Applying Netlabel to Network Access Control in a Virtualized Environment

Open Access
Kamath, Radhesh Muralidhara
Graduate Program:
Computer Science and Engineering
Master of Science
Document Type:
Master Thesis
Date of Defense:
April 28, 2008
Committee Members:
  • Trent Ray Jaeger, Thesis Advisor
Keywords:
  • network security
  • virtualization
  • security
  • system security
We consider the problem of transmitting authorization data in a distributed environment composed of applications hosted on paravirtualized Virtual Machines. The current mechanism, called Labeled IPSec, relies upon IPSec to provide secure communication channels to applications, while implicitly transferring authorization data between communication endpoints. However, Labeled IPSec incurs heavy performance penalties and hinders the scalability of Mandatory Access Control of Network Communication, because it does not leverage the underlying mechanisms offered by the hypervisor and Virtual Machine kernels to provide secure communication channels. We exploit the Netlabel mechanism provided by the Linux kernel to transmit authorization data in packets, while leveraging the Trusted Computing Base composed of the Xen hypervisor, the paravirtualized guest kernels, and Dom-0 to isolate and protect network communication. To test our claim that the Netlabel mechanism is more efficient than Labeled IPSec, we build a prototype that consists of modified guest kernels and a modified Dom-0 kernel, along with user-space tools in Dom-0 that enable monitoring and dynamic control of the packet labeling state on guests. Using micro-benchmarks that measure the impact of labeling on performance measures such as latency and bandwidth, we provide a quantitative comparison of Labeled IPSec and Netlabel in various communication scenarios. We find that Netlabel consistently outperforms Labeled IPSec on all performance measures, validating our claim that authorization data can be transmitted at lower cost using Netlabel while relying on the TCB to protect network traffic in transit.
While we conclude that Netlabel can be applied successfully to provide Mandatory Access Control of Network Communication, we also believe that more extensive performance analyses, better support for security-aware applications, and a standardized policy management interface will go a long way toward securing applications.
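The abstract says Netlabel carries authorization data "in packets" but does not show what that data looks like on the wire; for IPv4, the Linux NetLabel subsystem uses the CIPSO IP option (option type 134), whose body is a Domain of Interpretation followed by label tags. The following added example, which is not code from the thesis or its prototype, encodes and parses a CIPSO option carrying one tag type 1 (sensitivity level plus restrictive category bitmap) label, with the same header checks a receiving kernel applies; the DOI, level and category values are constructed sample data.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

CIPSO_OPTION_TYPE = 134  # IPv4 option number used by CIPSO (NetLabel's IPv4 carrier)


@dataclass
class CipsoLabel:
    doi: int
    level: Optional[int] = None
    categories: List[int] = field(default_factory=list)


def build_cipso_option(doi: int, level: int, categories: List[int]) -> bytes:
    """Encode a CIPSO option with a single tag type 1 (constructed sample data)."""
    nbytes = (max(categories) // 8 + 1) if categories else 0
    bitmap = bytearray(nbytes)
    for c in categories:
        bitmap[c // 8] |= 0x80 >> (c % 8)          # category 0 is the MSB of the first octet
    tag = bytes([1, 4 + nbytes, 0, level]) + bytes(bitmap)  # [type][len][align=0][level][bitmap]
    body = struct.pack("!I", doi) + tag
    return bytes([CIPSO_OPTION_TYPE, 2 + len(body)]) + body


def parse_cipso_option(opt: bytes) -> CipsoLabel:
    """Parse one CIPSO IPv4 option, accepting only tag type 1 and rejecting malformed input."""
    if len(opt) < 6 or opt[0] != CIPSO_OPTION_TYPE:
        raise ValueError("not a CIPSO option")
    length = opt[1]
    if length != len(opt) or length > 40:           # IPv4 options never exceed 40 bytes
        raise ValueError("bad CIPSO option length")
    doi = struct.unpack("!I", opt[2:6])[0]
    if doi == 0:
        raise ValueError("DOI 0 is reserved")
    label = CipsoLabel(doi=doi)
    pos = 6
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated tag header")
        tag_type, tag_len = opt[pos], opt[pos + 1]
        if tag_len < 4 or pos + tag_len > length:
            raise ValueError("bad tag length")
        if tag_type != 1:
            raise ValueError(f"unsupported tag type {tag_type}")
        if opt[pos + 2] != 0:
            raise ValueError("alignment octet must be zero")
        label.level = opt[pos + 3]
        bitmap = opt[pos + 4:pos + tag_len]
        if len(bitmap) > 30:                        # tag type 1 allows at most 240 categories
            raise ValueError("category bitmap too long")
        label.categories = [i * 8 + b for i, byte in enumerate(bitmap)
                            for b in range(8) if byte & (0x80 >> b)]
        pos += tag_len
    return label
```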