Secure isolation and sharing between virtual machines can be realised using mandatory access control (MAC) technology, but current MAC mechanisms cannot effectively protect the resources inside a virtual machine. Based on a thorough analysis of current Xen virtualisation technology and mandatory access control technology, in this paper we propose a virtual mandatory access control (VMAC) framework for the Xen Security Module (XSM)/Flask architecture. The framework provides centralised management and operation of security policy at two levels, the virtual machine (VM) and the virtual machine monitor (VMM), and implements fine-grained mandatory access control for Xen.