)^ f3( s) f4( o)) ( s T( s)), ha is, he subjecs dominae he objec or he subjec is rused subjec. Rule B12: The subjecs read or wrie he mapped memory, R ( s, o, read wrie ) R ( s, o, read wrie ) is permied only when: {( f ( s) = f ( o))^[ f ( s) f ( o) f ( s) f ( o)]} ( s T( s)), ha is, he wo sides of read and wrie are a he same securiy level. Conflic se expansion heorem: 1. If R (s,o,apply) fi B2, hen: a) If ( s1 SYM, s CIS ( s1)) ^ ( s2 SYM, A( s2, o) = 1), le A( s, o ) = 1, expand he conflic se of s2 as: CIS( s ) = U 2 1 s2 s1 A( s2, o) = 1 b) If ( s1 SYM, s CIS ( s1 )) ^ ( s2 SYM, A( s2, o) = 1), hen only le A( s, o ) = 1,ha is, if s is no in any conflic se and o was never accessed by any objec, we only need o modify he access hisory marix A; s n

8 140 Compuer Science & Informaion Technology (CS & IT) (2) If R ( s, o, com apply) fis B7, hen: a) If s RC o RC ( s or o doesn belong o any conflic se, hen expand he conflic se: U CIS( o) = s, s RC ^ o CIS( o) s o CIS( s) = Uo, o RC ^ s CIS( s) o s do _ nohing, o RC ^s RC b) s CIS ( o) o CIS( s), if he wo sides of communicaion aren in a same conflic se, So, expand any of hem: =U CIS( s) CIS( o) ( s1, s2, K, sn ),( D( s1, s2, com apply) = 1) ^ ( D( s2, s3, com apply) = 1) ^( ) ^ ( D( s 1, s, com apply) = 1),will expand all conflic ses of s (1 i N) : N N s o i 2 i N CIS( s1 ) = U si By symmery and ransiiviy, we can be obained ha all he subjecs of direc or indirec communicaion will in a same conflic se, which is he previously menioned Alliance of conflic se. 3.2 VBAC model securiy analysis In VBAC model, rule B1 o B8 of VBAC adop he core ideas of CW s conflic se; B9 o B12 adop he muli-level securiy idea of BLP. We assume ha he iniial sysem sae is safe in a conflic of ineres and secure confidenialiy. Rule B2, B3 conrol resource allocaion, in full compliance wih he idea of conflic isolaion, mee CW s simple securiy feaures o ensure here s no informaion disclosure on he resource allocaion. Rule B7, B8 conrol even channels beween virual machines by CW s idea, even channel is a echnical core of he virual machine, as semaphore mechanism of he radiional sysem. Many virual machine behaviors are based on he even channel, if he conrol is oo sric, he availabiliy of he virual machine will be affeced, so he conrol of even channel need o be se in accordance wih he secure requiremens of he sysem. There are a hird pary cover channel in Rule B2, B3, B7, B8, he conflic se expansion heorem is proposed o solve his problem and eliminaes he hird-pary securiy risks well. The model rules B9 B12 conrol he virual machine resource sharing and communicaion problems by idea of BLP, rule B10, B11, B12 mee he securiy feaures of he muli-level securiy sysem, hus, he sysem conversion will limied by B9 o B12 o ensure he confidenialiy. si s1

9 Compuer Science & Informaion Technology (CS & IT) 141 From he model, we can beer avoid informaion leakage caused by sysem resource allocaion, as well as beer conrol of hird-pary cover channel of virual machines. 4. IMPLEMENTATION AND EXPERIMENT RESULTS In he implemen, we divide he virual machine-based access conrol model ino hree pars: he main sraegy, he second sraegy, he hird sraegy. The secure conrol sraegy is realized hrough he cooperaion of hree sraegies. (1) The main sraegy primary policy: I implemened he conflic se model, used core idea of CW and is responsible for creae, sar and desroy of he virual machine. The sraegy is based on virual machine and follows VBAC model s Rule B1, B4, B5, B6; (2) The second sraegy second policy: In Xen, resource conrol and even channel managemen uses STE model, we also use his securiy model. STE adoped CW s idea of ineres conflic se, i is responsible for applicaion, allocaion, revocaion of virual hardware resources, and he even channel managemen, in he model proposed in his paper, i will follow he VBAC model s rule of B1, B2, B3, B7, B8, as well as he conflic se expansion heorem; (3) The hird sraegy hird policy: The hird sraegy conrols he muli-level secure communicaions beween virual machines; i adoped he core idea of he BLP, and is responsible for managing memory sharing, daa ransfer and oher issues. I follows he VBAC model rule B9, B10, B11, B Tes Resuls 1. Memory managemen es In our experimen he PC s physical memory is 4GB, ha is, number of pages in he memory space: 4G/4KB = 1M. Tes scenarios of memory access conrol are as follows: creae hree VMs Dom1, Dom2, Dom3, configuraion informaion for each VM memory is: memory 512MB for Dom1, memory 256MB for Dom2, and 256MB for Dom3. (1) Scheme 1: es if here is conflic relaionship beween Dom1 and Dom2; These wo virual machines are allocaed memory space respecively. The es procedure is as follows: 1 Boh Dom1 and Dom2 were no se a securiy ype, afer saring Dom1 deec he memory space allocaed by Xen; 2close Dom1, hen sar Dom2 and deec memory space allocaed by Xen. We ge memory allocaion of Dom1 and Dom2 hrough Xenrace ools and debug-keys in Xm as shown in Figure 1. In figure 1, he verical axis represens he ime axis, he horizonal axis represens he number of pages, and experimenal machine has 4GB physical memory or memory pages 1M, so he maximum memory page number is In he Xen virual machine sysem, Xen occupied he saring 64MB memory space, as he red region shown in he figure; afer sar of he Domain0, all he oher memory was managed by Domain0 and i go a memory allocaion of 131,072, as he green region shown; When sar Dom1, i was allocaed a memory of 65536

