V-MGSM: A Multilevel and Grouping Security Virtualization Model for Mobile Internet Service

With the pervasiveness of smart phones and the advance of Mobile Internet, more and more Mobile Internet services migrated to the cloud service platform for better user experience. As one of the most indispensable components of the cloud computing infrastructure, virtualization technology has attracted considerable interest recently. However, the flourish of virtualization still facesmany challenges in information security. In this paper, we propose a novel architecture, calledmultilevel and grouping security model for virtualization (V-MGSM), for the security of resources in cloud computing platform. Specifically, to fulfill the balance between information sharing and privacy preservation, the virtual machines (VMs) are divided into diverse groups based on their corresponding entities, and each VM in the same group is assigned to different security level according to security requirements. Besides, the operation between VMs is based on mandatory access control mechanism. Detailed security analysis shows that the proposed V-MGSM can provide a secure communication mechanism for VMs and implement the synchronous updates of the borrowed data. Ultimately, we implement V-MGSM in Xen for experiments, and the results demonstrate that V-MGSM can indeed achieve data security and privacy protection efficiently for Mobile Internet service.


Introduction
In our information society, Mobile Internet which makes Internet connection accessible and ubiquitous is becoming increasingly adopted by ordinary consumers. With wide popularity and broad application, Mobile Internet service performs adding huge income to business communities and the Mobile Internet industry has recently started to take off [1][2][3]. By the end of March 2013, there were more than 81 million Mobile Internet users in China which generated beyond 20 billion dollars Mobile Internet market scale.
With tremendous advancement in mobile technology, people expect more services whenever and wherever possible. Although current mobile technologies and improvements allow shopping online, chatting online, or any other mobile applications through mobile terminals, several certain issues which hinder the communication process need to be addressed. For example, people tend to use mobile terminals such as smart phones to do anything realizable which causes series of problems including the following: the calculation load is magnified, the battery standby time is shortened, and the storage is limited. For the presented problems of mobile terminals, especially the limited computing ability and the limited storage discussed above, it is necessary to migrate Mobile Internet services to cloud platform to decrease the amount of computation and extend the standby time. A main advantage of cloud computing is to provide large storage and powerful computing ability by cloud server [4][5][6]. From this prospective, the cooperation between cloud computing and the Mobile Internet which is promising for cloud computing can transport applicable computing ability and storage from terminals to the cloud server. In short, the emergence of cloud computing is significant for the continued development of the Mobile Internet. Figure 1 illustrates the necessity for traditional Mobile Internet services to be migrated to cloud service platform. Specifically, the larger the service scale is, the more the physical devices and instruments it requires to execute implementation are. In particular for Mobile Internet services, since it is constrained for the capacity of mobile terminals,  more resources are required in the server of service provider [7,8]. Benefiting from the increasing of computing ability and the decreasing of costs, virtualization technology brings many advantages over general technology in IT industry, such as raising utilization of hardware and promoting quality of service. For full use of infrastructure and reduction of the cost, more and more Mobile Internet service providers tend to migrate their services into a cloud service platform. However, the migrations of Mobile Internet service providers from conventional model to cloud services platform result in security issues which has become a critical concern. With virtualization, multitenant including medical service, education service, and enterprise service offers different services upon the same platform and may incur new vulnerabilities to the cloud platform, especially privacy violation between different service providers and internal access by VMs within one service provider. Even though virtualization security has attracted considerable interest in recent years and several secure solutions have been proposed [9,10], the flourish of secure solutions for virtualization still faces many challenges in the balance between information sharing and privacy preservation. Security issues on virtualization technology have been the dominating barrier to the development and widespread use of Mobile Internet.
(i) A VM illegally accesses to another relatively important VM in a virtualization system without authorization, which may cause the leakage of confidential information.
(ii) To improve the efficiency of an organization, it is necessary to guarantee the information sharing among VMs which belong to the same organization.
(iii) Virtual machine monitor (VMM) has the highest priority in a virtualization system, and the virtualization system will be broken if VMM is accessed illegally.
In order to construct a secure communication mechanism for virtualization [11] and fulfill the balance between information sharing and privacy preservation, a new multilevel and grouping security access control model (V-MGSM) is proposed in this paper. And our main contributions are threefold.
(i) In V-MGSM model, to implement the efficient isolation for VMs corresponding to different organizations, all VMs have been divided into several groups, which can avoid the unnecessary access and provide the privacy preservation among different groups.
(ii) For reasonable and secure access control, different security levels are assigned to VMs in the same group.
In particular, a low-level VM is not able to access other VMs which have higher security levels; one VM could not access other VMs which are divided into other groups; and VMs with high level could manage VMs with low level. Then, the confidential information in a high-level VM will not be obtained by some malicious low-level VMs.
(iii) In the same group, a high-level VM could borrow data from a low-level VM, and when the borrowed data is modified in the low-level VM, the corresponding data in the high-level VM will be updated synchronously.
The remainder of this paper is organized as follows. In Section 2, we survey the related works. In Section 3, we Mobile Information Systems 3 present the architecture of our proposed V-MGSM model. Then, we provide the correctness and security proof of V-MGSM model in Section 4, followed by implementation in Section 5. Finally, we draw our conclusions in Section 6.

