Xen Security Architecture sHype/ACM Policy Configuration Illustrated Tutorial

Source: Internet
Author: User
Tags: ocaml, xen, hypervisor


Experimental Requirements

1. Become familiar with deploying the Xen virtualization platform;

2. Analyze and verify the Simple Type Enforcement (STE) and Chinese Wall policies of the Xen sHype/ACM security architecture and their implementation mechanisms.


Chapter 1. Xen Environment Deployment
1.1 Version Selection

Because Ubuntu is widely used and its software packages are easy to download, we chose Ubuntu for the Xen deployment. The selectable LTS releases are as follows [1]:

1) Ubuntu 10.04 uses the Linux 2.6.32 kernel. Because kernels before Linux 3.0 do not support Xen [2], the kernel has to be recompiled, which is time-consuming and laborious; after the kernel is recompiled, Xen 4.0 is supported;

2) Ubuntu 12.04 uses the Linux 3.2+ kernel and supports Xen 4.1; Xen lists the xm toolset as deprecated [3] from 4.1 onwards. Configuring the ACM/sHype policy is more convenient with the xm tools;

3) Ubuntu 12.04 with the Linux 3.2+ kernel also supports Xen 4.2, but starting from Xen 4.2 the ACM security module is no longer supported, so it is not appropriate;

4) Ubuntu 14.04 with the Linux 3.13+ kernel supports Xen 4.4;

5) Ubuntu 15.04 uses the Linux 3.19.3 kernel and supports Xen 4.5; from 4.5 onwards Xen removes the xm toolset (xend) and replaces it with the xl toolset [3].


Taking the above into account, deploying Xen on Ubuntu 12.04 x64 with Xen 4.1 would be the most appropriate choice, but this article chose the Ubuntu 14.04 x64 + Xen 4.1 combination, which turned out to install successfully.

According to the recommendations in [4], the 64-bit Ubuntu installation is the more reasonable choice. So the installation image was finally chosen as ubuntu-14.04-desktop-amd64.iso.

Since Xen's Dom0 supports only a limited number of graphics cards and does not support the default graphics card of a VMware Workstation virtual machine, rebooting after installing Xen leaves the system with a black screen and unusable. Therefore, this experiment cannot use a VMware virtual machine; Ubuntu has to be installed on a physical machine.

Use the tutorial in [5] to make an Ubuntu 14.04 LTS x64 USB installation drive, then install from it. If you are dual-booting with Windows, you will need to restore the boot menu with EasyBCD and enter the Ubuntu system through the boot menu.


1.2 Downloading the Xen source and installing dependency packages

Since the binary packages released by Xen do not include the XSM feature by default, enabling XSM requires changing the build options and recompiling. So this article installs Xen from source.

Since February 2013 the Xen source has been managed with git; its repository address is:

git://xenbits.xen.org/xen.git


The commands used to download the source are:

git clone git://xenbits.xen.org/xen.git
cd xen
git checkout stable-4.1


Compiling requires git, which must be installed in advance:

apt-get install git

Then install the dependency packages:

apt-get install bcc bin86 gawk bridge-utils iproute libcurl3 libcurl4-openssl-dev bzip2 module-init-tools transfig tgif texinfo texlive-latex-base texlive-latex-recommended texlive-fonts-extra texlive-fonts-recommended pciutils-dev mercurial build-essential make gcc libc6-dev zlib1g-dev python python-dev python-twisted libncurses5 libncurses5-dev patch libvncserver-dev libsdl-dev libjpeg62-dev iasl libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev bison flex binutils xorg-dev udev gettext libgcrypt11-dev libssl-dev pciutils libglib2.0-dev gcc-multilib fakeroot pkg-config libpci-dev crash kexec-tools makedumpfile

1.3 Compiling the Xen Source

1) After Xen 4.0, XSM has two modules, ACM and FLASK; neither is enabled by default, so you need to select one and then compile. The relevant content of the Config.mk file is as follows:

XSM_ENABLE ?= n
FLASK_ENABLE ?= n
ACM_SECURITY ?= n


2) Starting with Xen 4.2, FLASK becomes the default XSM module: FLASK is enabled by default whenever XSM is enabled, and ACM is not enabled by default. The relevant content of its Config.mk file is as follows:

XSM_ENABLE ?= n
FLASK_ENABLE ?= $(XSM_ENABLE)

Because the version used in this article is Xen 4.1, Config.mk must be modified as follows:

XSM_ENABLE ?= y
FLASK_ENABLE ?= n
ACM_SECURITY ?= y

Then run the following commands to compile and install (either make dist, or the individual build targets):

make dist
(or: make xen tools stubdom)
make install-xen
make install-tools PYTHON_PREFIX_ARG='--install-layout=deb'
make install-stubdom

1.4 Modifying /etc/modules

Modify the /etc/modules file and add the following lines:

xen-evtchn
xen-gntdev
xen-netback
xen-blkback
xenfs
blktap

1.5 Adding a library search path

Modify the /etc/ld.so.conf.d/libc.conf file and add the following lines:

/usr/local/lib (already present)
/lib64
/usr/lib
/usr/lib64

Run the ldconfig command to make the changes effective.


1.6 Modifying the GRUB boot entries

Step one: modify the /etc/default/grub file, changing GRUB_TIMEOUT=10 to GRUB_TIMEOUT=-1 and GRUB_HIDDEN_TIMEOUT=0 to GRUB_HIDDEN_TIMEOUT=10.

Step two: execute update-grub.

Ubuntu 14.04 automatically generates the 'Ubuntu, with Xen hypervisor' boot entry in /boot/grub/grub.cfg, so you do not need to configure it manually as on Ubuntu 12.04.

Reboot the system.


1.7 Testing the Xen environment

Start xend first:

service xencommons start (start xencommons)
ifconfig eth0 down (bring the network card down before starting xend and bring it back up afterwards; if you do not, an error is reported, and the reason is unknown)
service xend start
ifconfig eth0 up

Then run the xm list command, with the following result:


Name        ID   Mem    VCPUs   State    Time(s)
Domain-0     0   15610      8   r-----   1305.5

Modify the /etc/xen/xend-config.sxp file: uncomment (xend-unix-server no) and change it to (xend-unix-server yes), and uncomment (xend-unix-path /var/lib/xend/xend-socket).


1.8 Creating a virtual machine

First, make a disk file for the virtual machine. Enter the following commands to create a 10GB disk file:

dd if=/dev/zero of=vm1disk bs=1k seek=10000k count=0
mkfs -t ext3 vm1disk (answer y when asked for confirmation)
mount -o loop vm1disk /mnt
cp -ax /{root,dev,var,etc,usr,bin,sbin,lib} /mnt
mkdir /mnt/{proc,sys,home,tmp}


Then make custom modifications to /mnt/etc/fstab and /mnt/etc/hostname, which are omitted here.

umount /mnt


At this point the virtual machine disk file vm1disk is created; vm2disk is created in the same way.

Next, edit the virtual machine configuration file /root/domain1.xm, which reads as follows:

kernel = "/boot/vmlinuz-3.13.0-24-generic.efi.signed"
memory = 512
name = "domain1"
dhcp = "dhcp"
disk = ['tap:aio:/root/vm1disk,sda1,w']
root = "/dev/sda1 ro xencons=tty"


Finally, run the command:

xm create domain1.xm


Under normal circumstances, the virtual machine domain1 should now be started. The xm console domain1 command opens the terminal command line of domain1, as shown in the figure.



Then create domain2.xm in the same way, and run xm create domain2.xm to start the domain2 virtual machine.


1.9 Testing the ACM/sHype environment

Modify /etc/xen/xend-config.sxp and add (xsm_module_name acm); otherwise the ACM policy type is treated as unsupported (unspecified XSM type used), and running the xm getpolicy command reports the error "Supported security subsystems: None". Modifying xend-config.sxp in the source tree does not seem to take effect; only the installed file can be modified.

Run the xensec_tool getpolicy command. If the result is as shown in the figure, the ACM/sHype environment is complete.


Install Python 2.7 x64 and wxPython 3.0 x64 for Python 2.7 on Windows; the wxPython download page is: http://www.wxpython.org/download.php#msw

Also install wxPython on Ubuntu:

apt-get install python-wxgtk2.8 python-wxtools


Run the following command; if the interface shown appears, the policy configuration tool is installed.

python /usr/sbin/xensec_ezpolicy



Chapter 2. ACM Policy Configuration

In xensec_ezpolicy, click the New Org button and add three organizations: A-Bank, B-Bank, and AutoCorp, and create two departments under A-Bank: SecurityUnderwriting and MarketAnalysis. Then select the three items __UNLABELED__, A-Bank, and B-Bank, click the "Create run-time exclusion rule from selection" button to add them to a conflict set, and in the same way add the three items __UNLABELED__, A-Bank.MarketAnalysis, and A-Bank.SecurityUnderwriting to a conflict set. The final result is as shown in the figure.


Select File -> Save as Xen ACM Security Policy... from the menu and save the policy file to the path /etc/xen/acm-security/policies/mytest-security_policy.xml

The final content of the file is as follows:


<?xml version="1.0" encoding="UTF-8"?>
<!-- Auto-generated by ezPolicy -->
<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
    <PolicyHeader>
        <PolicyName>mytest</PolicyName>
        <Date>Tue June 14:41:58 2015</Date>
        <Version>1.0</Version>
    </PolicyHeader>
    <SimpleTypeEnforcement>
        <SimpleTypeEnforcementTypes>
            <Type>SystemManagement</Type>
            <Type>__UNLABELED__</Type>
            <Type>A-Bank</Type>
            <Type>A-Bank.SecurityUnderwriting</Type>
            <Type>A-Bank.MarketAnalysis</Type>
            <Type>B-Bank</Type>
            <Type>AutoCorp</Type>
        </SimpleTypeEnforcementTypes>
    </SimpleTypeEnforcement>
    <ChineseWall priority="PrimaryPolicyComponent">
        <ChineseWallTypes>
            <Type>SystemManagement</Type>
            <Type>__UNLABELED__</Type>
            <Type>A-Bank</Type>
            <Type>A-Bank.SecurityUnderwriting</Type>
            <Type>A-Bank.MarketAnalysis</Type>
            <Type>B-Bank</Type>
            <Type>AutoCorp</Type>
        </ChineseWallTypes>
        <ConflictSets>
            <Conflict name="RER">
                <Type>__UNLABELED__</Type>
                <Type>A-Bank</Type>
                <Type>B-Bank</Type>
            </Conflict>
            <Conflict name="RER">
                <Type>__UNLABELED__</Type>
                <Type>A-Bank.MarketAnalysis</Type>
                <Type>A-Bank.SecurityUnderwriting</Type>
            </Conflict>
        </ConflictSets>
    </ChineseWall>
    <SecurityLabelTemplate>
        <SubjectLabels bootstrap="SystemManagement">
            <VirtualMachineLabel>
                <Name>SystemManagement</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>SystemManagement</Type>
                    <Type>__UNLABELED__</Type>
                    <Type>A-Bank</Type>
                    <Type>A-Bank.SecurityUnderwriting</Type>
                    <Type>A-Bank.MarketAnalysis</Type>
                    <Type>B-Bank</Type>
                    <Type>AutoCorp</Type>
                </SimpleTypeEnforcementTypes>
                <ChineseWallTypes>
                    <Type>SystemManagement</Type>
                </ChineseWallTypes>
            </VirtualMachineLabel>
            <VirtualMachineLabel>
                <Name>__UNLABELED__</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>__UNLABELED__</Type>
                </SimpleTypeEnforcementTypes>
                <ChineseWallTypes>
                    <Type>__UNLABELED__</Type>
                </ChineseWallTypes>
            </VirtualMachineLabel>
            <VirtualMachineLabel>
                <Name>A-Bank</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>A-Bank</Type>
                </SimpleTypeEnforcementTypes>
                <ChineseWallTypes>
                    <Type>A-Bank</Type>
                </ChineseWallTypes>
            </VirtualMachineLabel>
            <VirtualMachineLabel>
                <Name>A-Bank.SecurityUnderwriting</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>A-Bank.SecurityUnderwriting</Type>
                </SimpleTypeEnforcementTypes>
                <ChineseWallTypes>
                    <Type>A-Bank</Type>
                    <Type>A-Bank.SecurityUnderwriting</Type>
                </ChineseWallTypes>
            </VirtualMachineLabel>
            <VirtualMachineLabel>
                <Name>A-Bank.MarketAnalysis</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>A-Bank.MarketAnalysis</Type>
                </SimpleTypeEnforcementTypes>
                <ChineseWallTypes>
                    <Type>A-Bank</Type>
                    <Type>A-Bank.MarketAnalysis</Type>
                </ChineseWallTypes>
            </VirtualMachineLabel>
            <VirtualMachineLabel>
                <Name>B-Bank</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>B-Bank</Type>
                </SimpleTypeEnforcementTypes>
                <ChineseWallTypes>
                    <Type>B-Bank</Type>
                </ChineseWallTypes>
            </VirtualMachineLabel>
            <VirtualMachineLabel>
                <Name>AutoCorp</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>AutoCorp</Type>
                </SimpleTypeEnforcementTypes>
                <ChineseWallTypes>
                    <Type>AutoCorp</Type>
                </ChineseWallTypes>
            </VirtualMachineLabel>
        </SubjectLabels>
        <ObjectLabels>
            <ResourceLabel>
                <Name>SystemManagement</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>SystemManagement</Type>
                </SimpleTypeEnforcementTypes>
            </ResourceLabel>
            <ResourceLabel>
                <Name>__UNLABELED__</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>__UNLABELED__</Type>
                </SimpleTypeEnforcementTypes>
            </ResourceLabel>
            <ResourceLabel>
                <Name>A-Bank</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>A-Bank</Type>
                </SimpleTypeEnforcementTypes>
            </ResourceLabel>
            <ResourceLabel>
                <Name>A-Bank.SecurityUnderwriting</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>A-Bank.SecurityUnderwriting</Type>
                </SimpleTypeEnforcementTypes>
            </ResourceLabel>
            <ResourceLabel>
                <Name>A-Bank.MarketAnalysis</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>A-Bank.MarketAnalysis</Type>
                </SimpleTypeEnforcementTypes>
            </ResourceLabel>
            <ResourceLabel>
                <Name>B-Bank</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>B-Bank</Type>
                </SimpleTypeEnforcementTypes>
            </ResourceLabel>
            <ResourceLabel>
                <Name>AutoCorp</Name>
                <SimpleTypeEnforcementTypes>
                    <Type>AutoCorp</Type>
                </SimpleTypeEnforcementTypes>
            </ResourceLabel>
        </ObjectLabels>
    </SecurityLabelTemplate>
</SecurityPolicyDefinition>

Next, shut down all virtual machines and execute the following commands at the command line to make the policy you just edited take effect:

xm resetpolicy
xm setpolicy ACM mytest

Below, the labels of domain1 and domain2 are set to A-Bank and B-Bank respectively:

xm addlabel A-Bank dom domain1.xm
xm addlabel B-Bank dom domain2.xm

Next, set the A-Bank and B-Bank labels on the virtual disk files:

xm addlabel A-Bank res tap:aio:/root/vm1disk
xm addlabel B-Bank res tap:aio:/root/vm2disk

The result of these settings is shown in the figure. This ensures that the virtual machine domain1 can access the disk file vm1disk and the virtual machine domain2 can access the disk file vm2disk, so the virtual machines are created successfully, which verifies the STE policy.



Then create the domain1 virtual machine, keep domain1 running, and start the domain2 virtual machine:

xm create domain1.xm
xm create domain2.xm


At this point we find that creating the domain2 virtual machine fails, with the prompt "Error: Domain in conflict set with running domain?" as shown in the figure.




This is because in the Chinese Wall policy, domain1 is labeled A-Bank, domain2 is labeled B-Bank, and A-Bank and B-Bank are in the same conflict-of-interest class (run-time exclusion rule), so they cannot run on the same host at the same time.
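The two decisions verified above by hand, STE access of domain1/domain2 to their disk files and the Chinese Wall refusal to start domain2 beside domain1, can be reproduced offline from the policy XML. The following is an added example (not part of the original tutorial and not Xen's own ACM code); it assumes the trimmed, constructed copy of mytest embedded below and the sHype rule that a running domain blocks the other types of any conflict set it shares a type with.

```python
# Added example, not the tutorial's own code: evaluates the two sHype/ACM checks
# the tutorial verifies by hand (STE resource access, Chinese Wall exclusion).
import xml.etree.ElementTree as ET
NS = {"p": "http://www.ibm.com"}  # default namespace written by ezPolicy
# Constructed input: a trimmed copy of mytest (conflict sets, three VM labels,
# two resource labels; the full file also has SystemManagement and AutoCorp).
POLICY_XML = """<SecurityPolicyDefinition xmlns="http://www.ibm.com">
<ChineseWall priority="PrimaryPolicyComponent"><ConflictSets>
<Conflict name="RER"><Type>__UNLABELED__</Type><Type>A-Bank</Type><Type>B-Bank</Type></Conflict>
<Conflict name="RER"><Type>__UNLABELED__</Type><Type>A-Bank.MarketAnalysis</Type>
<Type>A-Bank.SecurityUnderwriting</Type></Conflict></ConflictSets></ChineseWall>
<SecurityLabelTemplate><SubjectLabels bootstrap="SystemManagement">
<VirtualMachineLabel><Name>A-Bank</Name>
<SimpleTypeEnforcementTypes><Type>A-Bank</Type></SimpleTypeEnforcementTypes>
<ChineseWallTypes><Type>A-Bank</Type></ChineseWallTypes></VirtualMachineLabel>
<VirtualMachineLabel><Name>B-Bank</Name>
<SimpleTypeEnforcementTypes><Type>B-Bank</Type></SimpleTypeEnforcementTypes>
<ChineseWallTypes><Type>B-Bank</Type></ChineseWallTypes></VirtualMachineLabel>
<VirtualMachineLabel><Name>A-Bank.MarketAnalysis</Name>
<SimpleTypeEnforcementTypes><Type>A-Bank.MarketAnalysis</Type></SimpleTypeEnforcementTypes>
<ChineseWallTypes><Type>A-Bank</Type><Type>A-Bank.MarketAnalysis</Type></ChineseWallTypes>
</VirtualMachineLabel></SubjectLabels><ObjectLabels>
<ResourceLabel><Name>A-Bank</Name>
<SimpleTypeEnforcementTypes><Type>A-Bank</Type></SimpleTypeEnforcementTypes></ResourceLabel>
<ResourceLabel><Name>B-Bank</Name>
<SimpleTypeEnforcementTypes><Type>B-Bank</Type></SimpleTypeEnforcementTypes></ResourceLabel>
</ObjectLabels></SecurityLabelTemplate></SecurityPolicyDefinition>"""

def _types(label, section):
    """Names listed under one <...Types> section of a label element."""
    return {t.text for t in label.findall("p:%s/p:Type" % section, NS)}

def load_policy(xml_text):
    """Parse the policy into (vm_labels, resource_labels, conflict_sets)."""
    root = ET.fromstring(xml_text)
    by_name = lambda tag: {l.find("p:Name", NS).text: l
                           for l in root.iterfind(".//p:" + tag, NS)}
    conflicts = [{t.text for t in c.findall("p:Type", NS)}
                 for c in root.iterfind(".//p:Conflict", NS)]
    return by_name("VirtualMachineLabel"), by_name("ResourceLabel"), conflicts

def ste_allows(policy, vm_label, res_label):
    """STE: a domain may use a resource only if their STE type sets intersect."""
    vms, res, _ = policy
    return bool(_types(vms[vm_label], "SimpleTypeEnforcementTypes")
                & _types(res[res_label], "SimpleTypeEnforcementTypes"))

def chwall_allows(policy, new_vm_label, running_vm_labels):
    """Chinese Wall: a running domain that shares a type with a conflict set
    blocks that set's other types; identically typed domains may co-exist."""
    vms, _, conflicts = policy
    new = _types(vms[new_vm_label], "ChineseWallTypes")
    running = [_types(vms[r], "ChineseWallTypes") for r in running_vm_labels]
    return not any(cs & run and (cs & new) - run
                   for run in running for cs in conflicts)
```

With the page's labels, ste_allows(P, "A-Bank", "A-Bank") is true while chwall_allows(P, "B-Bank", ["A-Bank"]) is false, matching the successful disk access and the "Domain in conflict set with running domain" failure seen above.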


Chapter 3. Errors Encountered and Solutions
1. Tools compilation failed, reporting that the check_python_devel check failed; this is a bug.

Solution: modify the /xen/tools/check/check_python_devel file to remove the check inside it.

2. Tools compilation failed, reporting undefined reference to symbol 'timer_settime@@GLIBC_2.3.3'

Solution: following the instructions in http://stackoverflow.com/questions/18286738/undefined-reference-to-symbol-timer-settimeglibc-2-3-3, change LIBS+=-lm in /xen/tools/ioemu-remote/Makefile.target to LIBS+=-lz -lrt -lm


3. Tools compilation failed, reporting xg_main.c:181:52: error: 'ulong' undeclared (first use in this function)

Solution: refer to http://lists.xen.org/archives/html/xen-devel/2012-12/msg00429.html

Modify /xen/tools/debugger/gdbsx/xg/xg_main.c and add #include <sys/types.h> at the beginning of the file.


4. Tools compilation failed, reporting ocamlfind: command not found

Solution: apt-get install ocaml-findlib


5. Tools compilation failed, reporting Error: Unbound module Xenbus

Solution: at line 118 of /xen/tools/ocaml/xenstored/connection.ml, comment out the three lines and add let is_backend_mmap con = false


6. How to record video in Ubuntu

Solution: use Kazam for video recording, as follows:

apt-get install kazam
apt-get install pulseaudio
pulseaudio (start the PulseAudio server)
kazam (run the video recording software)

Chapter 4. References

[1] List of Ubuntu releases. http://en.wikipedia.org/wiki/List_of_Ubuntu_releases#Table_of_versions

[2] Installing Xen 4 on Ubuntu 12.04. http://www.cppblog.com/LIULIANG/archive/2012/09/21/191481.html

[3] XEND. http://wiki.xen.org/wiki/XEND

[4] Installing Xen 4.0.1 on Ubuntu 10.04 (with GRUB2). http://www.codesky.net/article/201107/174124.html

[5] How to install Ubuntu from a USB drive. http://jingyan.baidu.com/article/a3761b2b66fe141577f9aa51.html
