A Layered Approach to Simplified Access Control in Virtualized Systems

In this paper, the authors show how the abstraction layer created by a hypervisor, or virtual machine monitor, can be leveraged to reduce the complexity of mandatory access control policies throughout the system. Policies governing access control decisions in today's systems are complex and monolithic. Achieving strong security guarantees often means restricting usability across the entire system, which is a primary reason why mandatory access controls are rarely deployed. Their architecture uses a hypervisor and multiple virtual machines to decompose policies into multiple layers.