Security Mechanisms for Virtualization.
With the prosperity of virtualization, the security of communications between VMs has attracted considerable interest recently. The necessity of communication between VMs in the specific application scenario was firstly pointed out in [12], which mentioned that the implementation of access control mechanism for VMs' communication was also essential. Furthermore, as a mandatory access control (MAC) mechanism, sHype [13] was one of the most well-known security architectures for VMM. Based on Xen, both the communication between VMs and the hardware resource access by VMs could be controlled well by sHype, which determine the kind of VMs that should run simultaneously according to the interest conflicts. However, the type of communication between VMs was not defined in sHype. Recently, some attention has been devoted into communication types between VMs. A Prioritized Chinese Wall (PCW) policy [14] was proposed, constructing a set of VMs which could communicate with each other dynamically. A role-based access control policy [15] was proposed later, which focused on the communication between guest VMs and VMM layer. However, they all ignored inter-VMs communication. A Virt-BLP model [16] based on BLP [17] model was proposed, which met the requirements of multilevel security for virtualization. As a security communication mechanism for virtual machine system, Virt-BLP model secured the communication between VMs, while the memory taken by access control matrix was so large.

Development of Multilevel Access Control Model.
At present, there are several security models and methods used in nonvirtualized system to guarantee the access control. Bell-LaPadula Model [18], SeaView model [19], and multilevel relational (MLR) [20] model have been introduced after thirty years of the research on multilevel access control [21]. Compared with other models previously proposed, MLR was clear in semantics and perfect in function after years of research on the security access control model and has been widely used in several areas and was pretty secure as a multilevel security model. However, in a multilevel user system, due to the fact that a high-level user may want to borrow data from a low-level user when it is reasonable and necessary, a high-level user can borrow data from lowlevel tuple in MLR and the high-level tuple which does have this borrowed data will be updated or deleted synchronously when the borrowed data has been modified by the lowlevel user. Meanwhile, a deadly secure risk caused by data borrowing in MLR is that the change of a high-level user's perspective by a low-level user may result in the leakage of confidential data from high-level user if a borrowed relation exists between these two users.

Proposed V-MGSM Model
In this section, we redesign the architecture, elements, data explanations, security theorem, and state transition rules for better use in virtualization and propose a multilevel and grouping access control model on the basis of MLR model to construct a secure communication mechanism for VMs. We first review the architecture of virtualization, which serves as the basis of V-MGSM model.
The practical architecture of virtualization is shown as in Figure 2(a). With a software layer VMM inserted between hardware and operating systems, several VMs could run on one single physical machine at the same time. In addition, for secure communication between VMs, a mandatory access control (MAC) module is constructed to control the flow of communication between VMM and VMs. However, from different VMs' perspectives, VMM is regarded as different entities. As shown in Figure 2(b), a virtualization system could be divided into several groups according to VMs' corresponding organizations such as User System 1 and User System 2, each of which consists of VM1 and VM2, VM3 and VM4, respectively. What is more, in user system's perspective, they are managed and controlled by VMM1 and VMM2 separately, although there is only one VMM in virtualization system indeed.

