Shame on Trust in Distributed Systems

Approaches for building secure, distributed systems have fundamental limitations that prevent the construction of dynamic, Internet-scale systems. In this paper, we propose a concept of a shared reference monitor or Shamon that we believe will provide a basis for overcoming these limitations. First, distributed systems lack a principled basis for trust in the trusted computing bases of member machines. In most distributed systems, a trusted computing base is assumed. However, the fear of compromise due to misconfiguration or vulnerable software limits the cases where this assumption can be applied in practice. Where such trust is not assumed, current solutions are not scalable to large systems [7, 20]. Second, current systems do not ensure the enforcement of the flexible, distributed system security goals. Mandatory access control (MAC) policies aim to describe enforceable security goals, but flexible MAC solutions, such as SELinux, do not even provide a scalable solution for a single machine (due to the complexity of UNIX systems), much less a distributed system. A significant change in approach is necessary to develop a principled trusted computing base that enforces system security goals and scales to large distributed systems.

Our proposal is to develop scalable mechanisms for composing a verifiable reference monitoring infrastructure that spans Internet-wide distributed systems. We refer to a set of reference monitors that provides coherent security guarantees across multiple physical machines as a Shamon 1. While this may sound like a mere extension of the well-known reference monitor concept, we propose several key differences: (1) the credentials of secure hardware (e.g., Trusted Computing Group’s Trusted Platform Module), rather than users, are used to authenticate individual reference monitoring systems in the Shamon ; (2) trust in the Shamon is based on attestation of reference monitoring properties: tamperproofing, mediation, and simplicity of design; (3) virtual machine monitoring is used to establish coarse-grained domains, which results in significant simplification of MAC policies; (4) policy analyses verify that these MAC policies satisfy the Shamon application’s security goals when enforced by the Shamon; and (5) based on this restricted definition of trust, a focused logic is defined that enables scalable evaluation of this trust by components of the distributed system that is also resilient to dynamic changes in the application.

The Shamon approach addresses the fundamental challenges described above. First, trust is built from the bottomup via secure hardware credentials that enable attestations of virtual machine-based enforcement for each machine. Second, the MAC policy enforced by the Shamon is used to prove enforcement of system security goals. We define a logical representation for verifying these criteria that enables scalable management of large Shamon even under changes in application configuration. Each of the five tasks that convert a reference monitor into a Shamon presents substantial research challenges, but we aim to demonstrate that each has tractable solution potential and that the resultant Shamon system will provide a foundation for large-scale distributed authorization. To motivate its design, we introduce our prototype application of the Shamon in the following section.

By: Trent Jaeger; Patrick McDaniel; Luke St. Clair; Reiner Sailer; Ramón Cáceres

Published in: RC23964 in 2006


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .