Retrofitting the IBM POWER Hypervisor to Support Mandatory Access Control

Enriquillo Valdez
IBM T. J. Watson Research Center
USA

Reiner Sailer
IBM T. J. Watson Research Center
USA

Ronald Perez
IBM T. J. Watson Research Center
USA

Distributed workloads execute today in multiple VMs running on multiple platforms and using many different kinds of shared resources. Such workloads require isolation at the abstraction level of distributed workloads and shared resources rather than of individual machines and individual resources. However, today's commercial hypervisors usually offer isolation only between individual virtual machines (VMs). On hypervisor-based platforms, customers cannot currently define formal models that enforce restrictions on the sharing of resources based on their distributed workloads, nor request an air gap between competing workloads. In this paper, we address the problem of workload isolation on a single hypervisor-based system, which serves as the building block for enabling isolation guarantees across a set of virtualized platforms. We describe the design and implementation of a Hypervisor-based Mandatory Access Control (MAC) that implements a formal security model for achieving distributed workload isolation on the IBM Power Hypervisor (PHYP). Using formal descriptions of the sharing capabilities between virtual machines, and enforcing them independently of the protected workloads, supports stronger compliance proofs than audit logs alone and prevents local administrators from violating those rules, e.g., through mistakes in the assignment of storage or network resources to VMs. We describe our experiences and lessons learned, and we examine the implications and trade-offs involved in providing MAC on a production-level, commercially available hypervisor. Incorporating MAC into PHYP formalizes workload isolation, which in turn simplifies the security management of a single platform or of multiple platforms.
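To make the abstract's argument concrete, the following is an added illustrative example (not code from the paper or from PHYP): a toy reference monitor that labels VMs with a workload, records which workloads may share resources and which must stay air-gapped, and rejects a resource attachment that would violate those rules, so that an administrator's mis-assignment of a disk or network adapter is blocked rather than merely logged. The policy vocabulary, workload names and resource identifiers are all assumptions constructed for the example.

```python
"""Toy workload-isolation reference monitor (illustrative, not the paper's design)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # workload label -> set of workload labels it is allowed to share resources with
    sharing: dict[str, set[str]] = field(default_factory=dict)
    # groups of competing workloads that must never touch a common resource (air gap)
    conflicts: list[set[str]] = field(default_factory=list)

    def may_share(self, a: str, b: str) -> bool:
        """Two VMs of workloads a and b may use one resource only if no conflict set
        contains both and the sharing relation allows it in both directions."""
        if a == b:
            return True
        if any(a in cs and b in cs for cs in self.conflicts):
            return False
        return b in self.sharing.get(a, set()) and a in self.sharing.get(b, set())


@dataclass
class Monitor:
    policy: Policy
    vm_label: dict[str, str]                      # VM name -> workload label
    resource_users: dict[str, set[str]] = field(default_factory=dict)  # resource -> VMs

    def attach(self, vm: str, resource: str) -> bool:
        """Reference-monitor check on the administrative action 'attach resource to vm'.
        The attachment is refused if any VM already on the resource belongs to a
        workload this VM's workload may not share with."""
        label = self.vm_label[vm]
        for other in self.resource_users.get(resource, set()):
            if not self.policy.may_share(label, self.vm_label[other]):
                return False
        self.resource_users.setdefault(resource, set()).add(vm)
        return True


def demo() -> list[bool]:
    # Constructed scenario: payroll and analytics may share; acme and globex compete.
    policy = Policy(sharing={"payroll": {"analytics"}, "analytics": {"payroll"}},
                    conflicts=[{"acme", "globex"}])
    mon = Monitor(policy, {"vm1": "payroll", "vm2": "analytics",
                           "vm3": "acme", "vm4": "globex"})
    return [mon.attach("vm1", "lun7"),   # first user of lun7: allowed
            mon.attach("vm2", "lun7"),   # payroll/analytics may share: allowed
            mon.attach("vm3", "lun9"),   # first user of lun9: allowed
            mon.attach("vm4", "lun9"),   # air gap between acme and globex: denied
            mon.attach("vm3", "lun7")]   # no sharing rule acme<->payroll: denied
```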

Keywords: Hypervisor, PHYP
