PSU CSE 543 - Distributed Systems

Shame on Trust in Distributed Systems

Trent Jaeger, Patrick McDaniel, Luke St. Clair
Pennsylvania State University

Ramón Cáceres, Reiner Sailer
IBM T. J. Watson Research Center

1 Introduction

Approaches for building secure, distributed systems have fundamental limitations that prevent the construction of dynamic, Internet-scale systems. In this paper, we propose a concept of a shared reference monitor or Shamon that we believe will provide a basis for overcoming these limitations. First, distributed systems lack a principled basis for trust in the trusted computing bases of member machines. In most distributed systems, a trusted computing base is assumed. However, the fear of compromise due to misconfiguration or vulnerable software limits the cases where this assumption can be applied in practice. Where such trust is not assumed, current solutions are not scalable to large systems [7, 20]. Second, current systems do not ensure the enforcement of the flexible, distributed system security goals. Mandatory access control (MAC) policies aim to describe enforceable security goals, but flexible MAC solutions, such as SELinux, do not even provide a scalable solution for a single machine (due to the complexity of UNIX systems), much less a distributed system. A significant change in approach is necessary to develop a principled trusted computing base that enforces system security goals and scales to large distributed systems.

Our proposal is to develop scalable mechanisms for composing a verifiable reference monitoring infrastructure that spans Internet-wide distributed systems. We refer to a set of reference monitors that provides coherent security guarantees across multiple physical machines as a Shamon¹.

¹ The name is short for Shared Monitor and related to the word shaman, meaning "... a medium ... who practices ... control over natural events" (words removed for effect, not necessarily accuracy).

While this may sound like a mere extension of the well-known reference monitor concept, we propose several key differences: (1) the credentials of secure hardware (e.g., Trusted Computing Group's Trusted Platform Module), rather than users, are used to authenticate individual reference monitoring systems in the Shamon; (2) trust in the Shamon is based on attestation of reference monitoring properties: tamperproofing, mediation, and simplicity of design; (3) virtual machine monitoring is used to establish coarse-grained domains, which results in significant simplification of MAC policies; (4) policy analyses verify that these MAC policies satisfy the Shamon application's security goals when enforced by the Shamon; and (5) based on this restricted definition of trust, a focused logic is defined that enables scalable evaluation of this trust by components of the distributed system that is also resilient to dynamic changes in the application.

The Shamon approach addresses the fundamental challenges described above. First, trust is built from the bottom up via secure hardware credentials that enable attestations of virtual machine-based enforcement for each machine. Second, the MAC policy enforced by the Shamon is used to prove enforcement of system security goals. We define a logical representation for verifying these criteria that enables scalable management of large Shamon even under changes in application configuration. Each of the five tasks that convert a reference monitor into a Shamon presents substantial research challenges, but we aim to demonstrate that each has tractable solution potential and that the resultant Shamon system will provide a foundation for large-scale distributed authorization.
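The following Python sketch is an added illustration of points (1) and (2) above together with the bottom-up trust argument; it is not code from the paper or from the Playpen. A member host measures its VMM and the MAC policy the VMM will enforce into a PCR-style register, then quotes that register under a hardware credential; the Shamon side admits the host only if the credential is registered, the quote is fresh and signed, the measurement log replays to the quoted value, and both the VMM and the policy digests are in sets the verifier already trusts (the policy set standing for policies that policy analysis has verified against the security goals). Assumptions: a two-entry measurement log, SHA-256 extend, and an HMAC under a per-host key in place of the TPM's asymmetric quote signature; every image, policy and key is constructed sample data.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
PCR_INIT = bytes(32)  # PCRs start at zero on reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(measurement)). Order is fixed in
    the result and nothing already extended can be removed, which is what
    makes the quoted value meaningful."""
    return HASH(pcr + HASH(measurement).digest()).digest()


def replay_log(log) -> bytes:
    """Recompute the PCR value that a host's measurement log should produce."""
    pcr = PCR_INIT
    for _name, content in log:
        pcr = extend(pcr, content)
    return pcr


class Host:
    """An attesting member machine. At boot it measures the VMM and the MAC
    policy that VMM will enforce; on request it quotes the PCR under its
    hardware key (assumption: HMAC stands in for a TPM quote signature)."""

    def __init__(self, hw_key: bytes, vmm_image: bytes, mac_policy: bytes):
        self.hw_key = hw_key
        self.log = [("vmm", vmm_image), ("mac-policy", mac_policy)]
        self.pcr = replay_log(self.log)

    def quote(self, nonce: bytes) -> dict:
        sig = hmac.new(self.hw_key, nonce + self.pcr, HASH).digest()
        return {"nonce": nonce, "pcr": self.pcr, "log": list(self.log), "sig": sig}


class ShamonVerifier:
    """Admits a host into the shared reference monitor only when its hardware
    credential, its VMM and its MAC policy all check out."""

    def __init__(self, registered_keys, trusted_vmm, verified_policies):
        self.registered_keys = registered_keys      # host id -> hardware key
        self.trusted_vmm = trusted_vmm              # digests of acceptable VMMs
        self.verified_policies = verified_policies  # digests of policies proven to meet the goals

    def admit(self, host_id: str, nonce: bytes, q: dict):
        key = self.registered_keys.get(host_id)
        if key is None:
            return False, "unknown hardware credential"
        if not hmac.compare_digest(q["nonce"], nonce):
            return False, "nonce mismatch (replayed quote)"
        expected = hmac.new(key, nonce + q["pcr"], HASH).digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return False, "quote signature invalid"
        if replay_log(q["log"]) != q["pcr"]:
            return False, "measurement log does not replay to quoted PCR"
        measured = dict(q["log"])
        if HASH(measured["vmm"]).hexdigest() not in self.trusted_vmm:
            return False, "VMM not in trusted set"
        if HASH(measured["mac-policy"]).hexdigest() not in self.verified_policies:
            return False, "MAC policy not verified against security goals"
        return True, "admitted to Shamon"


def demo() -> dict:
    """Run the verifier against an honest host and four ways of failing.
    All images, policies and keys below are constructed sample data."""
    good_vmm = b"vmm-image-v1"
    good_policy = b"allow classroom_coalition_t student_vm_t:socket connect;"
    key_a = os.urandom(32)
    verifier = ShamonVerifier(
        registered_keys={"host-A": key_a},
        trusted_vmm={HASH(good_vmm).hexdigest()},
        verified_policies={HASH(good_policy).hexdigest()},
    )
    results = {}

    honest = Host(key_a, good_vmm, good_policy)
    nonce = os.urandom(16)
    results["honest"] = verifier.admit("host-A", nonce, honest.quote(nonce))

    # Same hardware, but the MAC policy was edited locally: the PCR changes
    # honestly and the policy digest is not one that policy analysis verified.
    edited = Host(key_a, good_vmm, good_policy + b" allow student_vm_t admin_t:file write;")
    nonce = os.urandom(16)
    results["edited_policy"] = verifier.admit("host-A", nonce, edited.quote(nonce))

    # Replay: an old, validly signed quote presented for a fresh challenge.
    old_quote = honest.quote(os.urandom(16))
    results["replayed"] = verifier.admit("host-A", os.urandom(16), old_quote)

    # Forged log: keep the honest PCR and signature but lie in the log.
    nonce = os.urandom(16)
    forged = dict(honest.quote(nonce))
    forged["log"] = [("vmm", good_vmm), ("mac-policy", b"allow everything;")]
    results["forged_log"] = verifier.admit("host-A", nonce, forged)

    # A machine with no registered hardware credential at all.
    nonce = os.urandom(16)
    stranger = Host(os.urandom(32), good_vmm, good_policy)
    results["unknown_host"] = verifier.admit("host-Z", nonce, stranger.quote(nonce))
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:14s} {'ADMIT' if ok else 'REJECT'}: {why}")
```

The check order matters: the credential and signature are verified before the log is trusted at all, and the log is only used once it replays to the signed PCR, so a host cannot talk its way in by describing a better configuration than the one it booted. The edited-policy case shows the other half of the paper's argument: a correctly signed, correctly measured host is still rejected when its policy is not one that has been verified against the application's security goals.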
To motivate its design, we introduce our prototype application of the Shamon in the following section.

2 Application

The Playpen is a Xen-based, virtual machine (VM) environment for the students taking security courses at Pennsylvania State University. Each student is given their own virtual machines in the Playpen. Over the course of the semester, students are required to configure and build security apparatus to defend their machines against attacks from the faculty and TAs. The isolation, persistence, and mobility of the VM environment provide ideal conditions for pedagogy: users can experiment with security apparatus under the controlled environment.

The current Playpen is the prototype for a larger project supporting wide-area mobile and secure computing environments. The long-term goal is to extend the Playpen to encompass all aspects of university life. In this, a user would be given one or more virtual machines that would migrate to the location where they are working. The central challenge of this work is to support the users' ability to move freely within the university environment. The system must securely support arbitrary migration to previously unknown hardware at a previously unknown location and share data with previously unknown collaborators. Note that while the environment aims at a single university system, we are not centrally administered: there is different administration at each campus, and some departments also administer their own machines.

Consider a typical day of Alice the graduate student in this new university. She wakes up at noon and goes to class. Alice joins a live coalition of class participants by logging into a host in her classroom. She exits the coalition at the end of class, and at lunch she surfs the Internet and exchanges personal communication within her protected environment at the local student union. After lunch, she heads to the laboratory and performs research and shares data with the other graduate students. At the end of the day, she meets with her advisor and shares summary data and exchanges results. She heads home and plays a massively multiplayer game with thousands of other gamers until dawn over the Internet.

Such is the nature of university life. The "roles" of Alice's computing environment and the environments in which she interacts evolve constantly: from class participant, personal communication, researcher, advisee, and gamer. Moreover, the set of hosts to which she has an association is also changing. What is interesting here is not that this somehow changes the way Alice lives, but that her computing environment follows her throughout her life.

The security challenges of this environment are non-trivial. The physical machines within the open university environment are largely unknown and often compromised.² The applications are as diverse as the environments in