DocumentCode
2965152
Title
Shamon: A System for Distributed Mandatory Access Control
Author
McCune, Jonathan M. ; Jaeger, Trent ; Berger, Stefan ; Cáceres, Ramón ; Sailer, Reiner
Author_Institution
Carnegie Mellon Univ., San Diego, CA
fYear
2006
fDate
Dec. 2006
Firstpage
23
Lastpage
32
Abstract
We define and demonstrate an approach to securing distributed computation based on a shared reference monitor (Shamon) that enforces mandatory access control (MAC) policies across a distributed set of machines. The Shamon enables local reference monitor guarantees to be attained for a set of reference monitors on these machines. We implement a prototype system on the Xen hypervisor with a trusted MAC virtual machine built on Linux 2.6 whose reference monitor design requires only 13 authorization checks, only 5 of which apply to normal processing (others are for policy setup). We show that, through our architecture, distributed computations can be protected and controlled coherently across all the machines involved in the computation.
Keywords
Linux; authorisation; distributed processing; virtual machines; Linux 2.6; Shamon system; Xen hypervisor; authorization; distributed computation security; distributed computations; distributed machines; distributed mandatory access control; mandatory access control policies; prototype system; reference monitor design; shared reference monitor; trusted MAC virtual machine; Access control; Authorization; Computer architecture; Condition monitoring; Distributed computing; Linux; Protection; Virtual machine monitors; Virtual machining; Virtual prototyping;
fLanguage
English
Publisher
IEEE
Conference_Titel
Computer Security Applications Conference, 2006. ACSAC '06. 22nd Annual
Conference_Location
Miami Beach, FL
ISSN
1063-9527
Print_ISBN
0-7695-2716-7
Type
conf
DOI
10.1109/ACSAC.2006.47
Filename
4041151