Experimental Requirements
1. Become familiar with deploying the Xen virtualization platform;
2. Analyze and verify the Simple Type Enforcement (STE) and Chinese Wall policies of the Xen sHype/ACM security architecture and the mechanisms that implement them.
Chapter 1 Xen Environment Deployment
1.1 Version Selection
Because Ubuntu is widely used and its packages are easy to download, we chose Ubuntu for the Xen deployment. The LTS releases to choose from are as follows [1]:
1) Ubuntu 10.04 uses the Linux 2.6.32 kernel; since kernels before Linux 3.0 do not support Xen [2], the kernel has to be recompiled, which is time-consuming and laborious; after the kernel is recompiled it supports Xen 4.0;
2) Ubuntu 12.04 uses the Linux 3.2+ kernel and supports Xen 4.1; Xen lists the xm toolset as deprecated from 4.1 onwards [3]. Configuring the ACM/sHype policy is more convenient with the xm tools;
3) Ubuntu 12.04 with the Linux 3.2+ kernel also supports Xen 4.2, but from Xen 4.2 onwards the ACM security module is no longer supported, so that version is not appropriate;
4) Ubuntu 14.04 uses the Linux 3.13+ kernel and supports Xen 4.4;
5) Ubuntu 15.04 uses the Linux 3.19.3 kernel and supports Xen 4.5; Xen drops the xm toolset (xend) from 4.5 and replaces it with the xl toolset [3].
Taking the above into account, deploying Xen on Ubuntu 12.04 x64 with Xen 4.1 would be the most appropriate choice; this article nevertheless chose the Ubuntu 14.04 x64 + Xen 4.1 combination, which turned out to install successfully.
Following the recommendation in [4], a 64-bit Ubuntu installation is the more reasonable choice, so our installation image was finally ubuntu-14.04-desktop-amd64.iso.
Since Xen's Dom0 supports only a limited set of graphics cards and does not support the default graphics card of a VMware Workstation virtual machine, rebooting after installing Xen leaves the system with a black screen and unusable. This experiment therefore cannot use a VMware virtual machine; Ubuntu has to be installed on a physical machine.
Use the tutorial in [5] to make an Ubuntu 14.04 LTS x64 USB installation drive, then install from it. If the machine dual-boots with Windows, you will need to restore the boot menu with EasyBCD and enter the Ubuntu system through that boot menu.
1.2 Downloading the Xen source and installing dependency packages
Since the Xen binary release packages do not include the XSM feature by default, enabling XSM requires changing the build options and recompiling. This article therefore installs Xen from source.
Since February 2013 the Xen source has been managed with git; its repository address is:
git://xenbits.xen.org/xen.git
The commands used to download the source are:
git clone git://xenbits.xen.org/xen.git
cd xen
git checkout stable-4.1
The download requires git, which must be installed in advance:
apt-get install git
Then install the dependency packages:
apt-get install bcc bin86 gawk bridge-utils iproute libcurl3 libcurl4-openssl-dev bzip2 module-init-tools transfig tgif texinfo texlive-latex-base texlive-latex-recommended texlive-fonts-extra texlive-fonts-recommended pciutils-dev mercurial build-essential make gcc libc6-dev zlib1g-dev python python-dev python-twisted libncurses5 libncurses5-dev patch libvncserver-dev libsdl-dev libjpeg62-dev iasl libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev bison flex binutils xorg-dev udev gettext libgcrypt11-dev libssl-dev pciutils libglib2.0-dev gcc-multilib fakeroot pkg-config libpci-dev crash kexec-tools makedumpfile
1.3 Compiling the Xen source
1) From Xen 4.0 on, XSM offers two modules, ACM and Flask; neither is enabled by default, so you need to select one and then compile. The relevant lines of Config.mk are:
XSM_ENABLE ?= n
FLASK_ENABLE ?= n
ACM_SECURITY ?= n
2) From Xen 4.2 on, Flask is the default XSM module: it is enabled whenever XSM is enabled, and ACM is no longer enabled by default. The relevant lines of Config.mk are:
XSM_ENABLE ?= n
FLASK_ENABLE ?= $(XSM_ENABLE)
Because the version used in this article is Xen 4.1, Config.mk must be modified as follows:
XSM_ENABLE ?= y
FLASK_ENABLE ?= n
ACM_SECURITY ?= y
Then run the following commands to compile and install:
make dist    (or: make xen tools stubdom)
make install-xen
make install-tools PYTHON_PREFIX_ARG='--install-layout=deb'
make install-stubdom
1.4 Modifying /etc/modules
Edit the /etc/modules file and add the following lines:
xen-evtchn
xen-gntdev
xen-netback
xen-blkback
xenfs
blktap
1.5 Adding a library search path
Edit the /etc/ld.so.conf.d/libc.conf file and add the following lines:
/usr/local/lib    (already present)
/lib64
/usr/lib
/usr/lib64
Run the ldconfig command to make the change take effect.
1.6 Modifying the GRUB boot entries
Step one: edit the /etc/default/grub file, change GRUB_TIMEOUT=10 to GRUB_TIMEOUT=-1, and change GRUB_HIDDEN_TIMEOUT=0 to GRUB_HIDDEN_TIMEOUT=10.
Step two: run update-grub.
On Ubuntu 14.04 the 'Ubuntu, with Xen hypervisor' boot entry is generated automatically in /boot/grub/grub.cfg, so there is no need to configure it by hand as on Ubuntu 12.04.
Reboot the system.
1.7 Testing the Xen environment
Start xend first:
service xencommons start    // start xencommons
ifconfig eth0 down    // take the network card down before starting xend and bring it back up afterwards (otherwise an error is reported; the reason is unknown)
service xend start
ifconfig eth0 up
Then run the xm list command; the result is as follows:
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0 15610     8     r-----   1305.5
Edit the /etc/xen/xend-config.sxp file: uncomment (xend-unix-server no) and change it to (xend-unix-server yes), and uncomment (xend-unix-path /var/lib/xend/xend-socket).
1.8 Creating a virtual machine
First you need to make a disk file for the virtual machine; enter the following commands to create a 10 GB disk file:
dd if=/dev/zero of=vm1disk bs=1k seek=10000k count=0
mkfs -t ext3 vm1disk    (answer y when asked to confirm)
mount -o loop vm1disk /mnt
cp -ax /{root,dev,var,etc,usr,bin,sbin,lib} /mnt
mkdir /mnt/{proc,sys,home,tmp}
Then make your own changes to /mnt/etc/fstab and /mnt/etc/hostname, which are omitted here.
umount /mnt
At this point the virtual machine disk file vm1disk is created; vm2disk is created in the same way.
Next, edit the virtual machine configuration file /root/domain1.xm, whose contents are as follows:
kernel = "/boot/vmlinuz-3.13.0-24-generic.efi.signed"
memory = 512
name = "domain1"
dhcp = "dhcp"
disk = ['tap:aio:/root/vm1disk,sda1,w']
root = "/dev/sda1 ro xencons=tty"
Finally, run the command:
xm create domain1.xm
Under normal circumstances the virtual machine domain1 should now be running. The xm console domain1 command opens the terminal command line of the virtual machine domain1, as shown in the figure.
Then create domain2.xm in the same way and run xm create domain2.xm to start the domain2 virtual machine.
1.9 Testing the ACM/sHype environment
Edit /etc/xen/xend-config.sxp and add (xsm_module_name acm); otherwise the ACM policy type is treated as unsupported ("unspecified XSM type used"), and running the xm getpolicy command reports an error with the hint "Supported security subsystems: None". Modifying xend-config.sxp in the source tree does not seem to take effect; only the installed file can be modified.
Run the xensec_tool getpolicy command; if the output is as shown in the figure, the ACM/sHype environment is complete.
Install Python 2.7 x64 and wxPython 3.0 x64 for Python 2.7 on Windows; the wxPython download page is: http://www.wxpython.org/download.php#msw
Also install wxPython on Ubuntu:
apt-get install python-wxgtk2.8 python-wxtools
Run the following command; if the interface shown appears, the policy configuration tool is installed.
python /usr/sbin/xensec_ezpolicy
Chapter 2 ACM Policy Configuration
In xensec_ezpolicy, click the New Org button and add three organizations: A-Bank, B-Bank and AutoCorp, then create two departments under A-Bank: SecurityUnderwriting and MarketAnalysis. Next select the three items __UNLABELED__, A-Bank and B-Bank and click the Create run-time exclusion rule from selection button to add them to one conflict set; in the same way add the three items __UNLABELED__, A-Bank.MarketAnalysis and A-Bank.SecurityUnderwriting to another conflict set. The end result is as follows:
Select File -> Save as Xen ACM Security Policy... in the menu and save the policy file to the path /etc/xen/acm-security/policies/mytest-security_policy.xml
The final content of the file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Auto-generated by ezPolicy -->
<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
  <PolicyHeader>
    <PolicyName>mytest</PolicyName>
    <Date>Tue June 14:41:58 2015</Date>
    <Version>1.0</Version>
  </PolicyHeader>
  <SimpleTypeEnforcement>
    <SimpleTypeEnforcementTypes>
      <Type>SystemManagement</Type>
      <Type>__UNLABELED__</Type>
      <Type>A-Bank</Type>
      <Type>A-Bank.SecurityUnderwriting</Type>
      <Type>A-Bank.MarketAnalysis</Type>
      <Type>B-Bank</Type>
      <Type>AutoCorp</Type>
    </SimpleTypeEnforcementTypes>
  </SimpleTypeEnforcement>
  <ChineseWall priority="PrimaryPolicyComponent">
    <ChineseWallTypes>
      <Type>SystemManagement</Type>
      <Type>__UNLABELED__</Type>
      <Type>A-Bank</Type>
      <Type>A-Bank.SecurityUnderwriting</Type>
      <Type>A-Bank.MarketAnalysis</Type>
      <Type>B-Bank</Type>
      <Type>AutoCorp</Type>
    </ChineseWallTypes>
    <ConflictSets>
      <Conflict name="RER">
        <Type>__UNLABELED__</Type>
        <Type>A-Bank</Type>
        <Type>B-Bank</Type>
      </Conflict>
      <Conflict name="RER">
        <Type>__UNLABELED__</Type>
        <Type>A-Bank.MarketAnalysis</Type>
        <Type>A-Bank.SecurityUnderwriting</Type>
      </Conflict>
    </ConflictSets>
  </ChineseWall>
  <SecurityLabelTemplate>
    <SubjectLabels bootstrap="SystemManagement">
      <VirtualMachineLabel>
        <Name>SystemManagement</Name>
        <SimpleTypeEnforcementTypes>
          <Type>SystemManagement</Type>
          <Type>__UNLABELED__</Type>
          <Type>A-Bank</Type>
          <Type>A-Bank.SecurityUnderwriting</Type>
          <Type>A-Bank.MarketAnalysis</Type>
          <Type>B-Bank</Type>
          <Type>AutoCorp</Type>
        </SimpleTypeEnforcementTypes>
        <ChineseWallTypes>
          <Type>SystemManagement</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>
      <VirtualMachineLabel>
        <Name>__UNLABELED__</Name>
        <SimpleTypeEnforcementTypes>
          <Type>__UNLABELED__</Type>
        </SimpleTypeEnforcementTypes>
        <ChineseWallTypes>
          <Type>__UNLABELED__</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>
      <VirtualMachineLabel>
        <Name>A-Bank</Name>
        <SimpleTypeEnforcementTypes>
          <Type>A-Bank</Type>
        </SimpleTypeEnforcementTypes>
        <ChineseWallTypes>
          <Type>A-Bank</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>
      <VirtualMachineLabel>
        <Name>A-Bank.SecurityUnderwriting</Name>
        <SimpleTypeEnforcementTypes>
          <Type>A-Bank.SecurityUnderwriting</Type>
        </SimpleTypeEnforcementTypes>
        <ChineseWallTypes>
          <Type>A-Bank</Type>
          <Type>A-Bank.SecurityUnderwriting</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>
      <VirtualMachineLabel>
        <Name>A-Bank.MarketAnalysis</Name>
        <SimpleTypeEnforcementTypes>
          <Type>A-Bank.MarketAnalysis</Type>
        </SimpleTypeEnforcementTypes>
        <ChineseWallTypes>
          <Type>A-Bank</Type>
          <Type>A-Bank.MarketAnalysis</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>
      <VirtualMachineLabel>
        <Name>B-Bank</Name>
        <SimpleTypeEnforcementTypes>
          <Type>B-Bank</Type>
        </SimpleTypeEnforcementTypes>
        <ChineseWallTypes>
          <Type>B-Bank</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>
      <VirtualMachineLabel>
        <Name>AutoCorp</Name>
        <SimpleTypeEnforcementTypes>
          <Type>AutoCorp</Type>
        </SimpleTypeEnforcementTypes>
        <ChineseWallTypes>
          <Type>AutoCorp</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>
    </SubjectLabels>
    <ObjectLabels>
      <ResourceLabel>
        <Name>SystemManagement</Name>
        <SimpleTypeEnforcementTypes>
          <Type>SystemManagement</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>
      <ResourceLabel>
        <Name>__UNLABELED__</Name>
        <SimpleTypeEnforcementTypes>
          <Type>__UNLABELED__</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>
      <ResourceLabel>
        <Name>A-Bank</Name>
        <SimpleTypeEnforcementTypes>
          <Type>A-Bank</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>
      <ResourceLabel>
        <Name>A-Bank.SecurityUnderwriting</Name>
        <SimpleTypeEnforcementTypes>
          <Type>A-Bank.SecurityUnderwriting</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>
      <ResourceLabel>
        <Name>A-Bank.MarketAnalysis</Name>
        <SimpleTypeEnforcementTypes>
          <Type>A-Bank.MarketAnalysis</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>
      <ResourceLabel>
        <Name>B-Bank</Name>
        <SimpleTypeEnforcementTypes>
          <Type>B-Bank</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>
      <ResourceLabel>
        <Name>AutoCorp</Name>
        <SimpleTypeEnforcementTypes>
          <Type>AutoCorp</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>
    </ObjectLabels>
  </SecurityLabelTemplate>
</SecurityPolicyDefinition>
Next, shut down all virtual machines and run the following commands to make the policy just edited take effect:
xm resetpolicy
xm setpolicy ACM mytest
Then set the labels of domain1 and domain2 to A-Bank and B-Bank respectively:
xm addlabel A-Bank dom domain1.xm
xm addlabel B-Bank dom domain2.xm
Next, set the A-Bank and B-Bank labels on the virtual disk files:
xm addlabel A-Bank res tap:aio:/root/vm1disk
xm addlabel B-Bank res tap:aio:/root/vm2disk
The result of these settings is shown in the figure. This ensures that the virtual machine domain1 can access the disk file vm1disk and domain2 can access vm2disk, so the virtual machines are created successfully, which verifies the STE policy.
Then create the domain1 virtual machine, keep it running, and start the domain2 virtual machine:
xm create domain1.xm
xm create domain2.xm
At this point we find that creating domain2 fails, with the prompt shown: Error: Domain in conflict set with running domain?
This is because under the Chinese Wall policy the label of domain1 is A-Bank and the label of domain2 is B-Bank, and A-Bank and B-Bank belong to the same conflict-of-interest class (run-time exclusion rule), so they cannot run on the same host at the same time.
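To make the two decisions exercised in this chapter concrete, here is an added example that is not part of the original tutorial: a small Python checker that reads a policy in the XML layout xensec_ezpolicy writes and reproduces the STE decision (domain and resource must share a type) and the Chinese Wall decision (a domain may not start while a domain of another type from the same conflict set is running). It embeds a constructed cut-down copy of the mytest policy above, and the function names are my own, not part of the Xen tools.

```python
# Added example, not part of the tutorial: load an ACM policy in the XML layout written by xensec_ezpolicy
# and apply the two sHype checks it exercises: STE (may a domain use a resource?) and Chinese Wall (may a domain start beside the running ones?).
import xml.etree.ElementTree as ET

NS = "{http://www.ibm.com}"  # default namespace of the ezPolicy output
# Constructed cut-down copy of the tutorial's "mytest" policy: same labels, same conflict sets.
POLICY_XML = """<SecurityPolicyDefinition xmlns="http://www.ibm.com"><ChineseWall priority="PrimaryPolicyComponent">
<ConflictSets><Conflict name="RER"><Type>__UNLABELED__</Type><Type>A-Bank</Type><Type>B-Bank</Type></Conflict>
<Conflict name="RER"><Type>__UNLABELED__</Type><Type>A-Bank.MarketAnalysis</Type><Type>A-Bank.SecurityUnderwriting</Type></Conflict>
</ConflictSets></ChineseWall><SecurityLabelTemplate><SubjectLabels bootstrap="SystemManagement">
<VirtualMachineLabel><Name>A-Bank</Name><SimpleTypeEnforcementTypes><Type>A-Bank</Type></SimpleTypeEnforcementTypes>
<ChineseWallTypes><Type>A-Bank</Type></ChineseWallTypes></VirtualMachineLabel>
<VirtualMachineLabel><Name>B-Bank</Name><SimpleTypeEnforcementTypes><Type>B-Bank</Type></SimpleTypeEnforcementTypes>
<ChineseWallTypes><Type>B-Bank</Type></ChineseWallTypes></VirtualMachineLabel>
<VirtualMachineLabel><Name>A-Bank.MarketAnalysis</Name><SimpleTypeEnforcementTypes><Type>A-Bank.MarketAnalysis</Type>
</SimpleTypeEnforcementTypes><ChineseWallTypes><Type>A-Bank</Type><Type>A-Bank.MarketAnalysis</Type></ChineseWallTypes></VirtualMachineLabel>
<VirtualMachineLabel><Name>A-Bank.SecurityUnderwriting</Name><SimpleTypeEnforcementTypes><Type>A-Bank.SecurityUnderwriting</Type>
</SimpleTypeEnforcementTypes><ChineseWallTypes><Type>A-Bank</Type><Type>A-Bank.SecurityUnderwriting</Type></ChineseWallTypes></VirtualMachineLabel>
</SubjectLabels><ObjectLabels>
<ResourceLabel><Name>A-Bank</Name><SimpleTypeEnforcementTypes><Type>A-Bank</Type></SimpleTypeEnforcementTypes></ResourceLabel>
<ResourceLabel><Name>B-Bank</Name><SimpleTypeEnforcementTypes><Type>B-Bank</Type></SimpleTypeEnforcementTypes></ResourceLabel>
</ObjectLabels></SecurityLabelTemplate></SecurityPolicyDefinition>"""

def _types(elem, container):
    return {t.text for t in elem.findall(f"{NS}{container}/{NS}Type")}

def load_policy(xml_text):
    root = ET.fromstring(xml_text)
    vm = {lab.find(f"{NS}Name").text: (_types(lab, "SimpleTypeEnforcementTypes"), _types(lab, "ChineseWallTypes"))
          for lab in root.iter(f"{NS}VirtualMachineLabel")}  # label -> (STE types, Chinese Wall types)
    res = {lab.find(f"{NS}Name").text: _types(lab, "SimpleTypeEnforcementTypes")
           for lab in root.iter(f"{NS}ResourceLabel")}  # label -> STE types
    conflicts = [{t.text for t in c.findall(f"{NS}Type")} for c in root.iter(f"{NS}Conflict")]
    return {"vm": vm, "res": res, "conflicts": conflicts}

def ste_allows(policy, vm_label, res_label):
    """STE: a domain may use a resource only if the two labels share an STE type."""
    return bool(policy["vm"][vm_label][0] & policy["res"][res_label])

def chwall_allows_start(policy, running_labels, new_label):
    """Chinese Wall: refuse the new domain if one of its CW types lies in a conflict set that
    already has a different member running (a type never conflicts with itself)."""
    new_cw = policy["vm"][new_label][1]
    for cset in policy["conflicts"]:
        for r in running_labels:
            running_cw = policy["vm"][r][1]
            if running_cw & cset and (new_cw & cset) - running_cw:
                return False
    return True
```

With domain1 (A-Bank) running, chwall_allows_start refuses B-Bank, which is the failure shown above, but still admits a second A-Bank domain or an AutoCorp one.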
Chapter 3 Errors Encountered and Solutions
1. Compiling the tools fails with the message that the check_python_devel check failed; this is a bug.
Solution: edit the xen/tools/check/check_python_devel file and remove the check it performs.
2. Compiling the tools fails with the message undefined reference to symbol 'timer_settime@@GLIBC_2.3.3'.
Solution: following the instructions in http://stackoverflow.com/questions/18286738/undefined-reference-to-symbol-timer-settimeglibc-2-3-3, change LIBS+=-lm in xen/tools/ioemu-remote/Makefile.target to LIBS+=-lz -lrt -lm.
3. Compiling the tools fails with the message xg_main.c:181:52: error: 'ulong' undeclared (first use in this function).
Solution: refer to http://lists.xen.org/archives/html/xen-devel/2012-12/msg00429.html
Edit xen/tools/debugger/gdbsx/xg/xg_main.c and add #include <sys/types.h> at the beginning of the file.
4. Compiling the tools fails with the message ocamlfind: command not found.
Solution: apt-get install ocaml-findlib
5. Compiling the tools fails with the message Error: Unbound module Xenbus.
Solution: edit line 118 of xen/tools/ocaml/xenstored/connection.ml, comment out the three lines there, and add let is_backend_mmap con = false
6. How to record video on Ubuntu.
Solution: use Kazam for screen recording, as follows:
apt-get install kazam
apt-get install pulseaudio
pulseaudio    // start the PulseAudio server
kazam    // run the screen-recording software
Chapter 4 References
[1] List of Ubuntu releases. http://en.wikipedia.org/wiki/List_of_Ubuntu_releases#Table_of_versions
[2] Installing Xen 4 on Ubuntu 12.04. http://www.cppblog.com/LIULIANG/archive/2012/09/21/191481.html
[3] XEND. http://wiki.xen.org/wiki/XEND
[4] Installing Xen 4.0.1 on Ubuntu 10.04 (with grub2). http://www.codesky.net/article/201107/174124.html
[5] How to install Ubuntu from a USB drive. http://jingyan.baidu.com/article/a3761b2b66fe141577f9aa51.html
Xen Security Architecture sHype/ACM Policy Configuration Illustrated Tutorial