Elements of V-MGSM Model.
Before introducing the formal definitions of the multilevel relational model and multilevel relation for virtualization, in this part, we define the basic elements of V-MGSM model as follows.
(i) Subject and Object. Subjects represent active entities such as processes and users; objects represent passive entities such as data and files. In V-MGSM model, one VM is considered as a subject or an object based on the information flow of a communication process.
(ii) Security Level. Assuming that there are two VMs in virtual machine system, if and only if the subject and the object are in the same organization and the security level of subject is higher than or equal to that of the object, then the object can be accessed by the subject.
(iii) Data Attributes. In V-MGSM model, with virtualization system grouped on the basis of entities, in the scenario of communication between VMs, a VM could be queried by another VM only when they are corresponding to the same entity.  . Then, all data of data attributes and security levels in multilevel relation meet the following expression: Concretely, each relational instance ( 1 , 1 , 2 , 2 , . . . , , , ) consists of many records ( 1 , 1 , 2 , 2 , . . . , , , ), which are the records of VMs. All data and security levels in the relational instance meet the following expression:

Data Explanations of V-MGSM Model.
To avoid the fuzziness in the querying result which may occur in accessing a VM in MLR, two important properties, Entity Multi-Instance and Record Multi-Instance, are introduced. And Table 1 is an example taken to describe the definition of Entity Multi-Instance and Record Multi-Instance. Two entities (Gun, ) and (Gun, ) are described in Table 1, which are created by -subject and -subject, respectively; level is the lowest level, -record is a basic record and could only access -record, and it could only be deleted by -subject as well; TS is higher than in security level. Thus, both TS-record and -record could be accessed by TS-subject; TS-subject has borrowed the value of attribute Range "2" which is authorized by TS-subject. However, the value of the attribute quantity in TS-subject is set by TS-subject as the value of attribute quantity in -subject is not authorized by TS-subject. Then, two kinds of multi-instance including Record Multi-Instance and Entity Multi-Instance are mentioned in the example shown above.  Definition 4 (Entity Multi-Instance). In a multilevel relation, the records which have the same value of 1 and different values of 1 are called Entity Multi-Instance, meaning that the levels of entities are different. Then, the meaning of ( 1 , 1 , 2 , 2 , . . . , , , ) can be explained as follows.
(i) Primary Key 1 and Security Level Attribute 1 in V-MGSM Model. Let 1 denote the value of the primary key as well as the name of a VM, and let [ 1 ] denote both the identity of entity corresponding to VM and the security level of the entity in an instance .
[ 1 ] = 1 implies that the security level of the entity is 1 and the entity with security level 1 is called 1 -entity. In V-MGSM, with VMs divided into different groups according to their corresponding entities, different security levels are assigned to these entities. Given the value of 1 at the specific moment, only one entity could be authorized by subjects who have the same value of 1 .
(ii) Security Level Attribute in a Record. [ ] = represents that record is inserted by a VM with level , called -VM, and the data in this record is authorized by -VMs. If no corresponding record existed, it means that the entity is not authorized by -VM. The security level of a record, called , is used to judge whether the access is successful. Specifically, the data of VMs could be accessed by a subject who has a higher level than . In other words, a -VM could access other VMs if

