{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:39:33Z","timestamp":1750307973936,"version":"3.41.0"},"reference-count":40,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2007,7,1]],"date-time":"2007-07-01T00:00:00Z","timestamp":1183248000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGOPS Oper. Syst. Rev."],"published-print":{"date-parts":[[2007,7]]},"abstract":"<jats:p>In this work, we show how the abstraction layer created by a hypervisor, or virtual machine monitor, can be leveraged to reduce the complexity of mandatory access control policies throughout the system. Policies governing access control decisions in today's systems are complex and monolithic. Achieving strong security guarantees often means restricting usability across the entire system, which is a primary reason why mandatory access controls are rarely deployed. Our architecture uses a hypervisor and multiple virtual machines to decompose policies into multiple layers. This simplifies the policies and their enforcement, while minimizing the overall impact of security on the system. We show that the overhead of decomposing system policies into distinct policies for each layer can be negligible. Our initial implementation confirms that such layering leads to simpler security policies and enforcement mechanisms as well as a more robust layered trusted computing base. We hope that this work serves to start a dialog regarding the use of mandatory access controls within a hypervisor for both increasing security and improving manageability.<\/jats:p>","DOI":"10.1145\/1278901.1278905","type":"journal-article","created":{"date-parts":[[2007,9,14]],"date-time":"2007-09-14T13:44:55Z","timestamp":1189777495000},"page":"12-19","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":28,"title":["A layered approach to simplified access control in virtualized systems"],"prefix":"10.1145","volume":"41","author":[{"given":"Bryan D.","family":"Payne","sequence":"first","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA"}]},{"given":"Reiner","family":"Sailer","sequence":"additional","affiliation":[{"name":"IBM T.J. Watson Research Center, Hawthorne, NY"}]},{"given":"Ram\u00f3n","family":"C\u00e1ceres","sequence":"additional","affiliation":[{"name":"IBM T.J. Watson Research Center, Hawthorne, NY"}]},{"given":"Ron","family":"Perez","sequence":"additional","affiliation":[{"name":"IBM T.J. Watson Research Center, Hawthorne, NY"}]},{"given":"Wenke","family":"Lee","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA"}]}],"member":"320","published-online":{"date-parts":[[2007,7]]},"reference":[{"volume-title":"http:\/\/www.commoncriteria.org\/docs\/index.html","year":"1999","key":"e_1_2_1_1_1","unstructured":"Common criteria for information technology security evaluation version 2.1. http:\/\/www.commoncriteria.org\/docs\/index.html , 1999 . Common criteria for information technology security evaluation version 2.1. http:\/\/www.commoncriteria.org\/docs\/index.html, 1999."},{"volume-title":"http:\/\/sourceforge.net\/projects\/ffsb","year":"2006","key":"e_1_2_1_2_1","unstructured":"Flexible file system benchmark (FFSB) version 5.1. http:\/\/sourceforge.net\/projects\/ffsb , 2006 . Flexible file system benchmark (FFSB) version 5.1. http:\/\/sourceforge.net\/projects\/ffsb, 2006."},{"issue":"4","key":"e_1_2_1_3_1","article-title":"Advanced virtualization capabilities of POWER5 systems","volume":"49","author":"Armstrong W. J.","year":"2005","unstructured":"W. J. Armstrong , R. L. Arndt , D. C. Boutcher , R. G. Kovacs , D. Larson , K. A. Lucke , N. Nayar , and R. C. Swanberg . Advanced virtualization capabilities of POWER5 systems . IBM Journal of Research and Development , 49 ( 4\/5 ), 2005 . W. J. Armstrong, R. L. Arndt, D. C. Boutcher, R. G. Kovacs, D. Larson, K. A. Lucke, N. Nayar, and R. C. Swanberg. Advanced virtualization capabilities of POWER5 systems. IBM Journal of Research and Development, 49(4\/5), 2005.","journal-title":"IBM Journal of Research and Development"},{"key":"e_1_2_1_4_1","volume-title":"Proceedings of the 2007 Security Enhanced Linux Symposium","author":"Athey J.","year":"2007","unstructured":"J. Athey , C. Ashworth , F. Mayer , and D. Miner . Towards intuitive tools for managing SELinux: Hiding the details but retaining the power . In Proceedings of the 2007 Security Enhanced Linux Symposium , March 2007 . J. Athey, C. Ashworth, F. Mayer, and D. Miner. Towards intuitive tools for managing SELinux: Hiding the details but retaining the power. In Proceedings of the 2007 Security Enhanced Linux Symposium, March 2007."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945462"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/69605.2085"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1164394.1164414"},{"key":"e_1_2_1_9_1","unstructured":"A. Bennett. Hole-in-the-chroot. http:\/\/clyde.concordia.ca\/security\/hole-in-the-chroot-v1\/.  A. Bennett. Hole-in-the-chroot. http:\/\/clyde.concordia.ca\/security\/hole-in-the-chroot-v1\/ ."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/373256.373261"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.4"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/363095.363143"},{"key":"e_1_2_1_13_1","volume-title":"Technical Report DoD 5200.28-STD","author":"D.","year":"1985","unstructured":"Do D. Trusted computer system evaluation criteria. Technical Report DoD 5200.28-STD , Department of Defense , 1985 . DoD. Trusted computer system evaluation criteria. Technical Report DoD 5200.28-STD, Department of Defense, 1985."