Projects
Agent Based Intrusion Detection:
Attacks against computing systems are becoming more
intelligent and strategic. An agent-based intrusion detection system has
the potential to provide distributed sensing and analysis such that the
computing environment can recognize such organized and coordinated attacks.
We are examining techniques to implement scalable and resilient agent-based
intrusion detection systems. Our agent-based approach is intended to combat
stealthy, coordinated attacks and to provide fully distributed agent management.
Automated Buffer Overflow Detection:
Buffer overflows continue to be the most common class of security flaw in networked
systems. We are investigating a combination of static and dynamic analysis
techniques to detect, contain, or eliminate buffer overflows in C
programs. Our dynamic approach involves type-assisted bounds checking,
and we are investigating how to integrate it with static analysis
to improve efficiency.
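As an added illustration of the type-assisted bounds checking idea (example code written for this page, not the project's library), the unchecked copy pattern that produces an overflow is shown beside a variant whose buffer type carries its own capacity, so the write can be checked at the point where it happens. The bbuf_t type, the function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Unchecked pattern: the callee receives a bare char* and cannot know the
 * destination's size, so strlen(src) >= sizeof(dst) silently overruns it. */
void unchecked_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Type-assisted variant (assumed type for this example): the destination
 * type carries its capacity, so a bounds check is possible at the write. */
typedef struct {
    char  *base;
    size_t cap;      /* bytes available at base, including room for the NUL */
} bbuf_t;

#define BBUF_FROM_ARRAY(arr) ((bbuf_t){ (arr), sizeof(arr) })

/* Copy src into dst if it fits (with its NUL). Returns 0 on success, -1 on
 * rejection; on rejection dst is left untouched rather than half-written.
 * The length scan is bounded by dst.cap, so an unterminated src is never
 * read past cap bytes either. */
int checked_copy(bbuf_t dst, const char *src)
{
    size_t n = 0;
    while (n < dst.cap && src[n] != '\0')
        n++;
    if (n == dst.cap)          /* src needs more than cap-1 chars: reject */
        return -1;
    memcpy(dst.base, src, n + 1);
    return 0;
}

/* Exercise checked_copy against a fresh buffer of `cap` bytes (cap <= 64).
 * Returns the checked_copy result, or -2 if cap is out of range. */
int copy_fits(const char *src, size_t cap)
{
    char backing[64];
    if (cap > sizeof backing)
        return -2;
    return checked_copy((bbuf_t){ backing, cap }, src);
}

/* Constructed sample inputs: one that fits an 8-byte buffer and one that
 * would have overrun it through unchecked_copy. Returns 1 if both outcomes
 * are as expected. */
int demo(void)
{
    char small[8];
    const char *fits     = "hello";
    const char *too_long = "this string is far longer than eight bytes";

    unchecked_copy(small, fits);                 /* safe only because fits is short */
    int r1 = checked_copy(BBUF_FROM_ARRAY(small), fits);      /* 0 */
    int r2 = checked_copy(BBUF_FROM_ARRAY(small), too_long);  /* -1, small untouched */
    printf("short: %d (%s), long: %d (%s)\n", r1, small, r2, small);
    return r1 == 0 && r2 == -1 && strcmp(small, "hello") == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The point of the struct is that the capacity travels with the pointer: a static analysis that can prove the source length at a call site can elide the run-time scan, which is the efficiency trade-off the paragraph refers to.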
Bandwidth Management Points:
Quality of service (QoS) will be critically important to the next generation
Internet. Past QoS techniques have relied on non-scalable mechanisms or
those that are incompatible with the TCP/IP protocol suite. We are investigating
QoS guarantees in Differentiated Services (DiffServ) networks, in conjunction
with Multi-Protocol Label Switching (MPLS). Our mechanism for providing
this service includes Bandwidth Management Points, which act as brokers
for communication across network domains, factoring in available resources
and economic models of scheduling.
Computational Resiliency:
Many fault-tolerant distributed systems have sought to use replication
of system resources to provide graceful degradation in the presence of
failure or attack. This is clearly not sufficient in the event that attacks
are never detected or insiders undermine system operation. We propose
to investigate an alternative approach --computational resiliency
-- which combines real-time attack assessment with on-the-fly replication,
camouflage, and process reconfiguration to maintain and improve system
capabilities. We expect the associated technology to be applicable to
a wide range of command and control applications involving the distributed
acquisition, dissemination, and analysis of information.
To understand how these concepts might operate, consider a distributed
system as an apartment inhabited by a new strain of roach (process/thread).
The roaches (we thank Cathy McCullum at DARPA for the computational roach
analogy) are highly resilient: you can stamp
on them, spray them, strike them with a broom, but you never kill them
all or prevent them from their goal of finding food (resources). To foil
your eradication efforts, they use several techniques: they are highly
mobile moving from one place in the apartment (network) to another with
speed and agility. They continually replicate to ensure that it is not
possible to kill them all. They sense (attack assessment) their environment
to obtain clues that mobility is necessary: if a light is turned on, they
scurry away in all directions to hide behind cupboards in places of known
safety (secure network zones). If a new roach killer is invented they
learn from it, and adapt their behavior to compensate. However, this new
strain is particularly aggressive and seeks to live in the daylight (wide-area
operation): thus it adopts techniques for camouflage as a form of protection
and disinformation.
There are several significant technical challenges involved in developing
systems based on these concepts. Techniques must be developed for providing
policy driven, on-the-fly computation replication, camouflage, and mobility.
To address these problems we investigated the basic component technologies
and developed application-level library technologies intended to provide
a concurrent programming framework for resilient computing.
This work was accompanied by proof-of-concept experiments intended to
exercise the ideas using three distributed applications:
- Sonar imaging using a towed sonar array
- Image processing using the Principal Component Transform (PCT)
- Heat diffusion
This project was completed in 2002 after implementation of the basic library
technology to support group communication with fuzzy agreement, replication,
and migration; the camouflage investigation became the Protocol Steganography
project.
Covert Data Recognition and Recovery:
Funded by the Air Force Research Lab, we are developing the functional
and operational specifications for remote covert data recognition and
recovery. With the potential of dual-use application for law enforcement
as well as military intelligence, this project looks into remote disk
forensics, data recognition, data classification and data recovery.
Dynamic Honeypots and Honeynets:
Honeynets are a tool for studying and researching blackhat techniques.
A Honeynet is a collection of networked machines, running stock operating
systems, protected by a firewall. The firewall logs all traffic to and
from the machines, which are used for no other purpose than to be attacked
and probed. We are seeking to build automated honeynets that respond to
attack by changing the configuration of the system(s) on the network,
thus presenting attackers with a more difficult challenge and potentially
allowing us to gauge the skill, knowledge, and commitment of the blackhats.
High-Confidence Design for Security:
The widespread use of networks makes information security a major concern
where the underlying network (e.g., the Internet) is assumed to be insecure.
Systems with security requirements typically must operate with a high
degree of confidence -- they must be highly assured. The task of designing
and building secure systems raises a fundamental question: How do we
know with confidence that our designs will behave securely? Having
confidence in a secure system requires having confidence in the following:
1) the strength of the cryptographic algorithms
2) the correctness of the hardware and software implementations
3) knowledge that the implementation supports a security model.
Our research focuses on items 1 and 2. The specific problems we are looking
at are:
- Formal specification and verification of security properties using higher-order
logic and theorem proving
- Composition of specifications and implementations using algebraic techniques,
refinements, and category theory
- Concept demonstrations that produce working integrated circuits and actual
implementations of protocols in languages such as C++
We can use the proposed network to test the formal models against actual protocols
and implementations. For example, when reasoning about the security features
of IPv6 it would be quite valuable to observe its actual behavior in a
controlled fashion.
Information Security Requirements for IP-Based
Data Collection Serial Interface Units:
Joint Sensis-CSA-CASE SAID-SUPRIA project for 2002-03. We propose to develop
a set of information security requirements for IP-based remote data collection
serial interface units. The proposed effort will look at the trade-offs
of converting ubiquitous leased telephone line units into IP-based systems,
outline the potential cost savings both in initial deployment and recurring
charges, and set forth a set of requirements to ensure system assurance
on a public network. We propose to explore the end-to-end use of IPv6-based
protocols for remote data systems. Replacing leased-telephone lines eliminates
the recurring line lease charges, and allows connecting the new generation
of IP-based sensors directly to the Internet.
Information Security Requirements for Remote Data
Processing Systems:
This collaborative project with Sensis Corporation deals with specifying
the information security requirements for the client-server model of radar
remote data sensing system. Beyond specifying the requirements to ensure
the confidentiality, integrity and availability of the data, we anticipate
carrying out penetration testing on the implementation, including red
team and blue team attacks.
Interface-Based Intrusion Detection:
A companion to Computational Resiliency is the Interface-Based Intrusion
Detection (IBID) project, which will examine purely-local intrusion detection
and network filtering. The two dominant modes of intrusion detection are
host-based and network-based. Host-based intrusion detection
monitors the state of processes and files on the host, and raises an alarm
if an erroneous condition is noted. Network-based intrusion detection
relies on the ability to monitor all of the traffic on a network or through
a router. For example, a host-based ID system might compile digital signatures
for ``known-good'' executable files and save those digital signatures
in write-once-read-many storage. The ID system then periodically recomputes
the digital signatures and compares them to the stored values. A change
in signature indicates that the file has changed, possibly as the result
of an intrusion, and an alarm is raised. A network-based intrusion detection
system captures packets as they flow across the network, and analyzes
the captured packets to determine if an attack is underway. Interface-Based
Intrusion Detection complements host-based and network-based ID and adds
functionality such as intrusion prevention. IBID will have
access both to local host memory and to the network data stream, giving
it some of the best features of both host and network-based ID systems.
A network-based system can only detect certain attacks, such as protocol
based attacks (e.g., Ping of Death, port scans, or TearDrop attacks);
in contrast, IBID will be able to prevent such attacks by trapping them
before they ever reach the operating system. With host-based ID systems,
IBID shares the desirable property of a purely local defense, allowing
each user or administrator to customize the level of security desired.
We are examining common intrusions and building a rule-based system suitable
for embedding in a secure Network Interface Card. To test our ideas, we
will use dual-processor Pentium boxes, with one processor dedicated to
network I/O and intrusion detection. Data comes into the NIC and is directly
transferred to main memory where either processor may manipulate it. To
test our ideas for IBID, we borrow an idea from the Intel Paragon and similar
machines: the communications co-processor. We will adapt Linux so
that the real NIC, the second processor, and a reserved portion of memory
simulate an intelligent NIC. Data is transferred from the NIC to a reserved
area of memory, where the second processor checks it against its intrusion
detection rules, and then places packets judged to be safe into the portion
of memory available to the first processor. We are discussing collaborations
with researchers at the University of New Mexico and Sandia National Labs,
with the goal being to develop an FPGA-based intelligent NIC based on
the results of this work.
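An added example (not the project's own code) of the kind of rule an IBID filter can apply to raw packets before the operating system sees them: the two fragmentation attacks named above, Ping of Death and Teardrop, checked from the IPv4 header fields alone. The verdict names, the small flow table and the sample packets are constructed for this example; the reassembly rule is deliberately simplified (it assumes fragments arrive in order) and its comment says so.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts a pre-OS filter can return for one packet (names assumed). */
enum verdict { PASS = 0, DROP_MALFORMED = 1, DROP_POD = 2, DROP_TEARDROP = 3 };

/* Fragment view extracted from an IPv4 header. */
struct frag {
    uint32_t src;
    uint16_t id;
    uint32_t offset;   /* byte offset of this fragment's payload in the datagram */
    uint32_t paylen;   /* payload bytes carried by this fragment */
    int      more;     /* MF flag */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the fixed part of an IPv4 header. Returns -1 if it is malformed. */
static int parse_ipv4(const uint8_t *pkt, size_t len, struct frag *f)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t   ihl   = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = be16(pkt + 2);
    if (ihl < 20 || total < ihl || total > len) return -1;
    uint16_t fo = be16(pkt + 6);
    f->src    = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
                ((uint32_t)pkt[14] << 8) | pkt[15];
    f->id     = be16(pkt + 4);
    f->offset = (uint32_t)(fo & 0x1fff) * 8;
    f->paylen = (uint32_t)(total - ihl);
    f->more   = (fo >> 13) & 1;
    return 0;
}

/* Per-datagram reassembly cursor: highest byte end seen so far. A real
 * reassembler tracks holes; this simplified rule requires in-order fragments
 * and flags any fragment that starts before the previous one ended. */
#define MAX_FLOWS 16
struct flow { uint32_t src; uint16_t id; uint32_t end; int used; };
static struct flow flows[MAX_FLOWS];

void reset_flows(void) { memset(flows, 0, sizeof flows); }

static struct flow *lookup(uint32_t src, uint16_t id)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (flows[i].used && flows[i].src == src && flows[i].id == id) return &flows[i];
    for (int i = 0; i < MAX_FLOWS; i++)
        if (!flows[i].used) { flows[i] = (struct flow){ src, id, 0, 1 }; return &flows[i]; }
    return NULL;   /* table full: no history kept (fail-open in this demo) */
}

/* Apply the rules to one raw packet and return a verdict. */
int inspect(const uint8_t *pkt, size_t len)
{
    struct frag f;
    if (parse_ipv4(pkt, len, &f)) return DROP_MALFORMED;
    /* Ping of Death: the reassembled datagram would exceed 65535 bytes. */
    if (f.offset + f.paylen > 65535) return DROP_POD;
    if (f.offset == 0 && !f.more) return PASS;   /* unfragmented: no state needed */
    struct flow *fl = lookup(f.src, f.id);
    if (fl) {
        /* Teardrop: a fragment overlapping data already accounted for. */
        if (f.offset < fl->end) return DROP_TEARDROP;
        fl->end = f.offset + f.paylen;
        if (!f.more) fl->used = 0;   /* last fragment seen: release the slot */
    }
    return PASS;
}

/* Constructed packet builder: 20-byte header plus zeroed payload bytes. */
size_t make_frag(uint8_t *buf, size_t cap, uint16_t id, uint32_t off_bytes, int more, uint16_t paylen)
{
    size_t total = 20 + (size_t)paylen;
    if (total > cap || total > 65535 || off_bytes % 8) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;
    buf[2] = (uint8_t)(total >> 8);  buf[3] = (uint8_t)total;
    buf[4] = (uint8_t)(id >> 8);     buf[5] = (uint8_t)id;
    uint16_t fo = (uint16_t)((more ? 0x2000 : 0) | (off_bytes / 8));
    buf[6] = (uint8_t)(fo >> 8);     buf[7] = (uint8_t)fo;
    buf[8] = 64; buf[9] = 1;         /* TTL, ICMP */
    buf[12] = 10; buf[15] = 7;       /* src 10.0.0.7 */
    return total;
}

/* Three constructed datagrams: a legitimate pair, a Teardrop pair, and a
 * Ping of Death tail fragment. Returns 1 if every verdict is as expected. */
int demo(void)
{
    uint8_t pkt[1600];
    size_t n;
    int v[5];
    reset_flows();
    n = make_frag(pkt, sizeof pkt, 1, 0, 1, 1480);    v[0] = inspect(pkt, n);
    n = make_frag(pkt, sizeof pkt, 1, 1480, 0, 100);  v[1] = inspect(pkt, n);
    n = make_frag(pkt, sizeof pkt, 2, 0, 1, 1480);    v[2] = inspect(pkt, n);
    n = make_frag(pkt, sizeof pkt, 2, 24, 0, 100);    v[3] = inspect(pkt, n);   /* overlaps */
    n = make_frag(pkt, sizeof pkt, 3, 65120, 0, 500); v[4] = inspect(pkt, n);   /* 65620 > 65535 */
    printf("verdicts: %d %d %d %d %d\n", v[0], v[1], v[2], v[3], v[4]);
    return v[0] == PASS && v[1] == PASS && v[2] == PASS &&
           v[3] == DROP_TEARDROP && v[4] == DROP_POD;
}

int main(void) { return demo() ? 0 : 1; }
```

Because the checks need only header fields and a little per-datagram state, they are the sort of rule that fits on a NIC co-processor; the packet is dropped before any kernel reassembly code touches it, which is the prevention property the text claims for IBID.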
Models for Systems Assurance:
Assuring the correctness of systems requires a sound scientific basis
for analyzing the system and for understanding how it behaves subject
to different constraints. For example, computational resiliency requires
dynamic replication with associated resource-allocation strategies and
mechanisms for load balancing and reconfiguration. These systems must
guarantee a variety of safety properties (e.g., integrity of process state
is maintained), liveness properties (e.g., every message is eventually
delivered), security properties (e.g., no rogue process can bring the
system down), and real-time and quality-of-service properties. Assuring
that the resulting system satisfies these properties requires mathematical
models constructed at appropriate levels of abstraction.
At present, we are focusing on building a framework that supports reasoning
about a system's behavior subject to resource constraints and resource-allocation
policies. At the core of this work is the construction of a resource-sensitive,
location-aware calculus based on mobile calculi. These calculi provide
foundations for modeling the behavior of distributed systems in which
processes or threads may migrate, agents may communicate via message passing,
and communication topologies may change dynamically. Such calculi therefore
seem well suited for modeling the mechanisms that underlie computational
resiliency and other mobile-code systems.
Protocol Steganography:
Steganography (``stego'') is the art of hiding information within information.
Classic stego involves embedding a message within an image. The Protocol
Steganography project is investigating the hiding of information within
network protocols, ranging from the physical layer up to application-layer
protocols. We are examining techniques with a variety of detection probabilities
and a range of usability, such as sending messages in the unused bits
in a protocol header or embedding messages in HTML cookies.
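An added example, not the project's code, of a message hidden in an unused header bit: the reserved flag of the IPv4 header, which RFC 791 says must be zero, carries one message bit per packet. The stego_encode and stego_decode names and the constructed headers are assumptions for this example; count_reserved_set is the detector's view and shows why this particular channel has a high detection probability, since conforming traffic never sets that bit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IPv4 header: bit 7 of byte 6 is the reserved flag (must be zero, RFC 791). */
#define IPV4_HLEN 20
#define RSV_FLAG  0x80

/* Constructed 20-byte IPv4 header template with no payload. */
static void make_header(uint8_t *h, uint16_t id)
{
    memset(h, 0, IPV4_HLEN);
    h[0] = 0x45;
    h[3] = IPV4_HLEN;
    h[4] = (uint8_t)(id >> 8); h[5] = (uint8_t)id;
    h[8] = 64; h[9] = 6;                 /* TTL, TCP */
}

/* Encoder: one header per message bit, MSB first, reserved flag set when
 * the bit is 1. Returns headers written, or 0 if max_hdrs is too small. */
size_t stego_encode(const uint8_t *msg, size_t len, uint8_t *hdrs, size_t max_hdrs)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if (n >= max_hdrs) return 0;
            uint8_t *h = hdrs + n * IPV4_HLEN;
            make_header(h, (uint16_t)(0x1000 + n));   /* ordinary-looking IP ID */
            if ((msg[i] >> b) & 1) h[6] |= RSV_FLAG;
            n++;
        }
    return n;
}

/* Decoder: read the reserved flag off each header in order. Returns bytes
 * recovered (complete bytes only). */
size_t stego_decode(const uint8_t *hdrs, size_t nhdrs, uint8_t *out, size_t max_out)
{
    size_t nbytes = nhdrs / 8;
    if (nbytes > max_out) nbytes = max_out;
    for (size_t i = 0; i < nbytes; i++) {
        uint8_t v = 0;
        for (int b = 0; b < 8; b++)
            v = (uint8_t)((v << 1) | ((hdrs[(i * 8 + b) * IPV4_HLEN + 6] & RSV_FLAG) != 0));
        out[i] = v;
    }
    return nbytes;
}

/* Detector view: headers with the reserved flag set. In conforming traffic
 * this count is zero, which is why the channel is cheap to spot. */
size_t count_reserved_set(const uint8_t *hdrs, size_t nhdrs)
{
    size_t c = 0;
    for (size_t i = 0; i < nhdrs; i++)
        if (hdrs[i * IPV4_HLEN + 6] & RSV_FLAG) c++;
    return c;
}

/* Round trip on a constructed two-byte message. Returns the number of
 * headers a detector would flag, or -1 if the round trip failed. */
int demo(void)
{
    const uint8_t msg[2] = { 'h', 'i' };
    uint8_t hdrs[16 * IPV4_HLEN], out[2];
    size_t n   = stego_encode(msg, sizeof msg, hdrs, 16);
    size_t got = stego_decode(hdrs, n, out, sizeof out);
    if (n != 16 || got != 2 || memcmp(out, msg, 2) != 0) return -1;
    int flagged = (int)count_reserved_set(hdrs, n);
    printf("%zu headers carry 2 bytes; %d have the reserved flag set\n", n, flagged);
    return flagged;   /* 'h' = 0x68 and 'i' = 0x69 contain 7 one-bits in total */
}

int main(void) { return demo() == 7 ? 0 : 1; }
```

A channel in a field that legitimately varies (the identification field, say) would survive the same detector, at the cost of displacing values the receiver's reassembly logic may depend on; that trade between capacity, usability and detection probability is what the project description refers to.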
System Auditing and Penetration Testing:
We have a variety of ongoing activities helping students learn how to
evaluate the security of a device or system. In the past, we have done
a ``red team'' analysis of a network monitoring system, and are currently
evaluating a suite of Personal Digital Assistants for security flaws (including
those running Linux, Windows PocketPC, and PalmOS).
Trusted Time: