A virtualized usage control bus system
Cornelius Moucha (1, +), Enrico Lovat (2), and Alexander Pretschner (2)
(1) Fraunhofer IESE, Information Systems Quality (ISQ), Kaiserslautern, Germany
cornelius.moucha@iese.fraunhofer.de
(2) Karlsruhe Institute of Technology, Karlsruhe, Germany
lovat@kit.edu and pretschner@kit.edu
Abstract
Usage control is an extension of access control that additionally defines what must and must not happen to data after access has been granted. The process of enforcing usage control requirements on data must take into account all the different representations that the data may assume at different levels of abstraction (e.g. file, window content, network packet). Therefore, multiple data flow tracking and usage control enforcement monitors are likely to exist, one at each relevant layer. Whenever data flows from a representation at one layer to a representation at another layer (e.g. a file is loaded and interpreted by an application), the monitor for the initiating layer (in the example, the operating system) must notify the monitor for the receiving layer (in this example, an application, like a browser) about the data being transferred. This is required in order to associate both representations with the same data.
In this paper, we present a bus system to support system-wide usage control enforcement that, for security and performance reasons, is implemented in a hypervisor. We provide an example application for enforcing usage control across layers of abstraction in the context of social networks. We evaluate security and performance of our bus system.
Keywords: Data-flow tracking, usage control, bus system, virtualization, information flow.
+Corresponding author: Cornelius Moucha
Fraunhofer IESE, Information Systems Quality (ISQ), Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Tel: +496316800-2111, Email: cornelius.moucha@iese.fraunhofer.de
Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 2, No. 4, pp. 84-101, December 2011
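The cross-layer notification described in the abstract can be modelled in a few lines. The sketch below is an added illustration, not the paper's hypervisor implementation: every class, method, container name and the policy entry are hypothetical. It shows that the application-layer monitor can only enforce a restriction on window content if the operating-system monitor reported the flow over the bus.

```python
# Added illustration: a toy model, not the paper's hypervisor implementation.
# All class, method and container names are hypothetical.

class Bus:
    """Routes cross-layer flow notifications between registered monitors."""
    def __init__(self):
        self.monitors = {}

    def register(self, monitor):
        self.monitors[monitor.layer] = monitor
        monitor.bus = self

    def notify(self, dst_layer, dst_container, data_ids):
        self.monitors[dst_layer].taint(dst_container, data_ids)


class Monitor:
    """Per-layer monitor: maps containers (representations) to data ids."""
    def __init__(self, layer):
        self.layer, self.bus, self.storage = layer, None, {}

    def taint(self, container, data_ids):
        self.storage.setdefault(container, set()).update(data_ids)

    def flow_out(self, src, dst_layer, dst, notify=True):
        """Data leaves this layer; the initiating monitor notifies the receiver."""
        if notify:
            self.bus.notify(dst_layer, dst, self.storage.get(src, set()))

    def allowed(self, action, container, policy):
        """Deny the action if any data held in the container forbids it."""
        data = self.storage.get(container, set())
        return not any(action in policy.get(d, set()) for d in data)


def run(notify):
    """Return whether the application layer would allow printing the window."""
    bus, os_mon, app_mon = Bus(), Monitor("os"), Monitor("app")
    bus.register(os_mon)
    bus.register(app_mon)
    policy = {"photo-1": {"print"}}  # constructed policy: photo-1 must not be printed
    os_mon.taint("/home/u/photo.jpg", {"photo-1"})
    # A browser loads the file: OS-level file -> application-level window content.
    os_mon.flow_out("/home/u/photo.jpg", "app", "window:42", notify=notify)
    return app_mon.allowed("print", "window:42", policy)
```

With the notification, `run(True)` denies the print; without it, `run(False)` allows it because the window is never associated with the protected data.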