TWC: Small: XCap: Practical Capabilities and Least Authority for Virtualized Environments

TWC：小型：XCap：虚拟化环境的实用功能和最小权限

• 批准号: 1319076
• 负责人: John Regehr
• 金额: $ 49.99万
• 依托单位: University of Utah
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-10-01 至 2017-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1319076&HistoricalAwards=false
• 关键词: TWC; Small; XCap; Practical; Capabilities

Modern software systems inherit their architecture, software development methodology, and security model from time-sharing operating systems developed four decades ago. Desktop, server, cloud, and even industrial control systems rely on a large stack of commercial off-the-shelf software that runs on top of a monolithic operating system kernel. Each application runs with the full set of privileges of some user, has access to the entire file space of that user, and can access the complete interface of a complex operating system kernel, and a number of privileged systems components. The security model exposed by existing software systems is fundamentally too weak; it fails to provide adequate isolation between computations.XCap is a secure environment for least-authority execution of applications and system services. Unmodified, untrusted, off-the-shelf applications, running on untrusted operating systems, are isolated by a virtual machine monitor. XCap builds on two principles: strong isolation and secure collaboration. XCap's default -- a share nothing environment -- is augmented by a capability access control model: a clean and general abstraction, enabling fine-grained delegation of rights in a flexible and manageable way. In XCap, capabilities serve as a general foundation for constructing least privilege services out of existing components of the traditional operating system stack. XCap maximizes the principle of least authority: it redesigns common operating system services in such a way that the authority of individual applications and services is minimized. Each component possesses the smallest subset of rights required to accomplish its task.

现代软件系统继承了四十年前开发的分时操作系统的体系结构、软件开发方法和安全模型。桌面、服务器、云甚至工业控制系统都依赖于一大堆商业现成软件，这些软件在单片操作系统内核上运行。每个应用程序以某个用户的全套特权运行，可以访问该用户的整个文件空间，并且可以访问复杂操作系统内核的完整界面和许多特权系统组件。现有软件系统暴露的安全模型从根本上来说太弱了，它无法在计算之间提供足够的隔离。XCap是一个以最小权限执行应用程序和系统服务的安全环境。在不受信任的操作系统上运行的未经修改、不受信任的现成应用程序由虚拟机监视器隔离。XCAP建立在两个原则之上：强大的隔离和安全的协作。XCAP的默认环境--无共享环境--被一个功能访问控制模型所增强：一个干净而通用的抽象，支持以灵活和可管理的方式进行细粒度的权限委派。在XCap中，功能充当从传统操作系统堆栈的现有组件构建最低特权服务的一般基础。XCAP最大化了最小权限原则：它以最小化个别应用程序和服务的权限的方式重新设计了常见的操作系统服务。每个组件都拥有完成其任务所需的最小权限子集。