With the development of cloud computing technology and the proliferation of Internet of Things (IoT) terminals, more and more scenarios require virtual machines and IoT terminals to cooperate. However, the security of virtual machines and IoT terminals faces many severe challenges. Based on the Bell-LaPadula (BLP) model, a task-oriented multilevel cooperative access control scheme, Virtualization and Reality BLP (VR-BLP), is proposed. Specifically, tasks are created for each user of the platform, and both tasks and users are divided into multiple levels, which gives finer granularity for limiting access between virtual machines and IoT terminals. Moreover, VR-BLP is implemented with network isolation cooperating with process isolation and shared memory isolation mechanisms to enhance the security isolation between tasks. Performance evaluations show that VR-BLP enhances the security of an environment combining virtualization and IoT without causing a significant performance penalty.
Since it was created in 2006, cloud computing [
To address security challenges in cloud environment, many access control schemes are proposed, such as RBAC [
Figure
Multiuser and multitask scenes over virtualization and IoT.
In order to construct a task-oriented secure isolation mechanism for an environment with virtualization and IoT, a new multilevel cooperative access control scheme named VR-BLP is proposed in this paper. Our main contributions are threefold. First, a task-oriented multilevel cooperative access control scheme for environments with virtualization and IoT, named VR-BLP, is proposed to enhance the security isolation between users and tasks. Second, network isolation cooperates with process isolation and shared memory isolation to enhance the security isolation between virtual machines and IoT terminals. Third, performance evaluations show that VR-BLP is an efficient multilevel access control scheme for environments with virtualization and IoT.
The remainder of this paper is organized as follows. In Section
The BLP [
A MUSHI system [
Though these works are meaningful and valuable, they do not consider the security issues of a task-oriented environment with virtualization and IoT. To satisfy the requirements of such an environment, a task-oriented cooperative access control scheme, VR-BLP, is proposed and implemented with network isolation cooperating with process isolation and shared memory isolation mechanisms, to enhance the security isolation between tasks.
In this section, we introduce the background relevant to the design and implementation of our VR-BLP scheme.
While giving the definition of the subject, the object, the security level function, the state, the state transition rules, and so on, BLP model defines that a system is secure if and only if the system always satisfies the simple security property, the
LSM [
SDN [
In this section, we redefine the architecture, elements, security properties, and state transition rules of the BLP model so that it better fits an environment with virtualization and IoT. We then propose a task-oriented multilevel access control scheme for such an environment to construct a secure isolation between users and tasks.
Before giving the formal definitions of the task-oriented multilevel access control scheme for virtualization and IoT, we define the basic elements of the VR-BLP model as follows.
The simple security property means that, for
The
In our scheme, the subjects are users and the objects are tasks. Tasks are created by users and are assigned different classifications; users are given different clearance levels by the system as we designed it. Our purpose is to let users with higher clearance levels access tasks with lower classifications. Since a task contains a set of resources, a user with a higher clearance level can read data from resources with lower classifications, but cannot write data to locations that belong to those resources. Conversely, a user with a lower clearance level cannot read data from resources with higher classifications, but can write data to locations that belong to them. These rules hold regardless of whether the resources are virtual machines or IoT terminals.
A rule is a function
Proposed VR-BLP scheme.
Read-only:
Given state
If
Else
Rule
Write-only:
Given state
If
Else
Rule
Read-Write:
Given state
If
Else
Rule
Let the initial state
Let the initial state
Let the initial state
This section introduces the application scenarios of the VR-BLP scheme and its design architecture.
As shown in Figure
Application framework of VR-BLP.
The system modules consist of three parts: the policy making module, the security label module, and the access control module.
Users are assigned different clearance levels according to the needs of the design, and tasks are assigned classifications equal to the clearance level of the user who creates them. Since tasks contain a set of resources, resources are mapped to tasks, so that users obtain multilevel security access control over resources. Therefore, the security label module attaches different security labels to tasks, and the access control module isolates resources through network isolation, memory isolation, and process isolation. The policy making module makes policies and sends them to the security label module and the access control module to guide the isolation of resources as intended.
The security label module receives security policies from the policy making module and attaches security labels to tasks and resources. Tasks are labelled according to their classifications; resources are labelled with the same security label as the task that created them. In this way, the access control module can easily isolate resources from one another by their security labels.
The access control module receives policies from the policy making module and achieves the isolation of resources through process isolation, shared memory isolation, and network isolation. Process isolation and shared memory isolation are implemented by a security module named KMAC that we designed based on LSM. By attaching tasks' security labels to virtual machines and to their disk images, KMAC does not allow a virtual machine to access a disk whose security label differs from the virtual machine's security label. By attaching tasks' security labels to virtual machines and to their shared memory, KMAC does not allow a virtual machine to access a shared memory segment whose security label differs from the virtual machine's security label. For network isolation, we use SDN and traditional network technologies to isolate resources. When a user requests access to a task with the access attribute read-only, write-only, or read-write, the request is analyzed by the security switch, and the ACL rules in the security switch decide whether the request is legal. According to the decision the security switch makes, the request is executed or denied.
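The decision rules described above, as an added example that is not the paper's code: a user's read-only/write-only/read-write request on a task is decided by the BLP properties (read down, write up), and a KMAC-style label check admits a virtual machine to a disk image or shared-memory segment only under an identical task label. Level values, task and resource names are assumed for illustration; treating read-write as requiring equal levels follows from combining the two properties and is our assumption.

```python
# Added example: a minimal model of the VR-BLP decision rules.
# Levels, user/task names and resource names below are assumed, not from the paper.
from dataclasses import dataclass, field


@dataclass
class Task:
    name: str
    classification: int                      # equals the creating user's clearance
    resources: set = field(default_factory=set)  # VMs, containers, IoT terminals


@dataclass
class User:
    name: str
    clearance: int


def allowed(user: User, task: Task, mode: str) -> bool:
    """Decide one user request on a task.
    read-only  : simple security property, clearance >= classification (read down)
    write-only : *-property, clearance <= classification (write up)
    read-write : both properties at once, i.e. equal levels (assumption)
    """
    if mode == "read-only":
        return user.clearance >= task.classification
    if mode == "write-only":
        return user.clearance <= task.classification
    if mode == "read-write":
        return user.clearance == task.classification
    raise ValueError(f"unknown access attribute: {mode}")


def kmac_check(vm_label: str, resource_label: str) -> bool:
    """KMAC-style hook: a VM may touch a disk image or shared-memory segment
    only when it carries the same task security label as the VM."""
    return vm_label == resource_label


def read_matrix(tasks):
    """Row task's resources may read column task iff row level >= column level
    (a resource inherits the classification of the task that created it)."""
    return {a.name: {b.name: a.classification >= b.classification for b in tasks}
            for a in tasks}


# Constructed test environment: four tasks at assumed levels 1..4.
TASKS = [Task(f"Task{i}", i, {f"Kvm{i}0", f"Docker{i}1", f"PC{i}2"}) for i in range(1, 5)]
USERS = [User(f"User{i}", i) for i in range(1, 5)]

if __name__ == "__main__":
    for row, cols in read_matrix(TASKS).items():
        print(row, " ".join("Y" if ok else "." for ok in cols.values()))
```

With these assumed levels the read matrix is lower-triangular, the same pattern as the paper's evaluation tables.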
To strengthen the security isolation of virtual machines, a KMAC module based on LSM is designed. For security reasons, the KMAC module must be compiled into the Linux kernel as an LSM module. KMAC strengthens the isolation of processes and shared memory between virtual machines. As shown in Figure
Resources isolation.
Process isolation
Shared memory isolation
Network isolation
As shown in Figure
As shown in Figure
Topology of test environment.
In Figure
Policies of test environment.
Policies of access control between different tasks
Policies of access control between different users
In this section, the above isolation experiments are conducted. The check mark in Tables
Access control between different tasks.
| Tasks | Resources | Task1 | Task2 | Task3 | Task4 |
|---|---|---|---|---|---|
| Task1 | Kvm10 | ✓ | | | |
| | Docker11 | ✓ | | | |
| | PC12 | ✓ | | | |
| Task2 | Kvm20 | ✓ | ✓ | | |
| | Docker21 | ✓ | ✓ | | |
| | PC22 | ✓ | ✓ | | |
| Task3 | Kvm30 | ✓ | ✓ | ✓ | |
| | Docker31 | ✓ | ✓ | ✓ | |
| | PC32 | ✓ | ✓ | ✓ | |
| Task4 | Kvm40 | ✓ | ✓ | ✓ | ✓ |
| | Docker41 | ✓ | ✓ | ✓ | ✓ |
| | PC42 | ✓ | ✓ | ✓ | ✓ |
Access control between different users.
| Users | Tasks | Resources | User1 | User2 | User3 | User4 |
|---|---|---|---|---|---|---|
| User1 | Task1 | Kvm10 | ✓ | | | |
| | | Docker11 | ✓ | | | |
| | | PC12 | ✓ | | | |
| User2 | Task1 | Kvm20 | ✓ | ✓ | | |
| | | Docker21 | ✓ | ✓ | | |
| | | PC22 | ✓ | ✓ | | |
| User3 | Task1 | Kvm30 | ✓ | ✓ | ✓ | |
| | | Docker31 | ✓ | ✓ | ✓ | |
| | | PC32 | ✓ | ✓ | ✓ | |
| User4 | Task1 | Kvm40 | ✓ | ✓ | ✓ | ✓ |
| | | Docker41 | ✓ | ✓ | ✓ | ✓ |
| | | PC42 | ✓ | ✓ | ✓ | ✓ |
As shown in Table
At last, as shown in Figure
Performance comparison of VR-BLP.
The test about the impact on the host (single CPU)
The test about the impact on the host (double CPU)
The test about the impact on the guest (single CPU)
The test about the impact on the guest (double CPU)
In this paper, a task-oriented multilevel cooperative access control scheme based on BLP, named VR-BLP, has been proposed. Specifically, the access control between virtual machines and IoT terminals achieves fine-grained isolation by dividing tasks and users into multiple levels. Moreover, VR-BLP enhances the security isolation between tasks through the cooperation of network isolation, process isolation, and shared memory isolation. Performance evaluations show that VR-BLP enhances the security of an environment combining virtualization and IoT with only a small performance loss.
The data used to support the findings of this study are available from the corresponding author upon request.
The authors declare that they have no conflicts of interest.
This work is supported by the National Key Research and Development Program of China (2016YFB0800804), National Natural Science Foundation of China (61672411 and U1401251), Research Foundations for Science and Technology on Communication Networks Laboratory (no. KX172600023), and China 111 Project (no. B16037).