Virtual Machines
This research explores:

  1. Enforcing coherent mandatory access control (MAC) policies across a distributed system composed of virtual machines
  2. Leveraging secure hardware to build trust in a distributed, shared reference monitor that implements the MAC enforcement across the distributed system
  3. Enabling scalable, efficient, and practical management of this trust across systems of Internet scale

Mandatory access control (MAC) has the desirable feature that it cannot be circumvented by users or their programs, so it is possible to verify that specific security goals will be enforced. MAC policies are enforced by reference monitors that mediate all security-sensitive accesses and authorize those accesses based on the MAC policy. Current approaches to MAC enforcement are limited in scope, either in flexibility (e.g., MLS only) or in breadth (e.g., SELinux focuses on one machine), and lack a basis for trust in the reference monitors across a distributed system. This project investigates the development of a distributed, shared reference monitor that enforces MAC policies across a set of machines, leveraging virtual machine systems and secure hardware foundations. Two key insights are: (1) MAC enforcement at the virtual machine (VM) level results in much simpler enforcement mechanisms and policies than at the OS level, and (2) the development of trust in MAC enforcement (i.e., the reference monitor and policies) based on secure hardware (e.g., the Trusted Computing Group's Trusted Platform Module) is possible across all systems.
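To make the reference-monitor idea concrete, the following is an added example and not the project's own Shamon code. It models one node's copy of a shared MAC policy that combines type-enforcement allow rules with MLS dominance (the two policy styles contrasted above), forces every VM-to-VM access through a single `mediate()` choke point, and hashes the rule set so two nodes can confirm they enforce the same policy. All VM names, labels and rules are constructed for illustration.

```python
"""Toy distributed reference monitor (added example, not project code).

Every node loads the same TE rules and VM labels; an access is allowed only
if a TE rule permits it AND the MLS dominance check passes.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Rule = Tuple[str, str, str]  # (source TE type, target TE type, operation)


@dataclass(frozen=True)
class Label:
    te_type: str                # type-enforcement type of the VM
    level: int                  # MLS sensitivity level; higher is more sensitive
    categories: FrozenSet[str]  # MLS compartments


def dominates(a: Label, b: Label) -> bool:
    """MLS dominance: a's level >= b's and a's compartments contain b's."""
    return a.level >= b.level and b.categories <= a.categories


def policy_digest(rules: Iterable[Rule]) -> str:
    """Canonical SHA-256 of the TE rules; equal digests mean a common policy."""
    canonical = "\n".join(",".join(r) for r in sorted(rules))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ReferenceMonitor:
    """One node's instance of the shared reference monitor."""

    def __init__(self, rules: Iterable[Rule], labels: Dict[str, Label]):
        self.rules = frozenset(rules)
        self.labels = dict(labels)
        self.audit: List[Tuple[str, str, str, bool]] = []

    def mediate(self, subject_vm: str, object_vm: str, op: str) -> bool:
        """Authorize one access; this is the only path by which VMs interact."""
        s = self.labels[subject_vm]
        o = self.labels[object_vm]
        te_ok = (s.te_type, o.te_type, op) in self.rules
        if op == "read":
            mls_ok = dominates(s, o)   # no read up: subject must dominate object
        elif op == "write":
            mls_ok = dominates(o, s)   # no write down: object must dominate subject
        else:
            mls_ok = False             # unknown operations are denied by default
        decision = te_ok and mls_ok
        self.audit.append((subject_vm, object_vm, op, decision))
        return decision


# Constructed sample policy: a web front end, a finance database, and an auditor.
LABELS = {
    "web_vm": Label("web_t", 0, frozenset()),
    "db_vm": Label("db_t", 1, frozenset({"finance"})),
    "audit_vm": Label("audit_t", 2, frozenset({"finance"})),
}
TE_RULES = {
    ("web_t", "db_t", "write"),
    ("web_t", "db_t", "read"),     # permitted by TE but blocked by MLS (read up)
    ("audit_t", "db_t", "read"),
}


def demo() -> Dict[str, bool]:
    """Two nodes share one policy and reach the same decisions."""
    node_a = ReferenceMonitor(TE_RULES, LABELS)
    node_b = ReferenceMonitor(TE_RULES, LABELS)
    assert policy_digest(node_a.rules) == policy_digest(node_b.rules)
    return {
        "web_writes_db": node_a.mediate("web_vm", "db_vm", "write"),   # True
        "web_reads_db": node_a.mediate("web_vm", "db_vm", "read"),     # False: read up
        "audit_reads_db": node_b.mediate("audit_vm", "db_vm", "read"), # True
        "db_reads_web": node_b.mediate("db_vm", "web_vm", "read"),     # False: no TE rule
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The `web_reads_db` case shows why both layers matter: TE grants the access, but MLS denies it because a level-0 subject may not read a level-1 object. The `db_reads_web` case is the reverse, MLS would allow it but no TE rule exists. The audit list records every decision, which is what lets a verifier later check that the monitor mediated all accesses rather than just the ones it allowed.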

Further, we believe that trust must be composed in a scalable manner across the distributed system and be maintained under common changes (e.g., VM migration). We are developing a logic specific to developing and maintaining trust across a distributed system which leverages different layers of knowledge (VM, machine, distributed system) to enable efficient reasoning and maintenance of trust. A way to express trust and prove properties of trust efficiently will be vital to the ability to build secure, distributed systems of Internet scale.

As a first step toward maintaining trust across different systems, we have developed the "Root of Trust Installer" (ROTI). The ROTI installs a high-integrity system and enables a third party to verify both that the system was in fact installed from the trusted ROTI and that the integrity of the system has been preserved. The ROTI is used as the base for the individual nodes of a distributed system that enforce a common MAC policy. Our ROTI is built on a popular Linux distribution installer, to which we added several custom packages and scripts to ensure that the necessary integrity guarantees are preserved.

The installer for the individual nodes is based on the standard Ubuntu Linux Server installation image. To this image, we add a new kernel that leverages the TPM during the install process. The installer also includes application packages, some of which we rebuilt to use the TPM. A post-installation script handles the remaining functions deemed necessary for the root-of-trust installation, such as hardware initialization (of the TPM) and taking system measurements. The installation has been completely automated to prevent tampering during the installation.
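The ROTI procedure above (measure the installer components into the TPM, then let a third party check the result) can be illustrated with the following added example; it is not the project's ROTI code. It simulates the TPM 1.2 PCR extend operation, measures a constructed list of install artifacts (image, TPM-aware kernel, rebuilt package, post-install script) into a PCR, and then performs the verifier's side: replay the measurement log against a known-good table and compare with the attested PCR value. The TPM's signed quote over the PCR is assumed to have been checked separately and is not modelled.

```python
"""Root-of-trust install measurement and verification (added example).

Assumptions: a single SHA-1 PCR as in TPM 1.2, a measurement log kept by the
installer, and a verifier holding known-good digests of each ROTI component.
The component contents below are constructed stand-ins, not real files.
"""
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 20  # SHA-1 PCR width in bytes

LogEntry = Tuple[str, bytes]  # (component name, SHA-1 measurement)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def measure(content: bytes) -> bytes:
    """Measurement of a component is the SHA-1 of its contents."""
    return hashlib.sha1(content).digest()


# Constructed install artifacts in the order the installer processes them.
ROTI_COMPONENTS: List[Tuple[str, bytes]] = [
    ("installer-image", b"ubuntu-server-install-image (constructed)"),
    ("tpm-kernel", b"vmlinuz built with TPM measurement support (constructed)"),
    ("rebuilt-package", b"application package rebuilt to use the TPM (constructed)"),
    ("post-install-script", b"#!/bin/sh\n# init TPM and record system measurements\n"),
]


def install_and_measure(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[LogEntry]]:
    """Installer side: measure each component into the PCR and keep a log."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros after reset
    log: List[LogEntry] = []
    for name, content in components:
        m = measure(content)
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log


def known_good_table(components: List[Tuple[str, bytes]]) -> Dict[str, bytes]:
    """What the verifier holds: expected measurement for each ROTI component."""
    return {name: measure(content) for name, content in components}


def verify(attested_pcr: bytes, log: List[LogEntry], known_good: Dict[str, bytes]) -> Tuple[bool, str]:
    """Verifier side: every log entry must be a known-good component and the
    replayed PCR must equal the value the TPM attested."""
    pcr = bytes(PCR_SIZE)
    for name, m in log:
        if known_good.get(name) != m:
            return False, f"unknown or tampered component: {name}"
        pcr = extend(pcr, m)
    if pcr != attested_pcr:
        return False, "measurement log does not match attested PCR"
    return True, "ok"


if __name__ == "__main__":
    pcr, log = install_and_measure(ROTI_COMPONENTS)
    print("attested PCR:", pcr.hex())
    print("verification:", verify(pcr, log, known_good_table(ROTI_COMPONENTS)))
```

The two failure branches in `verify()` correspond to the two things the ROTI lets a third party check: a log entry with no known-good match means a component other than the trusted installer's was used, while a log that replays to a different PCR than the TPM reports means the log itself was altered after the fact.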

Related Publications

Luke St.Clair, Joshua Schiffman, Trent Jaeger, and Patrick McDaniel. Establishing and Sustaining System Integrity via Root of Trust Installation. 23rd Annual Computer Security Applications Conference (ACSAC), December 2007.

Trent Jaeger, Reiner Sailer, and Yogesh Sreenivasan. Managing the Risk of Covert Information Flows in Virtual Machine Systems. ACM Symposium on Access Control Models and Technologies (SACMAT), June 2007.

Jonathon McCune, Stefan Berger, Ramon Caceres, Trent Jaeger, and Reiner Sailer. Shamon: A system for distributed mandatory access control. Proceedings of the 2006 Annual Computer Security Applications Conference, December 2006.

Trent Jaeger, Patrick McDaniel, Luke St.Clair, Ramon Caceres, and Reiner Sailer. Shame on Trust in Distributed Systems. Proceedings of the First Workshop on Hot Topics in Security (HotSec '06), July 2006.

J. Linwood Griffin, Trent Jaeger, R. Perez, Reiner Sailer, L. van Doorn, and Ramon Caceres. Trusted Virtual Domains: Toward Secure Distributed Services. Proceedings of the First Workshop on Hot Topics in Systems Dependability, June 2005.