Networking, Inter-Partition Communication
Communication between partitions is a key requirement for virtualized systems since there is always a need to transfer data and control from trusted partitions to non-trusted partitions. For security reasons, the hypervisor tightly controls the allowed communication and data access amongst partitions, based on the system security policy and system configuration. One mechanism for communications is Secure Inter-Process Communication (Secure IPC or SIPC).
Figure 2 shows an example of using SIPC between partitions. SIPC uses unidirectional channels (to prevent back channels) and can provide both asynchronous and synchronous message passing.
Figure 2. Secure IPC (SIPC) between partitions.
Protected communication to the outside world—either through a dedicated private network or the public Internet—is another critical requirement for smart grid devices, as these devices must transmit sensitive billing, usage, and control information back to the grid.
One approach to protecting this data is to use a high-assurance network stack that creates Multiple Single-Level (MSL) networking. This approach supports many different levels of security over the same connection, but connections at different levels of security are always kept separate. Using this approach, secure information can be kept separate from non-secure information within the smart grid device and outside in the grid communication network.
Figure 3 shows such an architecture, where a high-assurance network stack residing in a dedicated trusted partition analyzes and distributes packets to the rest of the system. Tags, such as those described by 802.1Q for virtual LANs, are used to indicate destinations of packets going in and out of the device. In this manner, secure data can be verified and isolated from general-purpose traffic.
Figure 3. High Assurance Network Stack for network communication.
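To make the tag-based distribution concrete, the following is an added example (not code from the original article or from any real hypervisor's network stack) in which the trusted network partition parses the 802.1Q tag of an incoming frame and maps its VLAN ID to exactly one destination partition under a default-deny table. The VID-to-partition table, the partition names, and the MAC addresses are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier of a customer VLAN tag

# Constructed policy (an assumption for this example): which VLAN IDs the
# trusted network partition may deliver to which guest. Unlisted VIDs are dropped.
VID_TO_PARTITION = {
    100: "billing",   # sensitive metering and billing traffic
    200: "control",   # grid control messages
    300: "general",   # general-purpose, non-secure traffic
}

@dataclass(frozen=True)
class Demux:
    partition: str
    vid: int
    ethertype: int
    payload: bytes

def parse_tag(frame: bytes):
    """Return (vid, inner_ethertype, payload), or None if untagged or malformed."""
    if len(frame) < 18:          # dst(6) + src(6) + TPID(2) + TCI(2) + EtherType(2)
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None              # untagged frame carries no destination label
    vid = tci & 0x0FFF           # low 12 bits of the TCI are the VLAN ID
    if vid in (0, 4095):         # 0 = priority-only tag, 4095 = reserved
        return None
    return vid, ethertype, frame[18:]

def demux(frame: bytes) -> Optional[Demux]:
    """Policy check in the trusted partition: map a frame to exactly one guest."""
    parsed = parse_tag(frame)
    if parsed is None:
        return None
    vid, ethertype, payload = parsed
    partition = VID_TO_PARTITION.get(vid)
    if partition is None:
        return None              # unknown VID: drop rather than guess a destination
    return Demux(partition, vid, ethertype, payload)

def build_frame(vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Constructed helper: build a minimal 802.1Q-tagged frame for testing."""
    hdr = b"\x02" * 6 + b"\x04" * 6  # constructed destination and source MACs
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload
```

Frames that are untagged, carry a reserved VID, or carry a VID absent from the table are dropped rather than delivered, so a guest partition only ever sees traffic at its own level.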
Using a dedicated trusted partition for the network stack protects the rest of the system from network attacks and limits the covert channels available to would-be attackers. Since the network stack is isolated from the rest of the system, it is easier to test, diagnose, verify, and validate. Although the stack itself remains exposed to attacks from the outside world, isolation and thorough validation provide more secure communications.