Efficient and Scalable Verification of Distributed System Integrity using SHIMA

Open Access
Schiffman, Joshua Serratelli
Graduate Program:
Computer Science and Engineering
Master of Science
Document Type:
Master Thesis
Date of Defense:
April 08, 2009
Committee Members:
  • Trent Ray Jaeger, Thesis Advisor
  • trusted computing
  • distributed systems
  • integrity measurement
Many users obtain critical information from distributed systems. As more Internet services leverage distributed computing approaches, like mashups and service-oriented architectures, the need for users to verify the authenticity of data from distributed systems will increase. While a variety of mechanisms are broadly used to authenticate principals in distributed systems, mechanisms to verify the integrity of the distributed computation are only used in limited cases. Hardware-based attestation is still the most promising approach for integrity verification of remote systems, but current attestation mechanisms only verify a single node or only apply to limited distributed systems. In this paper, we propose a Shamon Integrity Monitoring Approach (SHIMA) for integrity verification in distributed systems. SHIMA prescribes that specialized services, called Virtual Machine Verifier, on each distributed node enforce an integrity criteria over the execution of system VMs and collaborate to maintain the integrity of the distributed system. This approach enables any system node to build a global integrity proof that the entire distributed system satisfies that integrity criteria. SHIMA is based on two insights: (1) that having a specialized component whose long-term integrity can be verified using traditional attestation provides a foundation for distributed system verification and (2) that the specialized component can be entrusted with the task of enforcing integrity and reporting enforcement status to others via attestations. We deploy a SHIMA prototype to verify that a Tor anonymity system runs only Tor servers that satisfy an integrity criteria. The resultant Tor system detects malware and policy misconfigurations that would enable compromise of a Tor server while adding negligible overhead to request processing. Thus, with SHIMA, we provide a low overhead mechanism for integrity verification of distributed systems that ensures a meaningful integrity criteria is being enforced among its members nodes.