10 142 Compuer Science & Informaion Technology (CS & IT) pages, is page space is he yellow region shown in Figure1, afer closing Dom1, Dom1 s memory page was recovered; so when saring Dom2, Domain0 allocae memory for i in-memory heap, as he black region shown in he figure. We can conclude from he daa ha Dom2 and Dom1 can share memory pages. (2) Scheme 2: Fig. 1. Conrol of Memory resource es resuls Tes he memory space which is allocaed for he virual machine of same conflic se. The es procedure is as follows:label he Dom1 wih securiy ype "A", and label he Dom2 wih "B", afer swich on he Dom1, es he memory address segmen assigned o Xen; 2 Close Dom1, swich on Dom2,examine he memory page saus allocaed for Dom2. Figure 2 shows he resuls of scheme 2. In he design of scheme, here are some conflic of ineress beween Dom1, and Dom2. Thus, despie Domain0 recover is memory afer Dom1 is closed, he ype of access has been recorded in memory by he hisory array. The memory page used by Dom1 canno be assigned o Dom2 when allocaing memory pages for Dom2 because he conflic relaionship menioned above. The memory page used by Dom1 is marked in yellow, page of memory allocaed for Dom2 is marked in brigh blue, from he saisics, we find ha here is no shared memory page in Dom1 and Dom2. (3) Scheme 3: Tes he influence ha conflic se expansion heorem may have on memory allocaion. In order o achieve he expeced resuls, we se memory configuraion of Dom1 o 512MB, he memory of Dom2 and Dom3 o 256MB. The es procedure is as follows: Se all he array which conain memory usage hisory o 0, he Dom1 wih securiy label "A", Dom2 wih securiy label "C", examine he memory address ranges assigned o Xen afer swiched on Dom1; 2 Close Dom1 and swich on Dom2, es saus of memory page allocaed for Dom2; 3 creae Dom3 which is se wih securiy label "E", hen close Dom2 and swich Dom, es saus of memory page allocaed for Dom3.

11 Compuer Science & Informaion Technology (CS & IT) 143 Fig. 2. Resul of memory resources conrol es in scheme 2 Three memory allocaion of he es scheme 3 is shown in Figure ,072 memory pages used by Dom1 are marked in yellow, Dom2 represen memory pages for Dom1 which is allocaed by Domain0 afer Dom1 is closed; in he scheme, here are some conflic beween Dom2 and Dom3, for hey had shared he same memory page. According o conflic se expansion heorem, hey had he same ype of conflic. Thus memory page used by Dom1 canno be assigned o Dom3, In Figure3 memory allocaed for Dom3 is marked in brigh blue. 4.2 Resul analysis Fig. 3. Resul of memory resources conrol es in scheme 3 From he es daa and resul analysis, we find he proposed securiy model has he following several characerisics: (1) High safey. In he secion abou securiy and effeciveness in his paper, he safey of virual machine managemen, even channel, resource managemen and shared memory access conrol have been esed. Resuls show ha he virual machine managemen conrol accord wih he requiremen of CW se model of ineres conflic; Resource managemen and even channel conrol can ge he effecive conrol hrough exended definiion of conflic se; he conrol o memory shared follows mulisage safey conrol rules of VBAC model which has been menioned in his paper.

