Institute for Security, Technology, and Society
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755 USA
info.ists@dartmouth.edu

Building Shared Reference Monitor Systems

Abstract

Trent Jaeger

In this talk, I will describe an architecture for building secure distributed systems based on a Shared Reference Monitor (Shamon). A Shamon consists of distributed security components that collaborate to provide a single, coherent mechanism for enforcing mandatory access control (MAC), achieving the function of a local reference monitor.

The challenge is to ensure the guarantees required of a reference monitor: complete mediation over security sensitive operations; tamper-protection of the Shamon mechanism and state; and verifiability of correct enforcement of security goals. I will begin the talk by discussing the vision of future Shamon distributed systems and motivating why the recent emergence of ubiquitous virtual machine systems and trusted computing hardware is necessary to achieve the Shamon goals. I will then discuss our prototype Shamon system, highlighting the design decisions required to satisfy the reference monitor guarantees.

Bio

Trent Jaeger is an Associate Professor in the Computer Science and Engineering Department at The Pennsylvania State University. Trent's research interests include operating systems security, access control, and source code and policy analysis tools. He has published over 50 refereed research papers on these subjects. Trent has made a variety of contributions to Linux security, particularly to the Linux Security Modules framework, the SELinux module and policy development, integrity measurement in Linux, and the Xen security architecture.

Also, he has been a member of the program committee, including as general and program chair, for several major security conferences. Trent has an M.S. and a Ph.D. from the University of Michigan, Ann Arbor in Computer Science and Engineering in 1993 and 1997, respectively.