Mailing List Archive

XenSE - any info available?
I came across this article and was wondering if anyone had any additional
information:
Xen Developers Focus on Security
Enhanced virtual desktop could protect remote consumer transactions.
http://www.pcworld.com/news/article/0,aid,121624,00.asp

Thanks

Wesley Parish
--
Clinersterton beademung, with all of love - RIP James Blish
-----
Mau e ki, he aha te mea nui?
You ask, what is the most important thing?
Maku e ki, he tangata, he tangata, he tangata.
I reply, it is people, it is people, it is people.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: XenSE - any info available?
> I came across this article and was wondering if anyone had any additional
> information:
> Xen Developers Focus on Security
> Enhanced virtual desktop could protect remote consumer transactions.
> http://www.pcworld.com/news/article/0,aid,121624,00.asp

Lightning overview:
* The XenSE project is *not* there to patch security issues, etc. Its aim is
to add a Mandatory Access Control Framework to Xen itself.
* Security policies will be set by a user tool but then enforced by Xen.
Because Xen has a very small codebase, it can be audited thoroughly to
achieve high assurance that the policy is correctly enforced. This is
required for high level security accreditation (eg. EAL).
* will enable policies such as:
- Chinese Wall : don't allow domains from two different groups to run on the
same machine. You might use this if you are renting domains to competing
companies.
- Type enforcement : only allow communication (eg. event channels, shared
memory) between domains with the same "type". Type could be "owner" or it
could be "security level" (eg. "top secret" may only talk to "top secret"
etc)
- etc.
* As part of the system, we aim to break down "dom0" into multiple smaller
functional units. This allows us to reduce the Trusted Computing Base, again
allowing easier audit.

The end result should be a virtual machine system that splits its functions up
between multiple virtual machines with restricted privileges. As a whole
this should achieve an (even) higher assurance level than is possible for
(eg) monolithic SELinux. As a bonus, it should have higher resilience to
driver failures, etc.

Initial code for MAC has been contributed by IBM and is in the unstable tree
now. The project will be ongoing for some time - more or less "full" XenSE
support is planned for 4.0.

There's a XenSE mailing list, if you're interested. Not much happening on it
right now, though.

HTH,
Mark
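
The Chinese Wall and type-enforcement policies described in the reply above, as an added Python model that is not part of the original post and is not Xen or IBM code. The `Host` class, the conflict-set representation and all domain names are assumptions made for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Domain:
    name: str
    group: str   # Chinese Wall label, e.g. the company renting the domain
    type_: str   # type-enforcement label, e.g. owner or security level

class Host:
    """Toy reference monitor: every start/connect request is checked here."""
    def __init__(self, conflict_sets):
        # Assumption: the policy lists sets of groups that must not share a host.
        self.conflict_sets = [frozenset(s) for s in conflict_sets]
        self.running, self.channels = [], set()

    def _conflict(self, g1, g2):
        return g1 != g2 and any(g1 in s and g2 in s for s in self.conflict_sets)

    def start(self, dom):
        # Chinese Wall: refuse if a running domain belongs to a conflicting group.
        if any(self._conflict(dom.group, d.group) for d in self.running):
            return False
        self.running.append(dom)
        return True

    def stop(self, dom):
        # Tear down the domain's channels so no stale grant outlives it.
        self.running.remove(dom)
        self.channels = {c for c in self.channels if dom.name not in c}

    def connect(self, a, b):
        # Deny by default: both ends must be running and carry the same type.
        if a not in self.running or b not in self.running or a.type_ != b.type_:
            return False
        self.channels.add(frozenset((a.name, b.name)))
        return True

def demo():
    # Constructed sample: two competing tenants and one unrelated tenant.
    host = Host(conflict_sets=[{"acme", "globex"}])
    a1 = Domain("acme-web", "acme", "acme")
    a2 = Domain("acme-db", "acme", "acme")
    g1 = Domain("globex-web", "globex", "globex")
    n1 = Domain("initech-web", "initech", "initech")
    results = [host.start(a1), host.start(a2), host.start(g1), host.start(n1)]
    results += [host.connect(a1, a2), host.connect(a1, n1), host.connect(a1, g1)]
    host.stop(a1)
    host.stop(a2)
    results.append(host.start(g1))   # wall lifts once the competitor is gone
    return results, host.channels
```

In this model the competitor's domain is refused while either conflicting domain runs, and cross-type or not-running endpoints never get a channel.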
