Bridging Mandatory Access Control Across Machines

We define and demonstrate an approach to securing distributed computation based on a distributed reference monitor that enforces mandatory access control (MAC) policy across machines. Securing distributed computation is difficult because of the asymmetry of trust in different computing environments and the complexity of managing MAC policies across machines, when they are already complex for one machine (e.g., Fedora Core 4 SELinux policy). We leverage recent work in three areas as a basis for our solution: (1) remote attestation as a basis to establish mutual acceptance of reference monitoring function; (2) IPsec with MAC labels to ensure the protection and authorization of commands across machines; and (3) virtual machines for isolation and to simplify the MAC policies. We define a distributed computing architecture based on these mechanisms and show how local reference monitor guarantees can be attained for a distributed reference monitor. We implement a prototype system on the Xen hypervisor with a trusted MAC VM built on Linux 2.6. This prototype enforces MAC between machines using IPsec extensions to SELinux that label secure communication channels. We show that through our architecture distributed SETI@HOME computations can be protected and controlled coherently across all the machines involved in the computation.