IBM Research Report DeuTeRiuM - A System for Distributed Mandatory Access Control

We define and demonstrate an approach to securing distributed computation based on a distributed, trusted reference monitor (DTRM) that enforces mandatory access control (MAC) policies across machines. Securing distributed computation is difficult because of the asymmetry of trust among the computing environments involved and because of the complexity of managing MAC policies across machines, when such policies are already complex for a single machine (e.g., the Fedora Core 4 SELinux policy). We leverage recent work in three areas as the basis for our solution: (1) remote attestation, to establish mutual acceptance of each party's reference monitoring function; (2) virtual machines, to simplify the reference monitor design and the MAC policies it enforces; and (3) IPsec with MAC labels, to protect and authorize commands sent between machines. We define a distributed computing architecture based on these mechanisms and show how the guarantees of a local reference monitor can be attained for a distributed reference monitor. We implement a prototype on the Xen hypervisor with a trusted MAC VM built on Linux 2.6; its reference monitor design requires only 13 authorization checks, of which only 5 apply to normal processing (the others are for policy setup). This prototype enforces MAC between machines using IPsec extensions that label secure communication channels. We show that, through our architecture, distributed computations can be protected and controlled coherently across all the machines involved in the computation.
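As an added illustration, and not code from the IBM report or the DeuTeRiuM prototype, the following Python model ties together the three mechanisms the abstract combines: attestation that gates which remote reference monitors a node will accept, a labeled channel between accepted peers standing in for a MAC-labeled IPsec security association, and a local MAC policy that authorizes each incoming command using the channel's label as the subject. Everything in it is constructed for the example: the node names, the `grid_job_t` / `job_output_t` style labels, the two monitor "images", the SHA-256 measurement used in place of a TCG integrity measurement, and the tiny type-enforcement policy. It assumes, as the abstract does, that a peer is trusted only if its monitor measures as known-good and it enforces the same policy.

```python
"""Toy distributed reference monitor (added example, not the DeuTeRiuM code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample data: a good monitor image and a tampered one. In a real
# system the digest would come from an integrity measurement, not a hash of
# a string.
TRUSTED_MONITOR_IMAGE = b"mac-vm-reference-monitor-v1"          # assumed good
TAMPERED_MONITOR_IMAGE = b"mac-vm-reference-monitor-v1-backdoor"  # assumed bad


def measure(image: bytes) -> str:
    """Stand-in for an attested measurement of the monitor's code image."""
    return hashlib.sha256(image).hexdigest()


# The set of monitor digests an attester is willing to accept.
KNOWN_GOOD_MONITORS: Set[str] = {measure(TRUSTED_MONITOR_IMAGE)}


@dataclass(frozen=True)
class Rule:
    subject: str  # MAC label of the subject (here: the label of a remote channel)
    obj: str      # MAC label of the object being acted on
    op: str       # operation, e.g. "read" or "write"


@dataclass
class Policy:
    """Type-enforcement style allow list; anything not listed is denied."""
    rules: Set[Rule] = field(default_factory=set)

    def allows(self, subject: str, obj: str, op: str) -> bool:
        return Rule(subject, obj, op) in self.rules

    def digest(self) -> str:
        # Deterministic digest so peers can check they enforce the same policy.
        canonical = "\n".join(sorted(repr(r) for r in self.rules))
        return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Node:
    name: str
    image: bytes
    policy: Policy
    peers: Dict[str, str] = field(default_factory=dict)     # accepted peer -> digest
    channels: Dict[str, str] = field(default_factory=dict)  # peer -> channel label

    def quote(self) -> Tuple[str, str, str]:
        """What this node reports during attestation."""
        return (self.name, measure(self.image), self.policy.digest())

    def accept_peer(self, peer_quote: Tuple[str, str, str]) -> bool:
        """Accept a peer only if its monitor is known-good and its policy matches ours."""
        peer, monitor_digest, policy_digest = peer_quote
        if monitor_digest not in KNOWN_GOOD_MONITORS:
            return False
        if policy_digest != self.policy.digest():
            return False
        self.peers[peer] = monitor_digest
        return True

    def open_channel(self, peer: str, label: str) -> bool:
        """Bind a MAC label to the secure channel with an already-accepted peer."""
        if peer not in self.peers:
            return False
        self.channels[peer] = label
        return True

    def receive(self, peer: str, obj: str, op: str) -> bool:
        """Authorize a command from peer; the subject label comes from the channel,
        never from the message payload, so a peer cannot claim a different label."""
        label = self.channels.get(peer)
        if label is None:
            return False
        return self.policy.allows(label, obj, op)


def run_demo() -> Dict[str, bool]:
    """Exercise the model; every entry should be True."""
    policy = Policy({Rule("grid_job_t", "job_output_t", "write"),
                     Rule("grid_job_t", "job_input_t", "read")})
    other_policy = Policy({Rule("grid_job_t", "secret_t", "read")})
    alice = Node("alice", TRUSTED_MONITOR_IMAGE, policy)
    bob = Node("bob", TRUSTED_MONITOR_IMAGE, policy)
    carol = Node("carol", TRUSTED_MONITOR_IMAGE, other_policy)
    mallory = Node("mallory", TAMPERED_MONITOR_IMAGE, policy)
    r: Dict[str, bool] = {}
    r["mutual_acceptance"] = alice.accept_peer(bob.quote()) and bob.accept_peer(alice.quote())
    r["tampered_monitor_rejected"] = not alice.accept_peer(mallory.quote())
    r["policy_mismatch_rejected"] = not alice.accept_peer(carol.quote())
    r["channel_needs_attestation"] = not alice.open_channel("mallory", "grid_job_t")
    r["channel_opened"] = alice.open_channel("bob", "grid_job_t")
    r["write_output_allowed"] = alice.receive("bob", "job_output_t", "write")
    r["read_secret_denied"] = not alice.receive("bob", "secret_t", "read")
    r["unknown_peer_denied"] = not alice.receive("mallory", "job_input_t", "read")
    return r


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the model is where the subject label lives: it is a property of the authenticated channel established after attestation, so the receiving monitor never trusts a label asserted inside a command, and the same local policy check that would run for a local process runs for a remote one.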
