DeuTeRiuM - A System for Distributed Mandatory Access Control

LIMITED DISTRIBUTION NOTICE: This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g. , payment of royalties). Copies may be requested from IBM T. J. Abstract We define and demonstrate an approach to securing distributed computation based on a distributed, trusted reference monitor (DTRM) that enforces mandatory access control (MAC) policies across machines. Securing distributed computation is difficult because of the asymmetry of trust in different computing environments and the complexity of managing MAC policies across machines, when they are already complex for one machine (e.g., Fedora Core 4 SELinux policy). We leverage recent work in three areas as a basis for our solution: (1) remote attestation as a basis to establish mutual acceptance of reference monitoring function; (2) virtual machines to simplify reference monitor design and the MAC policies enforced; and (3) IPsec with MAC labels to ensure the protection and authorization of commands across machines. We define a distributed computing architecture based on these mechanisms and show how local reference monitor guarantees can be attained for a distributed reference monitor. We implement a prototype system on the Xen hypervisor with a trusted MAC VM built on Linux 2.6 whose reference monitor design requires only 13 authorization checks, only 5 of which apply to normal processing (others are for policy setup). This prototype enforces MAC between machines using IPsec extensions that label secure communication channels. We show that, through our architecture, distributed computations can be protected and controlled coherently across all the machines involved in the computation.