A Hypervisor-Based Bus System for Usage Control

Cornelius Moucha, Enrico Lovat, Alexander Pretschner
2011 2011 Sixth International Conference on Availability, Reliability and Security  
Data usage control is concerned with requirements on data after access has been granted. In order to enforce usage control requirements, it is necessary to track the different representations that the data may take (among others, file, window content, network packet). These representations exist at different layers of abstraction. As a consequence, in order to enforce usage control requirements, multiple data flow tracking and usage control enforcement monitors must exist, one at each layer. If
more » ... e at each layer. If a new representation is created at some layer of abstraction, e.g., if a cache file is created for a picture after downloading it with a browser, then the initiating layer (in the example, the browser) must notify the layer at which the new representation is created (in the example, the operating system). We present a bus system for system-wide usage control that, for security and performance reasons, is implemented in a hypervisor. We evaluate its security and performance. Keywords-Usage Control, Virtualization, Information Flow it is processed according to the message type. VI. EVALUATION Requirement 1 (Section III) and its sub-requirements are met by design. Performance: We evaluate the performance of the communication infrastructure, i.e., the message exchange between one monitor and the bus component, as well as the communication between two monitors using a notification message. To do so, we compare our solution (Scenario 1)
doi:10.1109/ares.2011.44 dblp:conf/IEEEares/MouchaLP11 fatcat:bnpoecj7h5arvodeprv6h7z2ie