12 144 Compuer Science & Informaion Technology (CS & IT) (2) Less space overhead. In access conrol module, he securiy level and conflic se ype sored in arrays afer he mapping, he size of sraegy informaion cache array is decided by securiy ype number M and virual machine number N. Assuming ha each array elemen occupied 1 Bye, hen he array of sraegy informaion will occupy M * N Byes oally. In resource conrolling, he larges overhead comes from he memory pages. In order o reduce he cos of he space, we adop he Bi-map sorage, which has grealy reduced he space overhead. (3) Exisence of ime performance loss. From he esing process, we can see ha performance loss in access conrol are mainly caused by memory allocaion, because a lo of memory page need o be allocaed every ime when he sysem sars, and each allocaion will cause reading and decision of model informaion, hus a cerain period of ime loss happened. 5. SUMMARY Virual machine is one of he key echnologies of cloud compuing, bu here exis many aacks o he virual machine. According o he inernal safey problems of virual machine, we propose a novel access conrol model which is suiable for virual machine environmen. On he basis of PCW securiy model, we inroduced he BLP mulilevel securiy model, and make corresponding improvemens of BLP. The performance and space overhead are ananlyzed. The simulaion resuls show ha he proposed model is feasible and secure. ACKNOWLEDGMENTS This work is suppored by he Key Lab of Informaion Nework Securiy, he Minisry of Public Securiy and Informaion Securiy Special fund of Naional Developmen and Reform Commission (Projec name: Developmen of Securiy es service capabiliies in wireless inelligen erminals). REFERENCES [1] Feng DG, Zhang M, Zhang Y, Xu Z. Sudy on cloud compuing securiy[j]. Journal of Sofware, 2011,22(1): [2] Wang, Z.,X.X. Jiang. HyperSafe: A Lighweigh Approach o Provide Lifeime Hyper-visor Conrol- Flow Inegriy[C] IEEE Symposium on Securiy and Privacy, 2010: [3] Salaun, M. Pracical overview of a Xen cover channel[j]. Journal in Compuer Virology, 2010, 6(4): [4] Liu, Q., G.H. Wang, C.L. Weng, e al. A Mandaory Access Conrol Framework in Vir-ual Machine Sysem wih Respec o Muli-level Securiy II: Implemenaion[J]. China Communicaions, 2011, 8(2): [5] Ranjih, P., C. Priya,K. Shalini. On cover channels beween virual machines[j]. Journal in Compuer Virology, 2012, 8(3): [6] Okamura, K.,Y. Oyama. Load-based cover channels beween Xen virual machines[c]. 25h Annual ACM Symposium on Applied Compuing, Sierre, Swizerland, 2010:

13 Compuer Science & Informaion Technology (CS & IT) 145 [7] JingZheng, W., D. Liping, W. Yongji, e al. Idenificaion and Evaluaion of Sharing Memory Cover Timing Channel in Xen Virual Machines[C] IEEE 4h Inerna-ional Conference on Cloud Compuing (CLOUD 2011), Los Alamios, CA, USA, 2011: [8] R. Sailer, E.V., T. Jaeger, R. Perez, L. van Doorn, J. L. Griffin, and S. Berger..sHype: Secure Hypervisor approach o rused virualized sysems, Yorkown Heighs, NY, USA:2005. [9] CHENG Ge, JIN Hai, ZOU De-qing, ZHAO Feng. Chinese wall model based on dy-namic alliance[j]. Journal on Communicaions, 2009, 30(11): [10] Cheng, G., H. Jin, D.Q. Zou, e al. A Prioriized Chinese Wall Model for Managing he Cover Informaion Flows in Virual Machine Sysems[M]. Proceedings of he 9h In-ernaional Conference for Young Compuer Scieniss, Vols 1-5, ed. G.J. Wang, e al.los Alamios: Ieee Compuer Soc,2008. [11] Shi Nei, Zou Deqing, Jin hai. Xen Virualize echnology [M]. Wu han: Huazhong Uni-versiy of Science and Technology Press,2009. [12] Foley, S.N. Building Chinese walls in sandard unix(tm)[j]. Compuers & Securiy, 1997, 16(6): [13] Gansen, Z.,D.W. Chadwick. On he modeling of Bell-LaPadula securiy policies using RBAC[C] IEEE 17h Workshops on Enabling Technologies: Infrasrucure for Collaboraive Enerprises., Piscaaway, NJ, USA, 2008:

Simple Network Management Based on PHP and SNMP

Simple Network Management Based on PHP and SNMP Simple Nework Managemen Based on PHP and SNMP Krasimir Trichkov, Elisavea Trichkova bsrac: This paper aims o presen simple mehod for nework managemen based on SNMP - managemen of Cisco rouer. The paper