jens
Uploaded by
11 SLIDES
264 VUES
110LIKES

Understanding Xen Security Policies: Structure, Implementation, and Improvement Strategies

DESCRIPTION

This document explores the core ideas and implementation strategies behind Xen Security Policies (XSP). It describes the fundamental constructs, including subjects, objects, and access control rules. We dive into policy management services, domain creation, and specific implementations of access control hooks. Furthermore, we discuss potential improvements such as time-limited rules and dynamic change capabilities. By encapsulating types and establishing common labels, we highlight enhancements for effective policy management. This guide aims to facilitate a better understanding of security policy frameworks within the Xen environment.

1 / 11

Download Presentation
Télécharger la présentation

Understanding Xen Security Policies: Structure, Implementation, and Improvement Strategies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. XEN STE POLICY • Basic Idea • Implementation • Improvement

  2. Basic Idea • Subject • domain • Object • file, dir, device, domain • Rules • access control array

  3. Basic Idea • Type • Basic type, can not be used directly • Label • Encapsulate types • Subject Label • Object Label • Rule • Only two labels share at least one common type that access can be permit

  4. Implementation • policy management services(7) • domain management control hooks(2) • event channel control hooks(2) • grant table control hooks(2) • generic domain-requested decision hooks(2) • other(1)

  5. Implementation • domain_create(...,ssidref) • xsm_domain_create(d,ssidref) • xsm_ops->domain_create(d,ssidref) • acm_domain_create(d,ssidref) • acm_primary_ops->domain_create() acm_primary_ops->acm_init_domain_ssid • ste_domain_create() • ste_pre_domain_create()

  6. Implementation • acm_primary_ops->acm_init_domain_ssid • ste_init_domain_ssid

  7. Domain ssid struct acm_binary_policy{ …. u16 primary_policy_code; …. }; struct acm_ssid_domain { struct list_head node; int datatype; ssidref_t ssidref; ssidref_t old_ssidref; void *primary_ssid; void *secondary_ssid; struct domain *subject; domid_t domainid; }; struct ste_ssid { ssidref_t ste_ssidref; struct acm_ste_cache_line \ ste_cache[ACM_TE_CACHE_SIZE]; }; struct domain { ….. void *ssid ….. };

  8. Implementation-another example • __gnttab_map_grant_ref • xsm_grant_mapref(ld,rd,op->flags) • acm_grant_mapref(ld,rd,op->flags) • acm_pre_grant_map_ref(id) • acm_primary_ops->pre_grant_map_ref(id) • ste_pre_grant_map_ref • share_common_type(subj,obj)

  9. Implementation-another example • GET_SSIDP() • have_common_type(ref_s,ref_o); dom1 dom2 domx

  10. Improvement • Add Time Limit • Dynamic change rules • To be continue......

  11. Thank You!

More Related
SlideServe
Audio
Live Player
Audio Wave
Play slide audio to activate visualizer
Slide 1

Sea Ice

Slide Player

AI NARRATOR Slide 1 of 12

Sea Ice

0:00 0:15