DeuTeRiuM – A System for Distributed Mandatory Access Control

Jonathan McCune
Carnegie Mellon University
USA

Stefan Berger
IBM
USA

Ramon Caceres
IBM
USA

Trent Jaeger
Pennsylvania State University
USA

Reiner Sailer
IBM
USA

We define and demonstrate an approach to securing distributed
computation based on a distributed, trusted reference monitor
(DTRM) that enforces mandatory access control (MAC) policies
across machines. The DTRM enables local reference monitor guarantees
to be attained for a distributed reference monitor. We implement
a prototype system on the Xen hypervisor with a trusted
MAC virtual machine built on Linux 2.6 whose reference monitor
design requires only 13 authorization checks, only 5 of which apply
to normal processing (others are for policy setup). We show that,
through our architecture, distributed computations can be protected
and controlled coherently across all the machines involved in the
computation.

Keywords: mandatory access control (MAC), sHype, type enforcement, SELinux, attestation, trusted computing, distributed systems
