At present,there are few security models which control the communication between virtual machines(VMs).Moreover,these models are not applicable to multi-level security(MLS).In order to implement mandatory access contr...At present,there are few security models which control the communication between virtual machines(VMs).Moreover,these models are not applicable to multi-level security(MLS).In order to implement mandatory access control(MAC)and MLS in virtual machine system,this paper designs Virt-BLP model,which is based on BLP model.For the distinction between virtual machine system and non-virtualized system,we build elements and security axioms of Virt-BLP model by modifying those of BLP.Moreover,comparing with BLP,the number of state transition rules of Virt-BLP is reduced accordingly and some rules can only be enforced by trusted subject.As a result,Virt-BLP model supports MAC and partial discretionary access control(DAC),well satisfying the requirement of MLS in virtual machine system.As space is limited,the implementation of our MAC framework will be shown in a continuation.展开更多
基金Acknowledgements This work was supported by National Key Basic Research and Development Plan(973 Plan)of China(No.2007CB310900)National Natural Science Foundation of China(No.90612018,90715030 and 60970008).
文摘At present,there are few security models which control the communication between virtual machines(VMs).Moreover,these models are not applicable to multi-level security(MLS).In order to implement mandatory access control(MAC)and MLS in virtual machine system,this paper designs Virt-BLP model,which is based on BLP model.For the distinction between virtual machine system and non-virtualized system,we build elements and security axioms of Virt-BLP model by modifying those of BLP.Moreover,comparing with BLP,the number of state transition rules of Virt-BLP is reduced accordingly and some rules can only be enforced by trusted subject.As a result,Virt-BLP model supports MAC and partial discretionary access control(DAC),well satisfying the requirement of MLS in virtual machine system.As space is limited,the implementation of our MAC framework will be shown in a continuation.
