A computing system typically includes hardware such as processors and memory, and software such as an operating system (OS) which functions as an agent between application programs and the hardware. Many computing systems include multiple processors, and a number of computing environments also include a security module. An example of a security module is a trusted platform module (TPM) comprising a hardware module that enforces security. An example TPM specification is published by the Trusted Computing Group (TCG) at www.trustedcomputinggroup.org/home. When a computing system with a TPM receives processing requests, the computing system enforces security policies based on the TPM verification.
An area of interest for providing security is in virtualization which involves a process of simulating several virtual machines (VMs), each running a separate operating system instance. Each OS may run in a different VM. For example, Xen is a virtual machine monitor (VMM), also know as a hypervisor, for managing the VMs that execute on a host machine to provide the functionality of several guest operating systems on top of the host, on the same computer hardware at the same time.
The Xen Security Module (XSM) is in development by the National Security Agency (NSA). The XSM is a security architecture implemented in the Xen hypervisor for controlling accesses to hardware resources from individual VMs running beyond the hypervisor and inter-VM communications. The basic architecture of the XSM is derived from Security Enhanced Linux (SELinux). SELinux is an initiative by the NSA (http://www.nsa.gov/selinux/), which uses Mandatory Access Control (MAC) mechanisms that provide only those necessary accesses a program needs to perform its task (also known as the principle of least privilege).
SELinux is an implementation of MAC using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. A Linux kernel integrating SELinux enforces MAC policies (access control policies) that confine user programs/processes and system servers to the minimum amount of privilege they require for performing tasks. This is independent of the traditional Linux access control mechanisms.
Similar to SELinux, the access control policies in XSM are based on static attributes such as domain or subject types and labels, such that dynamic trusted computing (TC) attributes such as TC-related information cannot be supported. TC is a technology developed and promoted by the Trusted Computing Group (https://www.trustedcomputinggroup.org/home). Typical TC-related information includes the configuration of the host and VMs, the running state of the VMs, the loading and running integrity of the VMM and VMs. TC policies are security requirements according to TC-related attributes or information. For example, policies such as “A VM can access a resource or talk to another VM only when both are running in a good state” cannot be enforced in XSM.
IBM developed a secure hypervisor (sHype) based on the Xen hypervisor to control accesses to virtualized resources and to control information flow between VMs. However, sHype becomes an example policy module in XSM, and only enforces policies based on VM labels, making it unsuitable for enforcing trusted computing policies.