Abstract
Virtual Interacting Network CommunIty (Vinci) is a software architecture that exploits virtualization to share in a secure way an information and communication technology infrastructure among a set of users with distinct security levels and reliability requirements. To this purpose, Vinci decomposes users into communities, each consisting of a set of users, their applications, a set of services and of shared resources. Users with distinct privileges and applications with distinct trust levels belong to distinct communities. Each community is supported by a virtual network, i.e. a structured and highly parallel overlay that interconnects virtual machines (VMs), each built by instantiating one of a predefined set of VM templates. Some VMs of a virtual network run user applications, some protect shared resources, and some others control traffic among communities to discover malware or worms. Further VMs manage the infrastructure resources and configure the VMs at start-up. The adoption of several VM templates enables Vinci to minimize the complexity of each VM and increases the robustness of both the VMs and of the overall infrastructure. Moreover, the security policy that a VM applies depends upon the community a user belongs to. As an example, discretionary access control policies may protect files shared within a community, whereas mandatory policies may rule access to files shared among communities. After describing the overall architecture of Vinci, we present the VM templates and the performance results of a first prototype.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Download to read the full chapter text
Chapter PDF
References
Uhlig, R., Neiger, G., Rodgers, D., Santoni, A., Marting, F., Anderson, A., Bennett, S., Kagi, A., Leung, F., Smith, L.: Intel Virtualization Technology. Computer 38(5), 48–56 (2005)
Dunlap, G.W., King, S.T., Cinar, S., Basrai, M.A., Chen, P.M.: Revirt: enabling intrusion analysis through virtual-machine logging and replay. SIGOPS Oper. Syst. Rev. 36(SI), 211–224 (2002)
Goldberg, R.P.: Survey of virtual machine research. IEEE Computer 7(6), 34–45 (1974)
Huang, W., Abali, B., Panda, D.: A case for high performance computing with virtual machines. In: Proc. of the 20th annual international conference on Supercomputing, pp. 125–134 (2006)
Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Pratt, I., Warfield, A., Barham, P., Neugebauer, R.: Xen and the art of virtualization. In: Proceedings of the ACM Symposium on Operating Systems Principles (October 2003)
Callaghan, B., Pawlowski, B., Staubach, P.: NFS V3 Protocol Specification. RFC 1813
Loscocco, P., Smalley, S.: Integrating flexible support for security policies into the linux operating system. In: Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, Berkeley, CA, USA, pp. 29–42. USENIX Association (2001)
Loscocco, P.A., Smalley, S.D.: Meeting critical security objectives with security enhanced linux. In: Proceedings of the 2001 Ottawa Linux Symposium. (2001)
Netfilter.org: Netfilter/Iptables project, www.netfilter.org/
OpenVPN: OpenVPN - An Open Source SSL VPN Solution, http://openvpn.net/
King, S.T., Chen, P.M.: Backtracking intrusions. ACM Trans. Comput. Syst. 23(1), 51–76 (2005)
Cheetancheri, S.G., et al.: A distributed host-based worm detection system. In: LSAD 2006: Proc. of the 2006 SIGCOMM workshop on Large-scale attack defense, pp. 107–113. ACM Press, New York (2006)
Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: NDSS (2003)
Figueiredo, R.J., Dinda, P.A., Fortes, J.A.B.: A case for grid computing on virtual machines. In: ICDCS 2003: Proceedings of the 23rd International Conference on Distributed Computing Systems, Washington, DC, USA, p. 550. IEEE Computer Society, Los Alamitos (2003)
Pearson, S.: Trusted Computing Platforms, the Next Security Solution. Trusted Computing Group Administration, Beaverton (2002)
Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: vTPM: virtualizing the trusted platform module. In: USENIX-SS 2006: Proceedings of the 15th conference on USENIX Security Symposium, Berkeley, CA, USA, pp. 21. USENIX Association (2006)
IOzone: IOzone Filesystem Benchmark, http://www.iozone.org/
Griffin, J.L., Jaeger, T., Perez, R., Sailer, R., van Doorn, L., Caceres, R.: Trusted Virtual Domains: Toward secure distributed services. In: Proc. of 1st IEEE Workshop on Hot Topics in System Dependability (HotDep) (2005)
Löhr, H., Ramasamy, H.V., Sadeghi, A.R., Schulz, S., Schunter, M., Stüble, C.: Enhancing Grid Security Using Trusted Virtualization. In: Xiao, B., Yang, L.T., Ma, J., Muller-Schloer, C., Hua, Y. (eds.) ATC 2007. LNCS, vol. 4610, pp. 372–384. Springer, Heidelberg (2007)
Sailer, R., Jaeger, T., Zhang, X., van Doorn, L.: Attestation-based policy enforcement for remote access. In: CCS 2004: Proceedings of the 11th ACM conference on Computer and communications security, pp. 308–317. ACM Press, New York (2004)
Zhao, X., Borders, K., Prakash, A.: SVGrid: a secure virtual environment for untrusted grid applications. In: MGC 2005: Proceedings of the 3rd international workshop on Middleware for grid computing, pp. 1–6. ACM Press, New York (2005)
Bryant, E., Early, J., Gopalakrishna, R., Roth, G., Spafford, E., Watson, K., William, P., Yost, S.: Poly2 Paradigm: A Secure Network Service Architecture. In: Proceedings 19th Annual Computer Security Applications Conference, 2003, pp. 342–351 (2003)
Wolinsky, D.I., Agrawal, A., Boykin, P.O., Davis, J., Ganguly, A., Paramygin, V., Sheng, P., Figueiredo, R.J.: On the Design of Virtual Machine Sandboxes for Distributed Computing in Wide Area Overlays of Virtual Workstations. In: First Workshop on Virtualization Technologies in Distributed Computing (VTDC) (November 2006)
Chun, B., Culler, D., Roscoe, T., Bavier, A., Peterson, L., Wawrzoniak, M., Bowman, M.: Planetlab: an overlay testbed for broad-coverage services. SIGCOMM Comput. Commun. Rev. 33(3), 3–12 (2003)
Gepner, P., Kowalik, M.F.: Multi-core processors: New way to achieve high system performance. In: PARELEC 2006: International symposium on Parallel Computing in Electrical Engineering, pp. 9–13. IEEE Computer Society Press, Washington (2006)
Leung, F., Neiger, G., Rodgers, D., Santoni, A., Uhlig, R.: Intel Virtualization Technology: Hardware support for efficient processor virtualization. Intel Technology Journal 10(3), 167–178 (2006)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Baiardi, F., Sgandurra, D. (2008). Secure Sharing of an ICT Infrastructure through Vinci. In: Hausheer, D., Schönwälder, J. (eds) Resilient Networks and Services. AIMS 2008. Lecture Notes in Computer Science, vol 5127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70587-1_6
Download citation
DOI: https://doi.org/10.1007/978-3-540-70587-1_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-70586-4
Online ISBN: 978-3-540-70587-1
eBook Packages: Computer ScienceComputer Science (R0)