CT-IS: Shamon: Systems Approaches for Constructing Distributed Trust

Award #: 0627551
Amount Awarded: $400,000
Sponsoring Organization: NSF (CNS)
Grant Period: 2006-2010
Primary Investigator(s): Trent Jaeger (Co-PI) and Patrick McDaniel (Co-PI)


Existing distributed authorization systems focus on the formulation of policy, but enforcement remains a per-host issue. Failure of any component to faithfully enforce policy can lead to vulnerabilities, and in the extreme, renders authorization impotent. Without greater assurance in the integrity of authorization enforcement, that scales to Internet-wide applications, reliable, distributed authorization cannot be built.

The Shared Reference Monitor (Shamon) project leverages advances in integrity measurement and virtual machines to compose a coherent authorization system for distributed applications. A Shamon consists of a set of reference monitors on multiple, physical machines that are integrity-verified to enforce a consistent security policy across virtual machines that define an application. The use of virtual machines provides coarse-grained isolation that simplifies security policy for large-scale distributed systems, and the integrity measurement ensures that each member of the Shamon can verify that the others are enforcing this policy.

The Shamon project focuses on building the services to compose and maintain such shared reference monitors. First, a logic-based approach is defined that enables composition of trust in the enforcement of a consistent policy by the Shamon reference monitors. Such trust composition will be robust in the presence of system dynamics including the joining, leaving and migration of virtual machines. Second, the Xen hypervisor system is augmented with these trust composition services. In this way, monitored applications will only communicate with systems whose regulation is consistent with its Shamon policy.

Related Research Projects

Virtual Machines

Related Publications

Trent Jaeger, Reiner Sailer, and Yogesh Sreenivasan, Managing the Risk of Covert Information Flows in Virtual Machine Systems. ACM Symposium on Access Control Models and Technologies (SACMAT), June 2007.

Jonathon McCune, Stefan Berger, Ramon Caceres, Trent Jaeger, and Reiner Sailer. Shamon: A system for distributed mandatory access control. In Proceedings of the 2006 Annual Computer Security Applications Conference, December 2006.

Trent Jaeger, Patrick McDaniel, Luke St.Clair, Ramon Caceres, and Reiner Sailer, Shame on Trust in Distributed Systems. Proceedings of the First Workshop on Hot Topics in Security (HotSec '06), July 2006. [Full Paper: pdf]