Trusted Passages

Enabling Security Guarantees In Service Oriented Architectures


The complexity of today's large scale distributed systems makes it extremely challenging for open systems to provide trustworthy services to end-users. In this research project, we are developing an approach that integrates modern system virtualization techniques as well as new methods for runtime trust monitoring and assessment. This approach dynamically creates and maintains what we term trusted passages across distributed and potentially untrusted execution platforms.

The ultimate goal of this project is to allow critical distributed applications to use open systems, enabling them to produce, process, and distribute information in a timely fashion. Our work will benefit a wide range of applications:

  • remote surveillance,
  • operational information systems used in government and commercial settings,
  • typical e-commerce web services,
  • and other similar information processing tasks.

The attacks on such applications and their infrastructure that our work addresses include system compromise through rootkits, viruses, or other malicious tampering, as well as degradation caused by temporary system overloads or failures.

Two scenarios showing how trusted passages can mitigate the effects of serious attacks on a distributed service oriented architecture.

Trust management software runs in isolated trust controllers, which continually carry out the monitoring and assessment tasks needed to detect attacks and/or compromised systems, and which can repair or work around them upon detection. Multiple trust controllers located on different machines cooperate to actively manage sets of trusted applications running on virtual and physical machines, creating a trusted passage. Applications can take advantage of trusted passages through advanced middleware like the platform-aware overlays developed in our own research and/or through explicit management APIs provided by trust controllers.

By continually assessing the trust placed on applications and the distributed systems on which they run, we make it possible to create trusted passages across potentially untrusted sets of machines. New online monitoring techniques run by trust controllers can operate without requiring applications or operating systems to be instrumented. New methods for dynamic trust management utilize novel trust models for distributed systems and applications. System level support leverages both the virtualization and isolation capabilities of modern platforms, strongly integrating trust and trust management into the basic infrastructure used by applications and systems.

The full text of the proposal can be accessed here.

Completed Work

Protected Data Path

The ability to share sensitive information is a key necessity for today's distributed enterprise applications. This paper presents a kernel-level mechanism for controlling the exchanges of sensitive data, termed Protected Data Paths. The mechanism permits only machines with suitable credentials to cache and manipulate protected data, and it gives protection domains access to such data only as per their rights specified in the capabilities they possess. Our implementation of Protected Data Paths in Linux operates by creating protected communication channels between participating machines. Path establishment requires such machines' kernel domains to have suitable credentials. Data transferred via such paths is made available to application-level domains only as per their current data access capabilities, guaranteed by kernel-level supervision of such data accesses.


The monitoring of virtual machines has many applications in areas such as security and systems management. XenAccess is a monitoring library for operating systems running on Xen. XenAccess incorporates virtual memory introspection and virtual disk monitoring capabilities, allowing monitor applications to safely and efficiently access the memory state and high-level disk activity of a target operating system. Our testing has shown that XenAccess has low overhead, which indicates that these techniques are viable for a wide variety of monitoring applications. XenAccess is available as an open source project at

Ongoing Work

Trusted Data Path

The ability to share sensitive information is a key necessity for today's distributed enterprise applications. This paper presents a virtualization-based mechanism for controlling the exchanges of sensitive data. The mechanism utilizes path controllers that reside in every node along the communication path. The path controllers can plug additional monitoring and action services into the communication path, turning it into a trusted data path. Both the controller and the services run in domains separate from the guest operating system, and are thus isolated from possibly compromised applications and systems. The data transferred on the trusted data path is under the control of the path controllers. The path controller on each node collects information from the applications and the system using monitoring services, and evaluates the trust level of the node. It then generates a derived copy of the data using action services and grants the users access to it. The extensibility of our model allows various services to be linked into the communication path and thus supports flexible data protection policies.
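
The control flow described above can be modelled in a few lines. This is an added example, not code from the project: the service names, the weakest-link trust model, the thresholds and the record fields are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

SENSITIVE = {"ssn", "card"}            # assumed set of protected field names

# Monitoring services (hypothetical): node state -> score in [0, 1]
def rootkit_scan(state):
    return 0.0 if state.get("hidden_modules") else 1.0

def load_check(state):
    # Overload degrades trust but does not zero it.
    return 1.0 if state.get("load", 0.0) < 0.9 else 0.5

# Action services (hypothetical): record -> derived copy, None = withhold
def full_copy(rec):
    return dict(rec)

def redact(rec):
    return {k: v for k, v in rec.items() if k not in SENSITIVE}

def withhold(rec):
    return None

DEFAULT_POLICY = [(0.9, full_copy), (0.4, redact), (0.0, withhold)]

@dataclass
class PathController:
    node: str
    monitors: list
    policy: list = field(default_factory=lambda: list(DEFAULT_POLICY))

    def trust_level(self, state):
        # Weakest-link model (assumption): one failed monitor caps trust.
        return min(m(state) for m in self.monitors)

    def deliver(self, rec, state):
        # The guest only ever receives the derived copy, never `rec` itself.
        level = self.trust_level(state)
        for threshold, action in self.policy:   # highest threshold first
            if level >= threshold:
                return action(rec)
        return None

def send_along_path(rec, path):
    """path: [(controller, node_state)]; returns what each node's guest sees."""
    return {ctl.node: ctl.deliver(rec, state) for ctl, state in path}

def demo():
    # Constructed record and node states, for illustration only.
    rec = {"name": "A. Example", "ssn": "000-00-0000", "order": 17}
    mons = [rootkit_scan, load_check]
    path = [(PathController("edge", mons), {"load": 0.2}),
            (PathController("cache", mons), {"load": 0.95}),
            (PathController("worker", mons), {"hidden_modules": ["modx"]})]
    return send_along_path(rec, path)
```

In this model the overloaded node receives a redacted copy and the node with hidden kernel modules receives nothing, while the original record stays with the controllers.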

Monitoring Using Runtime Hooks

Introspection techniques, such as those implemented in XenAccess, provide a valuable tool for monitoring a system. However, these techniques are not able to interrupt the control flow of a process to perform monitoring at a critical point in execution (e.g., prior to executing a file that may contain malicious code). We are investigating how to address this problem with a complementary monitoring technique capable of installing runtime hooks at critical points in the execution path of a system.