0 Penn State, NSRC Industry Day, Trent Jaeger – Past Projects and Results Linux Security –Aim to Build Measurable, High Integrity Linux Systems Linux Security Modules –Verify Complete Mediation of the Reference Monitor Interface –Found and fixed six bugs [USENIX Sec 2002][ACM CCS 2002][ACM TISSEC 2004] SELinux Policy Analysis –Identify Low Integrity Flows to High Integrity Subjects –Prove Integrity Protection of Apache, SSH, vsftp, and Linux TCB services [USENIX Sec 2003][ACM TISSEC 2003][NDSS 2006] Labeled IPsec –Integration of IPsec and SELinux for Mandatory Network Control –Accepted into mainline Linux kernel in [SecureComm 2006] Lessons Learned –Comprehensive Mandatory Access Control for Linux –But Comprehensive MAC policies are complex –And MAC is expanding to distributed systems Can We Provide Practical Integrity in Distributed Systems?

1 Penn State, NSRC Industry Day, Shared Reference Monitor (Shamon) Virtual Machine Monitor Virtual Machine Appl (Jif) Virtual Machine Appl Virtual Machine Bad Virtual Machine Monitor Virtual Machine Appl (Jif) Virtual Machine Appl Virtual Machine Bad Use remote attestation of enforcement to ensure goals TPM

2 Penn State, NSRC Industry Day, Shamon Motivation Reference Monitor Goals –Can be extended to distributed systems Tamperproofing: Remote Attestation –Hardware-based integrity measurement –Prove integrity to remote parties [USENIX Sec 2004][ACM CCS 2004][SACMAT 2006] Complete Mediation: Virtual Machine Systems –Coarse-grained Mandatory Access Control (Xen sHype) –Simplify MAC policies [ACSAC 2005] [ACSAC 2006] Comprehensive Verification: Information Flow Aware Software Development –Build client and server applications that enforce system information flow policies –Comprehensive MAC enforcement [submitted to NDSS 2007] Retrofitting Legacy Code –Add specific security functions to existing code –Enable transition from legacy to comprehensive MAC enforcement [ACM CCS 2005][IEEE S&P 2006][ICSE 2006] A Number of Emerging Technologies Motivate the Construction of Distributed Mandatory Access Control

3 Penn State, NSRC Industry Day, Shamon Applications Grid Applications Distributed Service Level Agreements Internet Suspend/Resume Remote Medicine Common Thread: All are trying to prove that they are doing the right thing

4 Penn State, NSRC Industry Day, Shamon Challenges Build up Trust from Secure Hardware –Secure Hardware is basis for system integrity –Can it also be a basis for trust in credentials? Usable Attestations –Verification must be practical, robust, private –Can we express integrity in simple, scalable terms? User Authentication –User authenticates system and vice versa –How does a user know which secure hardware goes with which system? Security Policy and Goals –Obtain policy and labeling –How do we identify security goals and prove compliance scalably? Maintain Trust –Logic representation –How do we show that all machines in a coalition are trustworthy?

5 Penn State, NSRC Industry Day, Summary Mandatory Access Control Is Becoming Ubiquitous –E.g., Linux Security Modules Virtual Machines Are Becoming Ubiquitous –Intel VM Systems Other Technologies Are Emerging –Remote Attestation, Information Flow Aware Applications, Legacy Code Retrofitting Shamon: Architecture for Distributed MAC Enforcement –Attestation enables the expansion of reference monitor guarantees to distributed systems –Initial prototype [ACSAC 2006] Leadership in MAC Architectures –NSF-Funded project –High Assurance Platform –Virtual Machine Security –Collaborate with Industry