xense-devel

Re: [Xense-devel] ACM doesnt scale

To: aq <aquynh@xxxxxxxxx>
Subject: Re: [Xense-devel] ACM doesnt scale
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Thu, 23 Jun 2005 21:46:37 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <9cde8bff05062318192325acdf@xxxxxxxxxxxxxx>
xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 06/23/2005 09:19:16 PM:

> On 6/23/05, Steven Hand <Steven.Hand@xxxxxxxxxxxx> wrote:
> > 
> > >at the moment, ACM supports only 2 models, and the code doesn't scale
> > >enough (at all) to support more models in the future? any plan to fix
> > >that?
> > 
> > Yes - the current ACM code is a proof of concept derived from the
> > IBM sHype code. The model at present is that two policies (a primary
> > and secondary) will be in place at any time, although it is intended
> > that the selection of these will be more dynamic in the future. It's
> > not yet clear if extending this will be required, but we're certainly
> > aware of the structure and limitations of the current code.
> > 
> 
> also the way security models are integrated into ACM doesn't scale, either.

Could you please be a little more specific about the "scaling"? What is your
application of the ACM module that determines there's a "scaling" problem?

The current ACM interface aims at simple replacement of one policy by another
policy. We are not aiming at supporting a large number of policies. The current
layering is for two policies because this seems to be a good match for the use
of hypervisors:

a) one policy is describing and enforcing which kinds of payloads 
   cannot run concurrently on a single hardware system (while the 
   reasons for requesting this might differ from case to case, 
   such requirements are actually out there)

b) one policy is for describing and enforcing which running VMs can share 
   information freely

We have experimented with multi-level policies as well. However, our immediate
interest is the reception and usage of the powerful yet simple and easy to
comprehend policies that we've already provided. Hence our immediate focus on
policy management tools that will aid the understanding and usage of the
current implementation.

Also, virtual TPM, integrity measurement, and other "trusted computing" related
enhancements are coming to Xen soon, and there will be synergies with our
access control framework that we hope to explore.

Thanks
Reiner
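
The two-policy layering described in the message above, as an added sketch that is not part of the original message and is not Xen's ACM code: one layer decides which workloads may run concurrently, the other which running VMs may share, and an operation is permitted only if both layers allow it. All names, labels and conflict sets are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical VM label: one workload class plus a bitmask of sharing types. */
struct vm { const char *name; unsigned workload; unsigned share_types; bool running; };
/* Each policy layer exposes the same hooks; NULL means the layer has no opinion. */
struct policy {
    bool (*may_start)(const struct vm *v, const struct vm *all, size_t n);
    bool (*may_share)(const struct vm *a, const struct vm *b);
};
/* Constructed conflict sets: bitmasks of workload classes that must not co-run. */
static const unsigned conflict_sets[] = { (1u << 0) | (1u << 1) };

/* Policy (a): deny start if a running VM of another class is in the same conflict set. */
static bool corun_may_start(const struct vm *v, const struct vm *all, size_t n) {
    for (size_t s = 0; s < sizeof conflict_sets / sizeof *conflict_sets; s++) {
        if (!(conflict_sets[s] & (1u << v->workload))) continue;
        for (size_t i = 0; i < n; i++)
            if (all[i].running && all[i].workload != v->workload &&
                (conflict_sets[s] & (1u << all[i].workload)))
                return false;
    }
    return true;
}

/* Policy (b): two running VMs may share only if they hold a common sharing type. */
static bool sharing_may_share(const struct vm *a, const struct vm *b) {
    return a->running && b->running && (a->share_types & b->share_types) != 0;
}

static const struct policy primary   = { corun_may_start, NULL };
static const struct policy secondary = { NULL, sharing_may_share };

/* Layered decision: every layer that implements the hook must permit. */
bool layered_may_start(const struct vm *v, const struct vm *all, size_t n) {
    return (!primary.may_start || primary.may_start(v, all, n)) &&
           (!secondary.may_start || secondary.may_start(v, all, n));
}
bool layered_may_share(const struct vm *a, const struct vm *b) {
    return (!primary.may_share || primary.may_share(a, b)) &&
           (!secondary.may_share || secondary.may_share(a, b));
}

int main(void) {
    struct vm vms[] = { {"a", 0, 0x1, true}, {"b", 1, 0x1, false} };
    printf("start b while a runs: %d\n", layered_may_start(&vms[1], vms, 2));
    return 0;
}
```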

