A System for Distributed Mandatory Access Control

We define and demonstrate an approach to securing distributed computation based on a distributed,
trusted reference monitor (DTRM) that enforces mandatory access control (MAC) policies across machines. Securing distributed computation is difficult because of the asymmetry of trust in different computing environments and the complexity of managing MAC policies across machines, when they are already complex for one machine (e.g., Fedora Core 4 SELinux policy). We leverage recent work in three areas as a basis for our solution: (1) remote attestation as a basis to establish mutual acceptance of reference monitoring function; (2) virtual machines to simplify reference monitor design and the MAC policies enforced; and (3) IPsec with MAC labels to ensure the protection and authorization of commands across machines. We define a distributed computing architecture based on these mechanisms and show how local reference monitor guarantees can be attained for a distributed reference monitor. We implement a prototype system on the Xen hypervisor with a trusted MAC VM built on Linux 2.6 whose reference monitor design requires only 13 authorization checks, only 5 of which apply to normal processing (others are for policy setup). This prototype enforces MAC between machines using IPsec extensions that label secure communication channels. We show that, through our architecture, distributed computations can be protected and controlled coherently across all the machines involved in the computation.

By: Jonathan M. McCune, Stefan Berger, Ramón Cáceres, Trent Jaeger, Reiner Sailer

Published in: RC23865 in 2006


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .