This is the accepted version of the manuscript. The final version of this manuscript can be downloaded from https://doi.org/10.1109/APSCC.2008.14

Introducing Role-based Access Control to a Secure Virtual Machine Monitor: Security Policy Enforcement Mechanism for Distributed Computers

Manabu Hirano
Dept. of Information and Computer Engineering, Toyota National College of Technology, 2-1 Sakae, Toyota, Aichi, Japan
[email protected]

Takahiro Shinagawa, Hideki Eiraku, Shoichi Hasegawa, Kazumasa Omote∗, Koichi Tanimoto, Takashi Horie, Kazuhiko Kato
Dept. of Computer Science, Graduate School of ISE, University of Tsukuba, 1-1-1 Tennodai, Tsukuba, Ibaraki, Japan
{shina, hdk, s-hase, komote, tanimoto, horietk}@osss.cs.tsukuba.ac.jp, [email protected]

Takeshi Okuda, Eiji Kawai, Suguru Yamaguchi
Graduate School of Information Science, Nara Institute of Science and Technology, 8916-5 Takayama, Ikoma, Nara, Japan
{okuda, eiji-ka, suguru}@is.naist.jp

Abstract

In recent years, as the data processed by governmental or commercial organizations increases, cases involving information leaks have risen. It is difficult to control information on many distributed end-point computers using conventional security mechanisms. Therefore, we have proposed a novel secure VMM (Virtual Machine Monitor) architecture, which is used as a foundation of security policy enforcement on distributed computers. This paper introduces Role-based Access Control (RBAC) to the ID management framework in a secure VMM system. Our proposal will reduce the cost of distributed policy updates. The proposed RBAC mechanism employs attribute certificates (ACs) to handle users' roles. This paper shows the design and a prototype implementation based on a PKI-based ID card and proven open source VMM software, QEMU.

1. Introduction

In recent years, most governmental organizations around the world employ computer systems to process massive amounts of data that must be protected. For example, a local or central government processes residents' personal information, and a police organization processes criminal records. As the data processed by governmental organizations increases, cases involving information leaks have risen considerably. In particular, it is difficult to control information on distributed end-point computers in such organizations.

In this paper, we discuss a large-scale security policy enforcement mechanism based on a Virtual Machine Monitor (VMM). A VMM is a technology to encapsulate an operating system; it was originally designed and developed for mainframe computers such as the IBM VM/370 [1]. An ideal VMM technology provides complete isolation of virtual machines (VMs) [2]. A layer of trusted VMM software can, without modifying a guest operating system, transparently provide useful and strong security functions for each end-point computer. For example, such trusted VMM software can provide storage encryption, traffic confidentiality based on a virtual private network (VPN) and access control mechanisms for each computer's hardware/software resources. We call this kind of VMM system "a secure VMM". We assume that a secure VMM system for an end-user environment can be used as a foundation of security policy enforcement in governmental and commercial organizations.

In recent research, some security-purpose VMM systems have been developed [3, 4, 5]. The main advantage of such security-purpose VMM systems is that they can insert a security layer without modifying existing guest operating systems. Our previous paper showed a novel ID management framework for a secure VMM system [6]. The proposed ID management framework provides a simple user authentication and user ID based access control mechanism. However, it has a problem: it cannot deal with the frequent personnel reshuffling in real-world organizations. Therefore, this paper introduces Role-based Access Control (RBAC) [7, 8] to the ID management framework in a secure VMM system. The proposed RBAC-extended secure VMM system can achieve high flexibility against frequent personnel changes in an organization, and it will be able to control information resources on distributed end-point computers efficiently.

∗ He currently belongs to Japan Advanced Institute of Science and Technology.

[Figure 1 (diagram omitted): At the security boundary sit a firewall, anti-virus gateway and intrusion detection/prevention system. Server systems inside the boundary are protected by a MAC-based policy and integrity checks for software and configuration. End users' desktop or mobile computers carry anti-virus, anti-phishing, anti-spyware and monitoring software and a VPN, but present a high risk of information leak. In large-scale organizations, each computer has to process a complex user ID based policy, for example: Allow "USB drive": Alice, Bob, Charlie, ...; Allow "Internet connection": Alice, Bob. If Alice moves to a different division, each policy file has to be updated.]
Figure 1. Security components in an organization

2. Problems

This section shows the problems of a policy enforcement mechanism for distributed end-point computers.

2.1. Security Problems in End-user's Distributed Computing Environment

There are many types of security mechanisms for practical information systems. Fig. 1 shows the security components in an organization. A firewall is a typical boundary security mechanism which can filter network packets. An anti-virus gateway also checks users' packets to prevent virus intrusion. Security administrators can manage and protect server systems physically. On the other hand, end users' computers are physically distributed and can be moved outside the organization. In general, it is difficult to control such a distributed end-user computing environment. Although a security administrator can install software to monitor users' behavior, an end user can easily remove or bypass such software on each computer. Furthermore, most existing commercial operating systems cannot strictly enforce a mandatory security policy on end users. A thin-client system [9] like Citrix's ICA is an efficient mechanism to prevent information leaks in such an environment. A thin-client security system can provide a strong security policy enforcement mechanism. However, a typical thin-client system needs a continuous connection to the Internet, and it is dependent on the stability of the central server system. This paper employs another security policy enforcement mechanism for distributed computers, using client-based VMM technology.

[Figure 2 (diagram omitted): An end user's desktop or laptop computer authenticates Alice with Alice's ID card (user authentication) and applies a user ID based policy to her operations.]
Figure 2. User ID based policy management mechanism

2.2. Policy Management Problems

This paper focuses on an efficient mechanism to manage security policy in distributed computers. Most security systems have a user authentication and user ID based access control mechanism. However, a conventional user ID based security mechanism has some problems. For example, most governmental and commercial organizations have frequent personnel shuffling. Moreover, they are drastically reformed in a climate of political and economic change. If they only employ a user ID based policy, the security mechanism will not keep up with the changes in the organization. Fig. 2 shows a user ID based policy management mechanism. The example policy shown in Fig. 2 expresses permissions for the use of USB devices and the Internet connection on the user's computer. This example supports ID card based user authentication. If Alice moves to another division, then the security policy has to be updated in all end-point computers. Moreover, a large-scale organization has to manage complex user ID based security policies. Thus, the user ID based policy mechanism has the following problems: (1) It cannot deal with frequent personnel changes in an organization flexibly. (2) It cannot support a large-scale organization, because many user IDs make security policies complex.

3. Security Policy Enforcement Mechanism

In section 2.1, we described security problems in end users' distributed computing environment. This section shows the basic concept of a secure VMM architecture as a foundation of security policy enforcement. This section also introduces our original secure VMM implementation called BitVisor and its ID management framework.

3.1. Basic Concept of a Secure VMM

Sandhu et al. showed the access control model and its relationship to other security services [10]. A typical security system consists of an authentication mechanism, a reference monitor, an audit monitor, an authorization database and an access control mechanism. Access control is enforced by a reference monitor that mediates every attempted access by a user to objects in the system. Sandhu et al. also defined policies as high-level guidelines which determine how accesses are controlled and access decisions determined. Three different policies commonly occur in computer systems: (1) Discretionary Access Control (DAC), (2) Mandatory Access Control (MAC) and (3) Role-based Access Control (RBAC). These access control policies are not mutually exclusive in practical systems. Whereas DAC cannot control the flow of information strictly, MAC can. Most commercial operating systems do not offer users a strict MAC mechanism; thus, an end user can modify the access modes of each object. We aim to enforce security policy on distributed end-point computers in organizations with the help of a VMM mechanism. Fig. 3 shows the basic concept of the proposed secure VMM architecture. Most VMM software has a mediation mechanism for physical/virtual resources. Data and operations passing through the security hooks, for example data written to storage and inbound/outbound packets through physical network interface cards, are monitored by the reference monitor. The audit monitor records users' behavior through the security hooks. Fig. 3 includes a user authentication mechanism using PKI-based ID cards; therefore the reference monitor can authorize accesses or operations based on each user ID. In this paper, we assume that end users cannot modify the secure VMM software. One protection method for secure VMM software is an attestation mechanism based on a tamper-resistant device like a TPM (Trusted Platform Module) [11]. Intel's recent products support TXT (Trusted Execution Technology) to guarantee trusted boot operations. The Orange Book [12], a classic security standard, defines the Trusted Computing Base (TCB) as containing all of the elements of the system responsible for supporting the security policy and supporting the isolation of objects (code and data) on which the protection is based. Thus, our proposal employs VMM technology with the ID management framework and a reference monitor as the TCB.

[Figure 3 (diagram omitted): A security administrator installs the security policy into the secure VMM system. The user authenticates with an ID card and PIN (user authentication, ID management), so the secure VMM system authenticates users. The VM (guest OS) issues requests for virtual resources, which pass through security hooks to the reference monitor (user ID-based access control) and the audit monitor; authorized VMM operations (boot authorization etc.) then access the physical hardware resources.]
Figure 3. Basic concept of secure VMM architecture

3.2. BitVisor and ID Management Framework

We are developing novel secure VMM software called BitVisor with the support of the Japanese government [13]. This is a joint development project with 6 universities and colleges and 5 companies. The latest source code of BitVisor was released to the public in March 2008. The current implementation of BitVisor provides some transparent security functions in the VMM layer, such as a built-in IPsec-VPN module with IKEv1 [14][15] and a storage encryption module based on the XTS-AES algorithm [16]. The IPsec-VPN module enables users to establish a VPN without modifying guest operating systems; it provides encrypted communication and mutual authentication between end-point computers and the VPN gateway. The transparent storage encryption function can force the use of encrypted storage (HDD, thumb drive etc.) in end-point computers to prevent information leaks. Another feature of BitVisor is the ID management framework [6]. Fig. 4 shows the design of the ID management framework for BitVisor. Our ID management framework is independent of BitVisor's architecture; therefore, we can apply our ID management software to many existing VMM implementations. This paper shows a prototype implementation of the proposal using proven open source VMM software, QEMU, instead of BitVisor, which is still under development. We employ X.509 public key certificates (PKCs) [17] to authenticate users. The ID management framework working in the VMM layer can handle a PKI-based ID card system. A Japanese government employee has a tamper-proof ID card with contact and contactless interfaces. Our ID management framework employs this kind of ID card system to authenticate users in the VMM layer. Our previous paper showed an example design of VM boot management based on user IDs.

[Figure 4 (diagram omitted): The secure VMM software calls the ID management API of the ID Management Framework, which reaches the user's ID card (smart card) through PKCS#11 middleware, the PC/SC library and the card reader device driver (smart card communication via a smart card reader, APDU exchange); a BitVisor application is PKCS#11 compatible. The card holds PrivateKey_USER, PKC_USER and EncryptionKey_USER and protects data. The VMM side holds PKC_TRUST ANCHOR (VMM) and a CRL for certificate revocation management. A CA issues the users' public key certificates.]
Figure 4. Design of proposed ID management framework for secure VMM systems

[Figure 5 (diagram omitted): NIST RBAC model. Users (U) are assigned to Roles (R) by user assignment (UA); Permissions (P) are assigned to Roles by permission assignment (PA); a role hierarchy (RH) relates roles to one another.]
Figure 5. Role-based Access Control

4. RBAC Extension for a Secure VMM System

In section 2.2, we described user ID based policy management problems, and in section 3.1 we described some security policy models. RBAC [7] controls accesses based on the activities the user executes in the system. A role can be defined as a set of actions and responsibilities associated with a particular working activity. Therefore, RBAC can provide a more flexible access control method than simple DAC and MAC. Fig. 5 shows hierarchical RBAC as defined by the NIST RBAC model [8]. In the RBAC model, users acquire permissions through roles. The simplest, flat RBAC model supports many-to-many user-role assignment (UA), many-to-many permission-role assignment (PA) and user-role assignment review. A user can use the permissions of multiple roles simultaneously. In addition, the hierarchical RBAC model supports a role hierarchy (RH). A user's roles change frequently in organizations, whereas the user's ID rarely changes within his or her organization. By employing role-based policy instead of user ID based policy, security administrators do not need to update all computers' security policies frequently. As a result, the proposed RBAC-based policy enforcement mechanism will be able to respond more flexibly to such changes than simple user ID based mechanisms. Moreover, our proposal can reduce the complexity of security policies in large-scale organizations in comparison with simple user ID based policies.

[Figure 6 (diagram omitted): The CA issues public key certificates as user IDs (Alice, Bob, Charlie); the AA issues attribute certificates as roles (Guest, Employee, Manager); UA is the user assignment to roles.]
Figure 6. Certification Authority (CA) and Attribute Authority (AA)
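The NIST model of Fig. 5 and the personnel-change argument of sections 2.2 and 4 can be made concrete in code. The following Python is an added example, not code from the paper, BitVisor or QEMU; the users, roles, permissions, the "usb:*" wildcard and the role hierarchy are constructed, and the block goes beyond the paper's flat prototype by including the role hierarchy (RH) of Fig. 5. It computes a user's effective permissions through UA, PA and RH, moves Alice to another division by changing only UA, and counts how many entries the equivalent user ID based policy of Fig. 2 would have to change on every end-point computer.

```python
"""Hierarchical RBAC as in the NIST model (Fig. 5): UA, PA and RH.

Added example; it is not code from the paper, BitVisor or QEMU. The users, roles,
permissions and hierarchy below are constructed. Permissions are strings such as
"usb:056e:6002" (a USB idVendor:idProduct) or "boot:guest.img" (a VM image);
"usb:*" is a constructed wildcard meaning any USB device.
"""
from collections import deque

# PA: permission assignment, role -> permissions. This is the policy that
# security administrators distribute to end-point computers.
PA = {
    "Guest":    {"boot:guest.img"},
    "Employee": {"usb:056e:6002", "net:internet"},
    "Manager":  {"usb:*", "boot:admin.img"},
}

# RH: role hierarchy, senior role -> junior roles whose permissions it inherits.
RH = {
    "Employee": {"Guest"},
    "Manager":  {"Employee"},
}

# UA: user assignment, user DN -> roles. In the paper's design this mapping is
# carried in each user's attribute certificate, not in the end-point policy.
UA = {
    "CN=Alice":   {"Employee"},
    "CN=Bob":     {"Employee"},
    "CN=Charlie": {"Manager"},
}


def inherited_roles(roles, rh=RH):
    """All roles reachable from `roles` through the hierarchy, including themselves."""
    seen, queue = set(), deque(roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(rh.get(role, ()))
    return seen


def effective_permissions(user, ua=UA, pa=PA, rh=RH):
    """Union of the permissions of every role the user holds, directly or by inheritance."""
    perms = set()
    for role in inherited_roles(ua.get(user, set()), rh):
        perms |= pa.get(role, set())
    return perms


def _matches(granted, requested):
    # Exact match, or a trailing-* wildcard such as "usb:*".
    return granted == requested or (granted.endswith("*") and requested.startswith(granted[:-1]))


def is_permitted(user, permission, ua=UA, pa=PA, rh=RH):
    """Default deny: True only if some effective permission covers the request."""
    return any(_matches(g, permission) for g in effective_permissions(user, ua, pa, rh))


def reassign(user, new_roles, ua=UA):
    """Personnel change: return a new UA with the user's roles replaced.
    PA and RH, the policy distributed to end-point computers, are untouched."""
    updated = {u: set(r) for u, r in ua.items()}
    updated[user] = set(new_roles)
    return updated


def user_id_policy(ua=UA, pa=PA, rh=RH):
    """The equivalent user ID based policy of Fig. 2: permission -> users."""
    policy = {}
    for user in ua:
        for perm in effective_permissions(user, ua, pa, rh):
            policy.setdefault(perm, set()).add(user)
    return policy


def entries_to_edit_on_move(user, ua=UA, pa=PA, rh=RH):
    """Number of user ID based policy entries that mention the user, i.e. entries that
    must be edited on every end-point computer when the user changes division."""
    return sum(1 for users in user_id_policy(ua, pa, rh).values() if user in users)
```

Under the user ID based policy, moving Alice touches every entry that names her on every computer, while under RBAC only her single UA entry changes and the distributed PA/RH policy stays as it is.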

5. Design

In our previous proposal [6], we employed X.509 PKCs to authenticate users in a secure VMM system. To extend the previous ID management framework, this paper proposes to express users' roles as attribute certificates (ACs) [18]. ACs are usually used together with a PKC to express a user's additional attributes. Chadwick et al. showed an RBAC implementation called PERMIS, an X.509 role-based privilege management infrastructure using ACs [19]. This paper shows a novel AC based RBAC mechanism for a secure VMM system. Fig. 6 shows the relationships between PKCs (user IDs) and ACs (roles). A Certification Authority (CA) first issues each user's PKC as a user ID. An Attribute Authority (AA) then issues each user's AC as a role. This relationship corresponds to user assignment (UA) in Fig. 5. In our RBAC-extended ID management framework, both a PKC and an AC are stored in each user's ID card. Our ID management framework authenticates users using PKI-based ID cards. Authentication processes are executed based on a trusted CA's PKC stored in the secure VMM system. An ID card never exports the user's private key associated with the user's PKC. After authenticating the user, the proposed RBAC-extended ID management framework obtains an AC from the user's ID card and verifies the authenticity of the AC based on a trusted AA's PKC stored in the secure VMM system. The relationship between a PKC and an AC is verified by comparing the subject field of the PKC with the holder field of the AC. As a result, the secure VMM system can decide the role of the user. The proposed system also has to reject expired or revoked certificates, using Certificate Revocation Lists (CRLs) etc.

Table 1. Hardware/software environment
Smart card          eLWISE (NTT Communications)
Smart card reader   ASE drive IIIe (Athena Smartcard Solutions)
OS                  Linux Fedora Core 7
VMM                 QEMU 0.9.0
CA                  OpenSSL 0.9.8
PCSC library        Pcsc-lite 1.3.2 [21]
USB CCID driver     Athena CCID driver [22]

[Figure 7 (diagram omitted): In the QEMU-based prototype, the user authenticates with a PKI-based ID card holding the PKC (ID), the AC (Role) and the private key, entering a PIN, against the trusted CA's PKC (user authentication, PKI authentication). The role decision part uses the trusted AA's PKC to derive the user's roles from the AC. The RBAC-enabled reference monitor applies the RBAC policy to the VM's requests for virtual resources through a security hook (USB), giving role-based authorization for USB devices and boot authorization based on roles, before the VMM operation accesses the physical hardware resources. The parts improved using RBAC are the role decision and the RBAC policy in the reference monitor.]
Figure 7. Prototype implementation of RBAC-extended ID management framework

Syntax 1: User ID, User's role, idVendor:idProduct
Syntax 2: User ID, User's role, VM ID
Figure 8. Syntax of security policy

6. Prototype Implementation

Fig. 7 shows the prototype implementation of our RBAC-extended ID management framework. We implemented the prototype system in proven open source VMM software, QEMU [20]. Table 1 shows the hardware and software environment used in the prototype implementation. This prototype implementation enables us to authorize the use of removable USB devices based on a user's role and a device's ID. The prototype implementation also includes a role-based authorization mechanism to boot VMs. We newly implemented the following parts: (1) a role decision part, which verifies the relation between a PKC (subject field) and an AC (holder field) and extracts a role from the AC; the role decision part also verifies the authenticity of ACs using a trusted AA's PKC; (2) a new security hook to monitor connections of USB devices in QEMU; (3) a reference monitor which authorizes the use of USB devices based on a user's role and a device's ID. In addition, we implemented standalone Java-based AA software to issue ACs. Our PKI-based ID card can store up to 6 certificates; therefore a card administrator can store both a PKC and an AC in a user's ID card. To update users' roles, a card administrator has to recover the users' ID cards and update the AC area. Moreover, a security administrator has to pre-store a trusted CA's PKC and AA's PKC in each secure VMM system in a safe manner. Fig. 8 shows the syntax of the RBAC policy used in the prototype implementation. Syntax 1 expresses a policy for the use of USB devices. Syntax 2 expresses a policy for VM boot authorization. idVendor means the vendor ID and idProduct means the product ID of a USB device. VM ID means the file name of a VM image. If User ID is missing, then each operation is authorized by User's role only. User ID is expressed by the Distinguished Name (DN) in each certificate, for example "CN=JP::ST=Aichi::L=Toyota::O=TCT::OU=ICE::CN=Alice". User's role is expressed by a string, for example "Employee". idVendor:idProduct is expressed by hex strings, for example "056e:6002".
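To show how the design of section 5 and the policy syntax of Fig. 8 fit together, here is an added Python example; it is not the QEMU prototype or BitVisor code. The PKC/AC records, DNs, serial numbers, dates, trust store and policy lines are constructed; the assumption that a missing User ID is written as an empty first field is ours, as is the assumption that the caller has already checked the CA's and AA's signatures (for instance with OpenSSL, which Table 1 lists as the CA). The block performs the role decision (trusted issuer, validity period, CRL lookup, holder/subject binding), parses Syntax 1 and Syntax 2 rules, and applies the default-deny reference monitor check for a USB device and a VM boot.

```python
"""Role decision and role-based authorization of USB devices and VM boot.

Added example, not the paper's QEMU prototype nor BitVisor code. Certificates are plain
records with only the fields the paper's checks use. Assumption: the caller has already
verified the PKC signature with the trusted CA's PKC and the AC signature with the
trusted AA's PKC (e.g. with OpenSSL); this code does the binding, validity, revocation
and policy checks that follow. All sample data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class PKC:               # X.509 public key certificate: the user ID
    subject: str         # user DN
    issuer: str          # CA DN
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class AC:                # X.509 attribute certificate: the user's role
    holder: str          # DN of the PKC subject the AC is bound to
    issuer: str          # AA DN
    serial: int
    not_before: datetime
    not_after: datetime
    role: str

@dataclass(frozen=True)
class TrustStore:        # pre-stored in each secure VMM by the administrator
    trusted_ca: frozenset
    trusted_aa: frozenset
    revoked: frozenset   # (issuer DN, serial) pairs taken from CRLs

def decide_role(pkc, ac, store, now):
    """Role decision part: (role, "ok") on success, (None, reason) otherwise."""
    if pkc.issuer not in store.trusted_ca:
        return None, "PKC issuer is not a trusted CA"
    if ac.issuer not in store.trusted_aa:
        return None, "AC issuer is not a trusted AA"
    for cert, what in ((pkc, "PKC"), (ac, "AC")):
        if not cert.not_before <= now <= cert.not_after:
            return None, f"{what} expired or not yet valid"
        if (cert.issuer, cert.serial) in store.revoked:
            return None, f"{what} is revoked"
    if ac.holder != pkc.subject:        # the PKC/AC binding of Fig. 6
        return None, "AC holder does not match PKC subject"
    return ac.role, "ok"

_VID_PID = re.compile(r"[0-9a-fA-F]{4}:[0-9a-fA-F]{4}")
def _norm(target):
    # idVendor:idProduct hex compares case-insensitively; a VM ID (file name) compares as given
    return target.lower() if _VID_PID.fullmatch(target) else target

def parse_policy(text):
    """Parse Fig. 8 rules 'User ID, User's role, target' (target: idVendor:idProduct for
    Syntax 1, VM image file name for Syntax 2). Assumption not stated in the paper:
    a missing User ID is written as an empty first field."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not fields[1] or not fields[2]:
            raise ValueError(f"malformed rule: {raw!r}")
        user_id, role, target = fields
        rules.append((user_id or None, role, _norm(target)))
    return rules

def authorized(rules, user_id, role, target):
    """Reference monitor, default deny: a rule matches when its role equals the decided
    role and its User ID is absent or equals the authenticated user's DN."""
    target = _norm(target)
    return any(uid in (None, user_id) and r == role and t == target for uid, r, t in rules)

def authorize_request(pkc, ac, store, rules, target, now):
    """Whole path of Fig. 7: decide the role from the certificates, then consult the policy."""
    role, reason = decide_role(pkc, ac, store, now)
    if role is None:
        return False, reason
    ok = authorized(rules, pkc.subject, role, target)
    return ok, "allowed" if ok else f"no rule for role {role!r} and {target!r}"

# Constructed sample data; the DN format follows the paper's example.
ALICE_DN = "CN=JP::ST=Aichi::L=Toyota::O=TCT::OU=ICE::CN=Alice"
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)
STORE = TrustStore(frozenset({"CN=TCT CA"}), frozenset({"CN=TCT AA"}),
                   frozenset({("CN=TCT AA", 99)}))   # AC serial 99 appears in the AA's CRL
ALICE_PKC = PKC(ALICE_DN, "CN=TCT CA", 1001, datetime(2008, 1, 1, tzinfo=timezone.utc),
                datetime(2010, 1, 1, tzinfo=timezone.utc))
ALICE_AC = AC(ALICE_DN, "CN=TCT AA", 7, datetime(2008, 1, 1, tzinfo=timezone.utc),
              datetime(2009, 1, 1, tzinfo=timezone.utc), "Employee")
POLICY = """
# Syntax 1: User ID, User's role, idVendor:idProduct
, Employee, 056e:6002
CN=JP::ST=Aichi::L=Toyota::O=TCT::OU=ICE::CN=Alice, Manager, 0781:5567
# Syntax 2: User ID, User's role, VM ID
, Employee, fedora7.img
"""
RULES = parse_policy(POLICY)
```

Every failure in `decide_role` yields no role at all, so the reference monitor never sees a partially verified user; an AC that has expired or appears in the AA's CRL is rejected until the card administrator writes a fresh AC to the card, which is the update path section 6 describes.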

7. Discussion

This paper has shown a novel RBAC-extended secure VMM architecture using ACs. By employing the proposed RBAC-extended secure VMM architecture, we can reduce the complexity of security policy for large-scale organizations. Moreover, an administrator does not need to update all computers' security policies when users' roles change; in such a case, a security administrator only has to update the users' ID cards. This paper employs a single CA model for user authentication and a non-hierarchical RBAC model for authorization. To deploy to large and complex organizations, we should support hierarchical CA and AA models. We also have to consider an efficient certificate revocation mechanism. On the other hand, this paper employs QEMU to show the usability of our proposal. We will integrate the RBAC-extended ID management framework into BitVisor, described in section 3.2.

8. Conclusion

A secure VMM is an architecture which is used as a foundation of security policy enforcement for distributed end-point computers. This paper has discussed the following policy management problems: (1) A user ID based policy mechanism cannot deal with frequent personnel changes in organizations, (2) A user ID based policy causes complexity of security policies. Therefore, this paper has shown basic design and prototype implementation of RBAC-extended ID management framework for a secure VMM architecture. Our proposal will be able to reduce costs of policy management for distributed computers.

Acknowledgements

This work is supported by Special Coordination Funds for Promoting Science and Technology of Ministry of Education, Culture, Sports, Science and Technology, Japan.

References

[1] L. Seawright and R. MacKinnon. VM/370 - a study of multiplicity and usefulness. IBM Systems Journal, pages 4–17, 1979.
[2] Stuart E. Madnick and John J. Donovan. Application and analysis of the virtual machine approach to information system security and isolation. In Proceedings of the Workshop on Virtual Computer Systems, ACM Press, pages 210–224, 1973.
[3] Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramon Caceres, Ronald Perez, Stefan Berger, John Linwood Griffin, and Leendert van Doorn. Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor. In Annual Computer Security Applications Conference, pages 276–285, 2005.
[4] R. Meushaw and D. Simard. NetTop: Commercial Technology in High Assurance Applications. In National Security Agency Tech Trend Notes, 2000.
[5] Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan Boneh. Terra: a virtual machine-based platform for trusted computing. In Proceedings of the ACM Symposium on Operating Systems Principles, pages 193–206, 2003.
[6] Manabu Hirano, Takeshi Okuda, Eiji Kawai, and Suguru Yamaguchi. Design and Implementation of a Portable ID Management Framework for a Secure Virtual Machine Monitor. Journal of Information Assurance and Security (JIAS), Dynamic Publishers, 2:211–216, 2007.
[7] D. Ferraiolo and R. Kuhn. Role-based access controls. In 15th NIST-NCSC National Computer Security Conference, pages 554–563, 1992.
[8] Ravi Sandhu, David Ferraiolo, and Richard Kuhn. The NIST model for role-based access control: Towards a unified standard.
[9] T. Richardson, Q. Stafford-Fraser, K. R. Wood, and A. Hopper. Virtual network computing. IEEE Internet Computing, 2(1):33–38, Jan/Feb 1998.
[10] Ravi S. Sandhu and Pierangela Samarati. Access control: Principles and practice. IEEE Communications Magazine, 32(9):40–48, 1994.
[11] TCG. TPM Specification, Version 1.2.
[12] Department of Defense Standard. Department of Defense Trusted Computer System Evaluation Criteria. DoD 5200.28-STD, Dec 1998.
[13] SecureVM Project. http://www.securevm.org/.
[14] S. Kent and K. Seo. Security Architecture for the Internet Protocol. RFC 4301, 2005.
[15] D. Harkins and D. Carrel. The Internet Key Exchange (IKE). RFC 2409, 1998.
[16] IEEE 1619-2007. IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices, 2007.
[17] R. Housley, W. Polk, W. Ford, and D. Solo. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 3280, 2002.
[18] S. Farrell and R. Housley. An Internet Attribute Certificate Profile for Authorization. RFC 3281, 2002.
[19] David W. Chadwick and Alexander Otenko. The PERMIS X.509 role based privilege management infrastructure. Future Generation Computer Systems, 19:277–289, 2003.
[20] QEMU open source processor emulator. http://www.qemu.org/.
[21] PCSC-Lite. http://pcsclite.alioth.debian.org/.
[22] Athena CCID driver. http://www.athena-scs.com/downloads.asp.
