A Pluggable Domain Management Approach for Building Practical Distributed Coalitions

Recently, much attention has been paid to research on distributed coalitions, as a possible mechanism to embody distributed information flow control which can apply security policies to distributed components over nodes by making the components enforce mandatory access controls for resources based on the policies. Some projects have proposed prototype systems of distributed coalitions, but they assume that each component that participates in a domain has domain management functions. This assumption is reasonable when the components are designed for a distributed coalition, but it has been an obstacle when actually building distributed coalitions in existing environments, because it is difficult for existing components in real environments that were not designed for use in distributed coalitions to update their code and add support for domain management functions while considering the influences of their environments, especially for commercial components. In this paper, we propose a Domain Management Agent (DMA) for building practical distributed coalitions, which performs domain management on behalf of a component and emphasizes minimizing the influence on existing environments. We implement a prototype system on Microsoft Windows platform for broad use by many people, evaluate its performance overhead, and show that our approach is feasible.