WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xense-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xense-devel] Re: [Xen-devel] ACM ternary ops?

from [Michael LeMay] [Permanent Link][Original]
To: Reiner Sailer <sailer@xxxxxxxxxx>
Subject: [Xense-devel] Re: [Xen-devel] ACM ternary ops?
From: Michael LeMay <lemaymd@xxxxxxxxxxx>
Date: Mon, 05 Jun 2006 11:25:03 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 05 Jun 2006 08:25:14 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <OFE428EA49.08F7AD2E-ON8525717E.005EA5F1-8525717E.00632F87@xxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
References: <OFE428EA49.08F7AD2E-ON8525717E.005EA5F1-8525717E.00632F87@xxxxxxxxxx>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.2 (X11/20060501) 
Reiner,
Thank you for that detailed explanation, it's great to hear that you'll be integrating additional networking hooks into ACM. Are they currently available in any public repositories? After this discussion, I've decided that the appropriate approach to my problem would be to add more networking hooks as well, although I haven't yet determined exactly where I will need them. I would hate to recreate your work or conflict with it. 
Since you asked what exactly I'm looking for, I'll try to explain it 
briefly here.  I'd like to have a general network access control 
architecture at the hypervisor level, that can control network 
communications to and from any domU.  It shouldn't matter whether the 
communications are intended for other VMs on the same machine, or some 
external host.  Originally, I had wanted to have some control over which 
IP addresses the domU's are permitted to communicate with.  However, 
after this discussion, I can see that a better approach would be to 
restrict the communications from all VMs such that they are unable to 
make any connections, but simply route connections through a designated 
VM that enforces an appropriate network policy from userspace or using 
iptables, etc.

-- Michael

Reiner Sailer wrote:

> ------------------------------
>
> Message: 4
> Date: Tue, 30 May 2006 08:52:48 -0400
> From: Michael LeMay <lemaymd@xxxxxxxxxxx>
> Subject: [Xen-devel] ACM ternary ops?
> To: xen-devel@xxxxxxxxxxxxxxxxxxx
> Message-ID: <447C4020.4020008@xxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello all,
>
> I am interested in adding support for user-defined mandatory network
> access control policies to the existing ACM policy framework.  The most
> logical way to do this would be to add more hooks to handle networking
> and then define another policy module, like chinese wall and type
> enforcement.  However, it doesn't feel right to add a "ternary_ops"
> structure that is invoked after "secondary_ops".  Is there any
> reasonable justification for not including a link in each ops structure
> that points to the next policy module in the chain?  Essentially, I'd
> like to convert the current n-pointer structure to the following
> linked-list structure:
>
> acm_primary_ops -> acm_secondary_ops -> acm_ternary_ops -> ... -> NULL
>
Hi Michael,


to be able to answer more (than I do below) to your point, I need to 
know what "user-defined" policy do you aim to enforce? Is it a 
finer-grained operating system policy (based on OS structures, such as 
IP address or similar things etc.)?

If it is an operating system policy, then the policy should be 
implemented, decided, enforced, and managed in the operating system 
(e.g., IP tables, SELinux,...) and probably not in the hypervisor. The 
major focus of the ACM hypervisor security module is to keep the 
hypervisor code as small as possible and robust, and the hypervisor 
security guarantees easy to understand. --> only integrate what needs 
to be there. Higher layer security can and should be handled in the 
higher layers (OS, Middleware, Apps.).

Regarding hypervisor ACM network enforcement: We are currently 
integrating network packet policy enforcement into the Dom0 netback 
interface to control local network traffic (enforcing the simple 
type-enforcement policy based on acm labels of sending/receiving 
domain). In this case, we don't need new policies but integrate the 
existing acm_getdecision hypervisor call into the netback code to 
decide if a packet is passed or discarded between virtual network 
interfaces. This solutions appears to be a good fit for local traffic 
because the virtual network resource is part of the hypervisor 
environment and because the network policy is based on hypervisor 
structures: domains (not IP...). Other enforcement is be needed to 
guard external packets and such controls (at least our prototypes) use 
OS-level security, such as SELinux.

>Is there any
> reasonable justification for not including a link in each ops structure
> that points to the next policy module in the chain?


Every policy layer operating on the same hooks might keep internal 
state information, which must be rolled back if an access is denied by 
a policy component called "later" for the same hook. The chinese wall 
and the simple type enforcement policy components were chosen to build 
a hypervisor policy because they complete each other (one controls 
which domains can start on a system, the other controls how started 
domains can share information/communicate) and because they offer a 
good abstraction (workload = Doms + resources) based on which security 
guarantees are understood.

Running more than two policy components at the same time would require 
to show that you really need all these policies active at the same 
time. Otherwise, it seems more appropriate to define a new hypervisor 
policy that can be configured instead of the existing ones (assuming 
this new policy belongs into the hypervisor layer).

Greetings

Reiner 


_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
















[More with this subject...]










<Prev in Thread]
Current Thread
[Next in Thread>




















Previous by Date: 
Re: [Xense-devel] [Q] about ACM/IA64 status, Atsushi SAKAI




Next by Date: 
[Xense-devel] Re: [Xen-devel] ACM ternary ops?, Reiner Sailer




Previous by Thread: 
Re: [Xense-devel] [Q] about ACM/IA64 status, Atsushi SAKAI




Next by Thread: 
[Xense-devel] Re: [Xen-devel] ACM ternary ops?, Reiner Sailer




Indexes: 
[Date]
[Thread]
[Top]
[All Lists]











   
  

  

     
   
  









  
Copyright
       2005-2025, Citrix Systems Inc. All rights reserved. 
   Legal and Privacy