|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xense-devel] Enforcing MAC policies across different machines
Daniele, we are glad you like our write-up and we are looking forward to involve more people in the plentiful rewarding work that aims at robust and usable security in virtualized environments. The Xen mandatory access control framework is being completed with resource controls (largely submitted and committed into the Xen-devel tree) and local network controls (to be submitted very soon). A simple policy creation GUI and the Xen user guide chapter will follow promptly and aim at making it easy to experiment with this framework by August. You assume correctly that we are pursuing research and development related to a distributed reference monitor. We are pretty far into this topic and have existing collaborations with Universities. However, there are many interesting open topics. I have quickly put together the following list of topics that seem both critical for Xen security and interesting from a development and research perspective. I think that those topics are good starting points for interested people to become familiar with Xen and security and to contribute to Xen in the security area: * secure services, e.g., monitoring of user domains (anti virus, IDS), auditing, etc. --> there are existing monitoring projects, e.g., Xen Introspection Library (http://www.bryanpayne.org/3_software.php), Xen/Snort (http://www.xensource.com) and certainly many that I am not aware of * creating minimal domains (not necessarily Linux) to (i) safely host hardware devices (e.g., storage) and share it among different workloads or (ii) to host secure services mentioned above * applications leveraging the sHype/Xen mandatory access controls * building Trusted Virtual Domains on top of the Xen virtualization (for an overview of TVD concepts, see for example http://www.research.ibm.com/ssd_tvd) -- this one might be a little heavy to lift for a single person but appropriate for small collaboration groups We are pursuing some of these topics ourselves. However, we depend on the community to help make these things happen. Therefore, we are very open to consulting others who work in these areas and we are open to collaborations. I encourage readers of this list to contribute topics in any Xen security area where they are looking for help. Finally, we are very interested in knowing about any projects around Xen security (sHype/ACM, vTPM, and secure services) and will help where we can to ensure that Xen security services matter to users and distributions. Best Regards Reiner __________________________________________________________ Reiner Sailer, Research Staff Member, Secure Systems Department IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532 Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sailer@xxxxxxxxxx http://www.research.ibm.com/people/s/sailer/
Hello everyone, I've read a recent thread (http://lists.xensource.com/archives/html/xense-devel/2006-04/msg00001.html) and a very interesting document (http://domino.research.ibm.com/library/cyberdig.nsf/papers?SearchView&Query=RC23865&SearchMax=10) and I would like to know if the concept of a distributed reference monitor for enforcing MAC policies is something on which you are working on, and in what areas of security is possible (if possible) to help in the development of Xen. Thank you very much! _______________________________________________ Xense-devel mailing list Xense-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xense-devel _______________________________________________ Xense-devel mailing list Xense-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xense-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |