Publication


Featured research published by Ronald Perez.


Annual Computer Security Applications Conference | 2005

Building a MAC-based security architecture for the Xen open-source hypervisor

Reiner Sailer; Trent Jaeger; Enriquillo Valdez; Ramon Caceres; Ronald Perez; Stefan Berger; John Linwood Griffin; L. van Doorn

We present the sHype hypervisor security architecture and examine in detail its mandatory access control facilities. While existing hypervisor security approaches aiming at high assurance have been proven useful for high-security environments that prioritize security over performance and code reuse, our approach aims at commercial security where near-zero performance overhead, non-intrusive implementation, and usability are of paramount importance. sHype enforces strong isolation at the granularity of a virtual machine, thus providing a robust foundation on which higher software layers can enact finer-grained controls. We provide the rationale behind the sHype design and describe and evaluate our implementation for the Xen open-source hypervisor.


IEEE Computer | 2001

Building the IBM 4758 secure coprocessor

Joan G. Dyer; Mark Lindemann; Ronald Perez; Reiner Sailer; L. van Doorn; Sean W. Smith

Meeting the challenge of building a user-configurable secure coprocessor provided several lessons in hardware and software development and continues to spur further research. In developing the 4758, we met our major research security goals and provided the following features: (1) a lifetime-secure tamper-responding device, rather than one that is secure only between resets that deployment-specific security officers perform; (2) a secure booting process in which each layer progressively validates the next less-trusted layer, with hardware restricting access to its secrets before passing control to that layer; (3) an actual manufacturable product - a nontrivial accomplishment considering that we designed the device so that it does not have a personality until configured in the field; (4) the first FIPS 140-1 Level 4 validation, arguably the only general-purpose computational platform validated at this level so far; and (5) a multipurpose programmable device based on a 99-MHz 486 CPU internal environment, with a real operating system, a C language development environment and relatively high-speed cryptography.


International Workshop on Mobile Commerce | 2002

Framework for security and privacy in automotive telematics

Sastry S. Duri; Marco Gruteser; Xuan Liu; Paul Andrew Moskowitz; Ronald Perez; Moninder Singh; Jung-Mu Tang

Automotive telematics may be defined as the information-intensive applications that are being enabled for vehicles by a combination of telecommunications and computing technology. Telematics by its nature requires the capture of sensor data, storage and exchange of data to obtain remote services. In order for automotive telematics to grow to its full potential, telematics data must be protected. Data protection must include privacy and security for end-users, service providers and application providers. In this paper, we propose a new framework for data protection that is built on the foundation of privacy and security technologies. The privacy technology enables users and service providers to define flexible data model and policy models. The security technology provides traditional capabilities such as encryption, authentication, non-repudiation. In addition, it provides secure environments for protected execution, which is essential to limiting data access to specific purposes.


Operating Systems Review | 2008

TVDc: managing security in the trusted virtual datacenter

Stefan Berger; Ramon Caceres; Dimitrios Pendarakis; Reiner Sailer; Enriquillo Valdez; Ronald Perez; Wayne Schildhauer; Deepa Srinivasan

Virtualization technology is becoming increasingly common in datacenters, since it allows for collocation of multiple workloads, consisting of operating systems, middleware and applications, in different virtual machines (VMs) on shared physical hardware platforms. However, when coupled with the ease of VM migration, this trend increases the potential surface for security attacks. Further, the simplified management of VMs, including creation, cloning and migration, makes it imperative to monitor and guarantee the integrity of software components running within VMs. This paper presents the IBM Trusted Virtual Datacenter (TVDc) technology developed to address the need for strong isolation and integrity guarantees, thus significantly enhancing security and systems management capabilities, in virtualized environments. It signifies the first effort to incorporate trusted computing technologies directly into virtualization and systems management software. We present and discuss various components that constitute TVDc: the Trusted Platform Module (TPM), the virtual TPM, the IBM hypervisor security architecture (sHype) and the associated systems management software.


ACM SIGOPS European Workshop | 2002

Secure coprocessor-based intrusion detection

Xiaolan Zhang; Leendert van Doorn; Trent Jaeger; Ronald Perez; Reiner Sailer

The goal of an intrusion detection system (IDS) is to recognize attacks such that their exploitation can be prevented. Since computer systems are complex, there are a variety of places where detection is possible. For example, analysis of network traffic may indicate an attack in progress [11], a compromised daemon may be detected by its abnormal behavior [14, 12, 5, 10, 15], and subsequent attacks may be prevented by the detection of backdoors and stepping stones [16, 17].


