Funding: This work was supported by the National Key Basic Research and Development Plan (973 Plan) of China (No. 2007CB310900) and the National Natural Science Foundation of China (No. 90612018, 90715030 and 60970008).
Abstract: At present, there are few security models which control the communication between virtual machines (VMs). Moreover, these models are not applicable to multi-level security (MLS). In order to implement mandatory access control (MAC) and MLS in virtual machine systems, this paper designs the Virt-BLP model, which is based on the BLP model. To account for the distinction between virtual machine systems and non-virtualized systems, we build the elements and security axioms of the Virt-BLP model by modifying those of BLP. Moreover, compared with BLP, the number of state transition rules of Virt-BLP is reduced accordingly, and some rules can only be enforced by a trusted subject. As a result, the Virt-BLP model supports MAC and partial discretionary access control (DAC), satisfying the requirements of MLS in virtual machine systems well. As space is limited, the implementation of our MAC framework will be shown in a continuation.
Funding: the High Technology Research and Development Program of China
Abstract: Certificate Authority (CA) is the core of public key infrastructure. However, the traditional structure of CA is either hierarchical or reticular, and neither of them is suitable for the security requirements that come from the new trend in enterprise cooperation, namely the virtual enterprise (VE). In this paper a new idea, the virtual certificate authority (VCA), is proposed, as well as its implementation. The goal of VCA is to provide a global certificate service over the virtual enterprise while keeping the CA of each participant intact as much as possible. Unlike PEM, PGP, and BCA, by using a secret sharing scheme, the virtual CA avoids the need for a TTP and supports the virtual enterprise's dynamic construction and destruction.
Funding: supported under the National High Technology Research and Development Program (863) of China (No. 2015AA016101), the National Natural Science Funds (No. 61300184 and 61302089) and the Beijing Nova Program (No. Z151100000315078)
Abstract: Network services today require extreme agility and mobility; however, traditional IP infrastructures are so rigid that they cannot fit services well. A way should be put forward to automate the network to improve responsiveness to change. SDN and network virtualization (NV) are two of the hottest approaches to making networking more automated and scalable to support virtualized and cloud environments. Network virtualization combines hardware and software network resources and network functionality into a single virtual network. SDN is created to simplify traffic management and achieve operational efficiencies by establishing and exercising central control over packet forwarding. In this paper, we focus on the situation where an SDN controller needs to connect two virtual networks temporarily. We put forward three algorithms to try to make this connection more effective and evaluate these three algorithms.