Systems Seminar - CSE
Building Systems That Enforce Measurable Security Goals
In this talk, I will argue for an approach for building and deploying virtual machine systems that enforce measurable security goals. While the security community has developed "ideal" security models, we have found it difficult to build conventional systems that satisfy such ideals, resulting in an incomplete understanding of system security that leads to vulnerabilities. Ideal security requires heavyweight tasks, such as complete formal assurance, but conventional systems place authority in too many programs to make assurance cost-effective. As an alternative, we propose an approach in which ideal goals are used as a means to gain a comprehensive understanding of which programs we depend upon for security enforcement and the risks that result from such dependence. The result is a model that enables comprehensive evaluation of security goals and treatment of risks once they are identified.

In this talk, I will discuss two experiments. The first examines whether user-level processes can be automatically deployed in a manner in which correct enforcement of system policy can be verified. This experiment shows that certain programs can be configured to ensure correct security enforcement in a measurable way. The second examines whether the approach found in the first experiment can be generalized to support the myriad security enforcement mechanisms in virtual machine systems. In these experiments, we leverage the mandatory access control enforcement of Linux and Xen, although the talk will focus on the conceptual problems in obtaining a comprehensive view of security in conventional systems. The result of these experiments is that by making security goals measurable in conventional systems, a comprehensive identification of security risks is possible, enabling guidance for comprehensive resolution of risks and, eventually, some measure of confidence in system security.
Trent Jaeger is an Associate Professor in the Computer Science and Engineering Department at The Pennsylvania State University and the Co-Director of the Systems and Internet Infrastructure Security (SIIS) Lab. He joined Penn State after working for IBM Research for nine years in operating systems and system security research groups. Trent's research interests include operating systems security, access control, and source code and policy analysis tools. He has published over 80 refereed research papers on these subjects. Trent has made a variety of contributions to open source systems security, particularly to the Linux Security Modules framework, SELinux module and policy development, integrity measurement in Linux, and the Xen security architecture. Trent is the author of the book "Operating Systems Security," which examines the principles and designs of secure operating systems. He is active in the security research community, having served on the program committees of all the major security conferences and as program chair of the ACM CCS Government and Industry Track and ACM SACMAT, as well as chairing several workshops. He is an associate editor of ACM TOIT and has been a guest editor of ACM TISSEC. Trent received an M.S. (1993) and a Ph.D. (1997) in Computer Science and Engineering from the University of Michigan, Ann Arbor.