Security Theorem of V-MGSM.
In this part, we first elaborate the modified Simple-security- * property, which is selected as one of the basements for V-MGSM model and was initially proposed in BLP model. Then, four integrated properties designed for V-MGSM are introduced.
Definition 5 (Simple-security- * property). In V-MGSM model, the security level of a subject is not dominated by the security level of an object. VMM has the highest priority in a virtualization system; VM could only read data from other VMs with lower levels in the same group and could not read data from VMM or other VMs with higher levels, eliminating the phenomenon of reading upward. Neither VMM nor other VMs with higher security levels could update or delete any data in low-level VMs, eliminating the phenomenon of writing downward. Moreover, two basic secure theorems defined in BLP model claimed that the phenomena of reading upward and writing downward should be avoided absolutely.
Definition 6 (Entity Integrated property). Entity Integrated property can be formally represented as . The modified Entity Integrated property is designed to confirm that every VM is divided into a unique group. 1 is the value of the primary key as well as the name of a VM and 1 is the security level of an entity corresponding to VM in an instance .
Definition 7 (Multi-Instance Integrated property). Multi-Instance Integrated property can be formally described as The modified Multi-Instance Integrated property is designed for the inexistence of fuzziness in the querying process, which may be caused by accessing the object by a subject in MLR. All instances with the same value of primary keys are allowed in any relation. However, given the security level, only one entity is authorized by the subject at most. For simplicity, only one entity is authorized by VMM according to the value of 1 when processing commands at specific moment.
To demonstrate the Multi-Instance Integrated property briefly and clearly, an example shown in Table 2 is used to describe the multi-instance conflict. Two entities with the same value of primary key "Gun3" and different values of 1 are presented in this example, which is not allowed in V-MGSM model. What is more, there is only one entity authorized to avoid the fuzziness in the querying result for a given security level. Compared with MLR, the advantage of V-MGSM model is that entity with multi-instance is permitted by crossing security levels. Meanwhile, only one entity is authorized when VM accesses other VMs. In V-MGSM, a high-level user cares more about the borrowed relation with a low-level user, rather than the detailed value of the borrowed data. The borrowed data is vindicated by the low-level VM and the security level of the borrowed data should be maintained as that of the lowlevel VM.
(i) The Main Thought of the Improved Data Borrowing. The thought of data borrowing in MLR model is relatively unreasonable, since amount of confidential information may leak from a high-level user because a low-level user can change the view of a high-level user. Compared with MLR which is designed for nonvirtualized system, V-MGSM model is more reasonable and could be applied to a virtualization system and the information in high-level VMs will not be leaked by a lowlevel VM's DELETE or UPDATE operation, overcoming the disadvantage of MLR model.

(ii) Conditions for a Successful Data-Borrowing Operation.
For secure inner communications between VMs within the same group, the improvement of V-MGSM mainly focuses on the aspect of data borrowing and synchronous update. In specific, we assume that the existence of the borrowed data is the basic condition for a successful data-borrowing operation by a high-level user; then, a low-level VM owns the value of the borrowed attribute; finally, the security level of borrowed data in the high-level VM is still maintained as the original security level, which ensures that the borrowed information is still vindicated by its creator. If none of the conditions is met, the borrowed data should be set null.
(iii) How to Perform Synchronous Update. The security level of the borrowed data is maintained as the original level in highlevel VM to perform synchronous update of the borrowed data when it has been modified or deleted by low-level VM. Therefore, the borrowed data from low-level VMs is set null or updated synchronously in high-level VMs when deleted or modified by the creator, avoiding losing important information.    Definition 12 (UPDATE manipulation language). Grammatical form of UPDATE manipulation can be described as follows: Semantics. For UPDATE manipulation language, the data of any VM could only be updated by its creator. In V-MGSM model, another situation, synchronous update of the borrowed information, is taken into consideration if highlevel VM has borrowed data from low-level VM. Definition 13 (SELECT manipulation language). Grammatical form of SELECT manipulation language is described as follows: Semantics. Let * denote selecting all data from relation , and let denote a check expression which could be security attribute expression or data expression. Data of VMs in relation 1 [, 2 ] will be calculated in , and record will be accessed by a higher-level subject in the same group. If

Correctness of V-MGSM Model.
To prove the correctness of V-MGSM model unambiguously, two steps are necessary.
One is the proof of all records in a relation that meet four integrated properties; the other one is the proof that any sequence of operations including INSERT, DELETE, and UPDATE transforms an arbitrary legal state into another legal state.
Definition 14. V-MGSM model is correctly equal to the fact that all records in a relation in a legal state in virtualization system meet four integrated properties defined in Section 3.