IBM Journal of Research and Development | 2009

Security for the cloud infrastructure: trusted virtual data center implementation

Stefan Berger; Ramón Cáceres; Kenneth Alan Goldman; Dimitrios Pendarakis; Ronald Perez; Josyula R. Rao; Eran Rom; Reiner Sailer; Wayne Frederick Schildhauer; Deepa Srinivasan; Sivan Tal; Enriquillo Valdez

The trusted virtual data center (TVDc) is a technology developed to address the need for strong isolation and integrity guarantees in virtualized environments. In this paper, we extend previous work on the TVDc by implementing controlled access to networked storage based on security labels and by implementing management prototypes that demonstrate the enforcement of isolation constraints and integrity checking. In addition, we extend the management paradigm for the TVDc with a hierarchical administration model based on trusted virtual domains and describe the challenges for future research.


IEEE Symposium on Security and Privacy | 2008

Virtualization and Hardware-Based Security

Ronald Perez; L. van Doorn; Reiner Sailer

Hypervisors allow virtualization at the hardware level. These technologies have security-related strengths as well as weaknesses. The authors examine emerging hardware and software virtualization technologies in the context of modern computing environments and requirements.


Operating Systems Review | 2007

A layered approach to simplified access control in virtualized systems

Bryan D. Payne; Reiner Sailer; Ramon Caceres; Ronald Perez; Wenke Lee

In this work, we show how the abstraction layer created by a hypervisor, or virtual machine monitor, can be leveraged to reduce the complexity of mandatory access control policies throughout the system. Policies governing access control decisions in today's systems are complex and monolithic. Achieving strong security guarantees often means restricting usability across the entire system, which is a primary reason why mandatory access controls are rarely deployed. Our architecture uses a hypervisor and multiple virtual machines to decompose policies into multiple layers. This simplifies the policies and their enforcement, while minimizing the overall impact of security on the system. We show that the overhead of decomposing system policies into distinct policies for each layer can be negligible. Our initial implementation confirms that such layering leads to simpler security policies and enforcement mechanisms as well as a more robust layered trusted computing base. We hope that this work serves to start a dialog regarding the use of mandatory access controls within a hypervisor for both increasing security and improving manageability.


Mobile Networks and Applications | 2004

Data protection and data sharing in telematics

Sastry S. Duri; Jeffrey G. Elliott; Marco Gruteser; Xuan Liu; Paul Andrew Moskowitz; Ronald Perez; Moninder Singh; Jung-Mu Tang

Automotive telematics may be defined as the information-intensive applications enabled for vehicles by a combination of telecommunications and computing technology. Telematics by its nature requires the capture, storage, and exchange of sensor data to obtain remote services. Such data likely include personal, sensitive information, which require proper handling to protect the driver's privacy. Some existing approaches focus on protecting privacy through anonymous interactions or by stopping information flow altogether. We complement these by concentrating instead on giving different stakeholders control over data sharing and use. In this paper, we identify several data protection challenges specifically related to the automotive telematics domain, and propose a general data protection framework to address some of those challenges. The framework enables data aggregation before data is released to service providers, which minimizes the disclosure of privacy sensitive information. We have implemented the core component, the privacy engine, to help users manage their privacy policies and to authorize data requests based on policy matching. The policy manager provides a flexible privacy policy model that allows data subjects to express rich constraint-based policies, including event-based, and spatio-temporal constraints. Thus, the policy engine can decide on a large number of requests without user assistance and causes no interruptions while driving. A performance study indicates that the overhead is stable with an increasing number of data subjects.


Annual Computer Security Applications Conference | 2007

Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control

Enriquillo Valdez; Reiner Sailer; Ronald Perez

Server virtualization more readily enables the collocation of disparate workloads on a shared physical platform. When employed on systems across a data center, the result can be a dramatic increase in server utilization and a decrease in overall power, cooling and floor space requirements. However, in an environment where workloads share the underlying platforms, achieving other desirable workload goals, such as availability and security, becomes a challenge. In particular, enforcing isolation between workloads in a large, dynamic, and virtualized data center requires strong yet easily configurable controls on the sharing of resources at the virtualization layer. Commercial hypervisors usually offer reasonable isolation of individual virtual machines (VMs). However, on hypervisor-based platforms, one cannot currently define a single policy that automatically enforces restrictions on the sharing of resources between multiple VMs or request an air gap between workloads. In this paper, we describe the design and implementation of a Hypervisor-based Mandatory Access Control (MAC) that achieves policy-driven distributed workload isolation for the IBM Power Hypervisor (PHYP). We discuss our experiences and lessons learned and examine the implications and trade-offs involved in providing MAC on a production-level, commercially-available hypervisor. Our goal is to simplify the security management of data centers through centralized security management and policy-driven distributed access control and data protection.
