Security and Integrity of a Distributed File Storage in a Virtual Environment

BAIARDI, FABRIZIO;G. SALA
2007-01-01

Abstract

Virtual environment secure file system (VSFS) is a software architecture for secure file sharing among applications with different trust levels that consists of a set of interconnected virtual machines (VMs). Application VMs (APP-VMs) run the application processes that transparently access remote shared files hosted by file system VMs (FS-VMs). Each FS-VM implements a mandatory access control (MAC) security policy to control file sharing. To define and enforce this policy, VSFS uses SELinux. Each APP-VM is labeled with a security context paired with the IP address of the VM. FS-VMs use this context to check access rights of the APP-VMs with respect to the requested files and operations. A third set of VMs, the administrative VMs (A-VMs), provides assurance about the integrity of the FS-VMs and implements anti-spoofing techniques to authenticate each file request sent by the APP-VMs. After describing the overall architecture, we discuss the security and performance results of a first prototype. These first results show that the overhead due to mandatory access control is fairly acceptable.
Publication year: 2007
ISBN: 9780769530529
Use this identifier to cite or link to this document: https://hdl.handle.net/11568/113679