Conference: International Conference on Information and Communications Security

Simau: A Dynamic Privilege Management Mechanism for Host in Cloud Datacenters


Abstract

Nowadays, a majority of cyber-attacks are associated with insider threats owing to improper privilege management. Though a number of access control mechanisms have been carried out, insider threats are continuously increasing. In the cloud, however, the physical machines of datacenters are still exposed to danger. Without trusted hosts as the foundation, any further measurements for virtual machines are in vain. In this paper, we introduce Simau: a mechanism that constrains the privileges of root on each host in the cloud. It deploys a decision engine in user-space to support variable security policies. The scope of Simau covers both kernel-space and user-space. Under Simau, once a system administrator logs into a host, he has only the least privileges needed to finish his missions, and all his requests for privileged operations are determined by Simau. Finally, the experiments show good performance of our mechanism.