Definition 15.
A model is correctly equal to the fact that any legal state can be transformed into another legal state by any sequence of INSERT, DELETE, and UPDATE which are previously defined.
It is necessary to stress that INSERT, DELETE, and UPDATE operations change an arbitrary legal state in virtualization system into another legal state. Evidently, any SELECT operation does not change any state because no data is inserted, updated, or deleted. Then, we assume that record has been operated in the following steps. (iii) Any UPDATE operation does not break four integrated properties. Actually, all integrated properties have been met mandatorily based on the semantics of UPDATE operation. Therefore, if the initial state is correct, any state transformed from any correct state by an UPDATE operation is correct or legal as we defined in Definition 15.
Hence, all related operations can transform a legal state into another legal state without breaking four integrated properties. Eventually, we can prove that the proposed V-MGSM model is correct.

Security Analysis.
To prove the security of V-MGSM model, we define the secure state and explain the reason why the state is still secure after executing series of operations mentioned in the earlier part. The output of any subject 2 belonging to ( ) is not influenced by deleting any input of subject 1 belonging to ( ). Let S be the set of all subjects including all VMs, and let be all records with different levels in a virtual machine system. Then, we define ( ) as a set of all subjects whose security levels are lower than or equal to , ( ) denote a set of all records whose levels are lower than or equal to , and ( ), ( ): S-SV( ) are ( ), R-RV(c), respectively. For any access level , we have obtained the following equations with great ease according to the meaning of each notation: To prove the security of V-MGSM model, we take sequence of operations including INSERT, DELETE, SELECT, and UPDATE by VMs as input in V-MGSM and output the result which includes two parts: (1) a set of records or result of failed access is returned to VM by any SELECT operation; (2) the successful or failed information returns to the subject after INSERT, DELETE, or UPDATE operation.
Upon analyzing the possible access results returned to the subject, the security proof of V-MGSM consists of two situations.
(i) For any access level c, the output to any subject ∈ ( ) is not influenced by changing ( ) and four cases in the following need to be taken into consideration.
(a) Due to the semantics of SELECT operation, when executing a SELECT manipulation bysubject and is less than or equal to , no record in the set RH( ) will be returned to subject . Therefore, the output to the subject ∈ ( ) is not influenced by changing ( ) as ( ) ⊇ ( ). Wherein is the record created by a -subject and is the record created by a -subject, only records r and are involved and should be taken into account. The successful or failed information, which is delivered to the subject s ∈ SV (c), is not influenced by changing ( ) because , ∈ ( ) ⊇ ( ). Then, we can draw a conclusion that ( ) is not changed by deleting any input of a subject ∈ ( ). Since is greater than , ∉ ( ).
Finally, we draw a conclusion that no downward information flow exists during communication process. The results returned to any subject 2 belonging to set ( ) which is not influenced by deleting the input of any subject s 1 belonging to set ( ). Thus, any state of virtualization transformed from a secure initial state is maintained securely after new state transition rules are carried out.

