Aim to Build Measurable, High Integrity Linux Systems. Linu - PowerPoint PPT Presentation

1
Trent Jaeger: Past Projects and Results
  • Linux Security
    • Aim to Build Measurable, High Integrity Linux Systems
  • Linux Security Modules
    • Verify Complete Mediation of the Reference Monitor Interface
    • Found and fixed six bugs (USENIX Sec 2002, ACM CCS 2002, ACM TISSEC 2004)
  • SELinux Policy Analysis
    • Identify Low Integrity Flows to High Integrity Subjects
    • Prove Integrity Protection of Apache, SSH, vsftp, and Linux TCB services (USENIX Sec 2003, ACM TISSEC 2003, NDSS 2006)
  • Labeled IPsec
    • Integration of IPsec and SELinux for Mandatory Network Control
    • Accepted into mainline Linux kernel in 2.6.16 (SecureComm 2006)
  • Lessons Learned
    • Comprehensive Mandatory Access Control for Linux
    • But Comprehensive MAC policies are complex
    • And MAC is expanding to distributed systems
    • Can We Provide Practical Integrity in Distributed Systems?

2
[Diagram: two hosts, each running a Shared Reference Monitor (Shamon) rooted in its own TPM; remote attestation of enforcement is used to ensure goals across the hosts.]
3
Shamon Motivation
  • Reference Monitor Goals
    • Can be extended to distributed systems
  • Tamperproofing: Remote Attestation
    • Hardware-based integrity measurement
    • Prove integrity to remote parties (USENIX Sec 2004, ACM CCS 2004, SACMAT 2006)
  • Complete Mediation: Virtual Machine Systems
    • Coarse-grained Mandatory Access Control (Xen sHype)
    • Simplify MAC policies (ACSAC 2005, ACSAC 2006)
  • Comprehensive Verification: Information Flow Aware Software Development
    • Build client and server applications that enforce system information flow policies
    • Comprehensive MAC enforcement (submitted to NDSS 2007)
  • Retrofitting Legacy Code
    • Add specific security functions to existing code
    • Enable transition from legacy to comprehensive MAC enforcement (ACM CCS 2005, IEEE SP 2006, ICSE 2006)
  • A Number of Emerging Technologies Motivate the Construction of Distributed Mandatory Access Control
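The "hardware-based integrity measurement" and "prove integrity to remote parties" bullets above rest on one mechanism: each booted component is hashed into a TPM register with an order-dependent extend operation, and a verifier replays the measurement log to decide whether the remote host is in a known-good state. The following is an added example written for this page, not code from the slides or the Shamon project. It models a single SHA-256 register and a measurement log in software; the component names and contents, and the known-good list derived from them, are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

PCR_SIZE = 32  # one SHA-256 register, modelled after a TPM PCR


@dataclass(frozen=True)
class Measurement:
    name: str      # what was measured (kernel, MAC policy, enforcement daemon)
    digest: bytes  # SHA-256 of the measured content


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = H(old || digest).

    The register can only be moved forward; the final value depends on every
    digest and on the order in which they were extended."""
    return hashlib.sha256(register + digest).digest()


def measure(name: str, content: bytes) -> Measurement:
    return Measurement(name, hashlib.sha256(content).digest())


def record_boot(components):
    """Attesting host: hash each component, extend the register, append to the
    log. Returns (final register value, measurement log)."""
    register = bytes(PCR_SIZE)  # register starts at all zeros after reset
    log = []
    for name, content in components:
        m = measure(name, content)
        register = extend(register, m.digest)
        log.append(m)
    return register, log


def verify_attestation(quoted_register, log, known_good):
    """Verifier: replay the log and compare to the quoted register, then check
    every entry against the known-good list. Returns (ok, reasons)."""
    reasons = []
    replayed = bytes(PCR_SIZE)
    for m in log:
        replayed = extend(replayed, m.digest)
    if replayed != quoted_register:
        reasons.append("log does not replay to quoted register value")
    for m in log:
        if known_good.get(m.name) != m.digest:
            reasons.append(f"unrecognized measurement for {m.name}")
    return (not reasons), reasons


# Constructed sample boot: the bytes stand in for real kernel/policy/binary images.
COMPONENTS = [
    ("kernel", b"constructed kernel image v1"),
    ("selinux-policy", b"constructed strict MAC policy"),
    ("shamon-daemon", b"constructed enforcement daemon"),
]

# The verifier's known-good list, derived from the same constructed contents.
KNOWN_GOOD = {name: measure(name, content).digest for name, content in COMPONENTS}


def run_scenarios():
    """Three verifier outcomes: honest host, altered log entry, reordered boot."""
    register, log = record_boot(COMPONENTS)
    honest = verify_attestation(register, log, KNOWN_GOOD)

    # A log entry is swapped for a different (permissive) policy while the
    # quoted register is left alone: replay fails and the entry is unrecognized.
    tampered_log = [
        measure("selinux-policy", b"constructed permissive policy")
        if m.name == "selinux-policy" else m
        for m in log
    ]
    tampered = verify_attestation(register, tampered_log, KNOWN_GOOD)

    # Same known-good components extended in a different order: every entry is
    # recognized, but the log no longer replays to the quoted register.
    _, reordered_log = record_boot(COMPONENTS[::-1])
    reordered = verify_attestation(register, reordered_log, KNOWN_GOOD)

    return {"honest": honest, "tampered": tampered, "reordered": reordered}


if __name__ == "__main__":
    for scenario, (ok, reasons) in run_scenarios().items():
        print(f"{scenario}: {'trusted' if ok else 'REJECTED'} {reasons}")
```

The reordered case is the one worth noticing: a known-good list alone would accept it, and the register alone would reject it without saying why. The two checks together give the verifier both the tamper-evidence of the hardware register and a readable reason to return to the remote party.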

4
Shamon Applications
  • Grid Applications
  • Distributed Service Level Agreements
  • Internet Suspend/Resume
  • Remote Medicine
  • Common Thread: All are trying to prove that they are doing the right thing

5
Shamon Challenges
  • Build up Trust from Secure Hardware
    • Secure Hardware is basis for system integrity
    • Can it also be a basis for trust in credentials?
  • Usable Attestations
    • Verification must be practical, robust, private
    • Can we express integrity in simple, scalable terms?
  • User Authentication
    • User authenticates system and vice versa
    • How does a user know which secure hardware goes with which system?
  • Security Policy and Goals
    • Obtain policy and labeling
    • How do we identify security goals and prove compliance scalably?
  • Maintain Trust
    • Logic representation
    • How do we show that all machines in a coalition are trustworthy?

6
Summary
  • Mandatory Access Control Is Becoming Ubiquitous
    • E.g., Linux Security Modules
  • Virtual Machines Are Becoming Ubiquitous
    • Intel VM Systems
  • Other Technologies Are Emerging
    • Remote Attestation, Information Flow Aware Applications, Legacy Code Retrofitting
  • Shamon Architecture for Distributed MAC Enforcement
    • Attestation enables the expansion of reference monitor guarantees to distributed systems
    • Initial prototype (ACSAC 2006)
  • Leadership in MAC Architectures
    • NSF-Funded project
    • High Assurance Platform
    • Virtual Machine Security
    • Collaborate with Industry