Existing distributed authorization systems focus on the formulation of policy, but enforcement remains a per-host issue. Failure of any component to faithfully enforce policy can lead to vulnerabilities and, in the extreme, renders authorization impotent. Without greater assurance in the integrity of authorization enforcement, assurance that scales to Internet-wide applications, reliable distributed authorization cannot be built.
The Shared Reference Monitor (Shamon) project leverages advances in integrity measurement and virtual machines to compose a coherent authorization system for distributed applications. A Shamon consists of a set of reference monitors on multiple physical machines that are integrity-verified to enforce a consistent security policy across the virtual machines that make up an application. The use of virtual machines provides coarse-grained isolation that simplifies security policy for large-scale distributed systems, and integrity measurement ensures that each member of the Shamon can verify that the others are enforcing this policy.
The Shamon project focuses on building the services to compose and maintain such shared reference monitors. First, a logic-based approach is defined that enables composition of trust in the enforcement of a consistent policy by the Shamon reference monitors. Such trust composition will be robust in the presence of system dynamics, including the joining, leaving and migration of virtual machines. Second, the Xen hypervisor system is augmented with these trust composition services. In this way, monitored applications will only communicate with systems whose regulation is consistent with their Shamon policy.
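As an added illustration, not code from the Shamon project, the following Python model captures the membership logic the abstract describes: a host is admitted only if its attested reference-monitor measurement is trusted and its policy measurement equals the shared policy, and two VMs may communicate only while both of their hosts are verified members, so a VM that migrates onto an unverified host loses connectivity. The attestation fields, the SHA-256 measurement scheme and the host and VM names are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field
def measure(blob: bytes) -> str:  # integrity measurement: SHA-256 of code or policy (assumed scheme)
    return hashlib.sha256(blob).hexdigest()

@dataclass(frozen=True)
class Attestation:  # what a host reports about itself to prospective peers (assumed fields)
    host: str
    monitor_hash: str  # measurement of its reference monitor code
    policy_hash: str   # measurement of the policy that monitor enforces

@dataclass
class Shamon:
    policy_hash: str                  # the one policy every member must enforce
    trusted_monitors: frozenset       # known-good reference monitor measurements
    members: set = field(default_factory=set)      # hosts whose attestation verified
    placement: dict = field(default_factory=dict)  # vm -> host it currently runs on

    def verify(self, a: Attestation) -> bool:
        # trusted monitor code AND the same policy; either alone is not enough
        return a.monitor_hash in self.trusted_monitors and a.policy_hash == self.policy_hash

    def join(self, a: Attestation) -> bool:
        ok = self.verify(a)
        if ok:
            self.members.add(a.host)
        return ok

    def leave(self, host: str) -> None:  # e.g. re-attestation failed after an update
        self.members.discard(host)

    def migrate(self, vm: str, host: str) -> None:
        self.placement[vm] = host

    def may_communicate(self, vm_a: str, vm_b: str) -> bool:
        # both endpoints must run on verified members, or the Shamon is not in control
        return self.placement.get(vm_a) in self.members and self.placement.get(vm_b) in self.members

def demo() -> dict:
    good_monitor = measure(b"reference monitor v1 (constructed)")
    policy = measure(b"shared policy (constructed)")
    sh = Shamon(policy_hash=policy, trusted_monitors=frozenset({good_monitor}))
    joined_a = sh.join(Attestation("hostA", good_monitor, policy))
    joined_b = sh.join(Attestation("hostB", good_monitor, policy))
    joined_c = sh.join(Attestation("hostC", good_monitor, measure(b"other policy")))  # same code, different policy
    sh.placement.update({"vm1": "hostA", "vm2": "hostB"})
    before = sh.may_communicate("vm1", "vm2")
    sh.migrate("vm2", "hostC")  # vm2 migrates onto the unverified host
    after = sh.may_communicate("vm1", "vm2")
    return {"a": joined_a, "b": joined_b, "c": joined_c, "before": before, "after": after}
```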