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095813"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/MARK.1979.8817256"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945464"},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the Network and Distributed Systems Security Symposium","author":"Garfinkel T.","year":"2003","unstructured":"T. Garfinkel and M. Rosenblum . A virtual machine introspection based architecture for intrusion detection . In Proceedings of the Network and Distributed Systems Security Symposium , February 2003 . T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed Systems Security Symposium, February 2003."},{"key":"e_1_2_1_18_1","volume-title":"Network and Distributed System Security Symposium","author":"Gibson T. J.","year":"2001","unstructured":"T. J. Gibson . An architecture for flexible, high assurance, multi-security domain networks . In Network and Distributed System Security Symposium , San Diego, CA , February 2001 . T. J. Gibson. An architecture for flexible, high assurance, multi-security domain networks. In Network and Distributed System Security Symposium, San Diego, CA, February 2001."},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 12th USENIX Security Symposium","author":"Jaeger T.","year":"2003","unstructured":"T. Jaeger , R. Sailer , and X. Zhang . Analyzing integrity protection in the SELinux example policy . In Proceedings of the 12th USENIX Security Symposium , August 2003 . T. Jaeger, R. Sailer, and X. Zhang. Analyzing integrity protection in the SELinux example policy. In Proceedings of the 12th USENIX Security Symposium, August 2003."},{"key":"e_1_2_1_20_1","volume-title":"Proceedings of ACSAC","author":"Jaeger T. R.","year":"2005","unstructured":"T. R. Jaeger , S. Hallyn , and J. Latten . Leveraging IPsec for mandatory access control of linux network commmunications . In Proceedings of ACSAC , 2005 . T. R. Jaeger, S. Hallyn, and J. Latten. Leveraging IPsec for mandatory access control of linux network commmunications. In Proceedings of ACSAC, 2005."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.106971"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.38"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/362375.362389"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/361268.361272"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.5555\/647054.715771"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.55088"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/800122.803961"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.47"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1064979.1064984"},{"key":"e_1_2_1_30_1","volume-title":"Nettop: A network on your desktop","author":"Meushaw R.","year":"2000","unstructured":"R. Meushaw and D. Simard . Nettop: A network on your desktop . Tech Trend Notes (National Security Agency) , 9(4):3--11, Fall 2000 . R. Meushaw and D. Simard. Nettop: A network on your desktop. Tech Trend Notes (National Security Agency), 9(4):3--11, Fall 2000."},{"key":"e_1_2_1_31_1","unstructured":"National Security Agency. Security-Enhanced Linux. http:\/\/www.nsa.gov\/selinux\/.  National Security Agency. Security-Enhanced Linux. http:\/\/www.nsa.gov\/selinux\/ ."},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the 2006 Security Enhanced Linux Symposium","author":"PeBenito C. J.","year":"2006","unstructured":"C. J. PeBenito , F. Mayer , and K. MacMillan . Reference policy for security enhanced linux . In Proceedings of the 2006 Security Enhanced Linux Symposium , March 2006 . C. J. PeBenito, F. Mayer, and K. MacMillan. Reference policy for security enhanced linux. In Proceedings of the 2006 Security Enhanced Linux Symposium, March 2006."},{"key":"e_1_2_1_33_1","first-page":"28","volume-title":"Proceedings of the 15th National Computer Security Conference","author":"Proctor N. E.","year":"1992","unstructured":"N. E. Proctor and P. G. Neumann . Architectural implications of covert channels . In Proceedings of the 15th National Computer Security Conference , pages 28 -- 43 , Baltimore, Maryland , 1992 . N. E. Proctor and P. G. Neumann. Architectural implications of covert channels. In Proceedings of the 15th National Computer Security Conference, pages 28--43, Baltimore, Maryland, 1992."},{"key":"e_1_2_1_34_1","volume-title":"Proceedings of Black Hat USA 2006","author":"Rutkowska J.","year":"2006","unstructured":"J. Rutkowska . Subverting Vista kernel for fun and profit . In Proceedings of Black Hat USA 2006 , 2006 . J. Rutkowska. Subverting Vista kernel for fun and profit. In Proceedings of Black Hat USA 2006, 2006."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.13"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/361011.361067"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/800179.1124633"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.5555\/646648.759411"},{"key":"e_1_2_1_39_1","article-title":"The process of security","author":"Schneier B.","year":"2000","unstructured":"B. Schneier . The process of security . Information Security Magazine , April , 2000 . B. Schneier. The process of security. Information Security Magazine, April, 2000.","journal-title":"Information Security Magazine"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1217935.1217951"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030093"}],"container-title":["ACM SIGOPS Operating Systems Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1278901.1278905","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1278901.1278905","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T14:58:23Z","timestamp":1750258703000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1278901.1278905"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2007,7]]},"references-count":40,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2007,7]]}},"alternative-id":["10.1145\/1278901.1278905"],"URL":"https:\/\/doi.org\/10.1145\/1278901.1278905","relation":{},"ISSN":["0163-5980"],"issn-type":[{"type":"print","value":"0163-5980"}],"subject":[],"published":{"date-parts":[[2007,7]]},"assertion":[{"value":"2007-07-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}