Implementation of V-MGSM Model
As shown in Figure 3, we construct a MAC framework which is composed of VMM, Management, XSM, V-MGSM MAC, ACCF, and VMs. Specifically, ACCF denotes access control configuration file, Management is used to manage the access control over other VMs in Domain0, and V-MGSM MAC is a security module which is implemented as a security hook function based on XSM, provided by Xen, and manages communications between VMs according to the state transition rules in V-MGSM model. When a VM makes a request to access another VM with access attribute SELECT, UPDATE, or DELETE, the XSM intercepts the request; and XSM transfers this access request to V-MGSM MAC; then, ACCF stores the access authority and relation between subjects and objects, which is used to help V-MGSM MAC to determine whether the access request is declined or not; finally, V-MGSM MAC returns the decision. If the returned decision is "Yes, " then XSM authorizes the subject to access the object with the access attribute; otherwise, the access is declined. The implementation is built in a workstation with four quad-core Intel Core i7, 2.5 GHz CPUs, 16 GB memory, and 1 T storage. In specific, the version of Xen is 3.3.1, the operating system in Domain0 is CentOS 5.4, and each VM covered in the test operates on Ubuntu 8.10. A web service is provided by Apache in Domain0, through which each VM could log in and query information of shared memory; in addition, a software used to apply to sharing memory and set the value in shared memory, called Virmem, is executed in every VM.
Step 1 (the initialization of the virtualization in Xen). Five VMs are created in Xen and denoted by VM1, VM2, VM3, VM4, and VM5, respectively, and the security levels of them are H3, H2, H1, H3, and H2, where H3 > H2 > H1. For efficient privacy preservation between different organizations, VM1, VM2, and VM3 are grouped into User System 1, and VM4 and VM5 are in User System 2; the unique identifications of User System 1 and System 2 are L1 and L2, respectively. Then, the Virmem in VM3, VM4, and VM5 is applied for sharing the memory and sets the first byte of each shared memory by " , " " , " and " , " respectively. And VM2 is applied for sharing the memory to VM1 and sets the first byte's value by " . " Step 2 (VM1 in User System 1 and VM4 in User System 2 query all shared memory in Domain0 by web service, resp.). Then, the results are shown in Tables 3(a) and 3(b). As VM1 owns the highest security level, all data in User System 1 but not User System 2 could be queried by VM1. And as shown in Table 3(a), the values of 1 in these records are the same which means that all VMs are corresponding to the same group User System 1. As shown in Table 3(b), when VM4 queries all shared memory in User System 2, the value of 1 is also the same. Therefore, the result shows that our proposed V-MGSM model is correctly and securely applied to the privacy preservation for virtualization.
Step 3 (the value of shared memory is updated by VM2). VM2 in User System 1 updates the first byte's value of shared memory to " " by Virmem. Then, VM2 queries shared memory by web service in Domain0, and the result is shown as in Table 3(c).
Step 4 (VM1 queries shared memory again). As shown in Table 3(d), the value of data in both first and second records is modified to " . " Hence, the value of borrowed shared memory in a high-level VM could be updated synchronously and successfully if it is updated by its owner, a low-level VM.
The experimental results show that multilevel security access control for VMs and efficient isolation for VMs corresponding to different groups and synchronous update have been implemented in a virtualization system and perform a secure communication process between VMs.

Conclusions
In this paper, based on multilevel relation, a new multilevel and grouping security model, called V-MGSM, is proposed for virtualization. In specific, on the basis of the security requirements for different VMs, we redesign the elements, integrated properties, and data manipulation languages of V-MGSM model, and all VMs are divided into several groups based on their corresponding entities, which can avoid the unnecessary access and provide the privacy protection among different groups. Besides, different security levels are assigned to VMs in the same group, and the confidential information in a high-level VM will not be obtained by some malicious low-level VM. Then, when the borrowed data is modified in the low-level VM, the corresponding data in the highlevel VM will be updated synchronously. In addition, detailed security analysis shows that the proposed V-MGSM can provide a secure communication mechanism for VMs and achieve the synchronous updates of the borrowed data. Eventually, we implement V-MGSM in Xen for experiments, and the results demonstrate that V-MGSM can indeed achieve efficiency for Mobile Internet service.

Disclosure
The abstract of this paper has been presented in the 5th International Conference on Intelligent Networking and Collaborative Systems, pp. 9-16, 2013 [1].