sHype is a hypervisor security architecture developed by IBM Research over the last two years. It is available as an integral part of the Xen open-source hypervisor and is being integrated into IBM Power Hypervisors. sHype originally builds on the advantages of the emerging and broadly available hardware support for virtualization by providing simple system-independent and robust security policies for distributed workloads. It controls the use of virtual resources and communication across multiple platforms and provides a secure foundation for server platforms, such as strong isolation, mediated sharing between virtual machines, attestation and integrity guarantees for the hypervisor and its virtual machines, resource control, and secure services.
In this talk, I will briefly introduce the sHype access control framework and its implementation in the Xen hypervisor. The main part of the talk will focus on layering operating system security policies on top of sHype to achieve finer-grained security, e.g., to bridge peer sHype systems to build distributed reference monitors or to leverage sHype to offer multi-level security policies to virtual domains. If desired, I can offer a small demonstration of how quickly and easily sHype workload protection policies can be created in Xen.
Gates 4B (opposite 490)