|
Our research goals are two-fold. First create algorithms that maintain connectivity and small diameter in a distributed network even when the network is under attack. Second, to create algorithms that will allow a network to collate inputs from many sensor nodes and disseminate an alarm only when a certain threshold of those sensors are alarmed. We propose to accomplish both of these tasks without using any centralized point of control, and to design algorithms that are provably robust to repeated adversarial attack. Our approach will use several mathematical tools from graph theory, probability, and algorithmic game theory. The part our results will play in the Helix architecture will be to allow for distributed detection of attack and adaptive response to attack. Related Publications
|
|
|
Automatic State Regeneration |
 |
 |
 |
|
The Web browser is evolving into a mini-OS. With the popularity of AJAX applications and Web mashups, Web applications began to store persistent data in the browsers. This introduces the vulnerability where a malicious Web application may harm another application by sabotaging its persistent data in the browser, even if the two applications do not run at the same time.
Based on our experience in automatic state regeneration for file systems, we are building a recovery mechanism for persistent data in browsers. Our goal is to allow the Web user to try arbitrary, potentially malicious Web applications freely, and to be able to recover from the damages of the malicious ones reliably and automatically. Compared to file system recovery, we are studying a unique challenge for Web application recovery, as we must ensure that the recovered persistent data in the browser synchronize with the data on their servers.
This project extends the Automatic State Regeneration component of Helix for Web applications. |
|
Current artificial diversity techniques focus primarily on low-level components of computer systems such as instruction sets and memory layouts. Low-level diversity techniques can thwart most memory corruption and code injection attacks, including those exploiting buffer overflows. It is crucial to protect this layer first, as higher-level processes rely on the run-time environment to be secure. However, there are limits to what can be achieved by low-level diversity techniques. In particular, they provide no defense against attacks that exploit higher-level properties of application not altered by low-level transformations.
We will investigate novel diversity techniques for thwarting high-level attacks, e.g., attacks against protocols, algorithms, and databases. Sophisticated attackers may be able to observe the results of attack attempts to learn enough to craft attacks targeted to a diversified system. We propose to develop a metamorphic shield to thwart these adaptive attacks. In particular we will explore combinatorial diversity and dynamic diversity to present attackers with an ever shifting attack surface. The former refers to the composition of different diversity techniques to produce a large number of variants. The latter refers to the ability of generating variants at run-time, even while the program is executing. Their combination will provide a bounded window of time in which attackers can learn or infer information about an application. Not only does this improve the effectiveness of existing diversity techniques, it enables low-entropy diversity techniques that can transform high-level properties in a small (but dynamically changing) number of ways. |
|
Helix Application Information Repository |
|
|
|
|
Much of the power of the Helix system derives from its unique Application Information Repository (AIR), a comprehensive and pervasive repository holding information gathered and used during all phases of application construction and operation. An application running in Helix is treated in a holistic way, with information being shared across development, deployment, execution, and response phases in ways that are not possible with traditional architectures. We envision a novel restructuring of the standard program development and execution tool chain. Instead of viewing the tool chain as just a series of steps to transform an application from source code to executable form, we take a more comprehensive view in which program metadata can be deposited in the Application Information Repository (AIR), and subsequently manipulated and enhanced at all phases of a program’s lifecycle, to enable the development of novel and accurate self-regeneration algorithms. |
|
Removal of Vulnerabilities |
|
|
|
|
Once a vulnerability has been detected the system must be able to repair the application so it cannot be exploited. This involves changing the program so that it becomes immune to that attack and possibly to similar attacks as well. As a simple example, a program with a buffer-overflow vulnerability might be changed to limit the number of characters read. Repairing a program is different from using diversity to protect it; the latter might only change a code injection attack that exploits the vulnerability into a detectable crash. Repairing a program is also different from generating a signature; the latter might only filter out any network packet that appears to be exploiting the vulnerability. We will use information and capabilities from the AIR, Strata, and our signature generation analyses towards the goal of repairing programs to remove underlying vulnerabilities.
Traditionally programs are repaired by presenting a description of the problem to the software vendor, waiting for a patch to be released, shutting down the program, installing the patch, and restarting the program. This process is too slow for critical, enterprise software and untenable in situations where restarting the program is not an option. In Helix, we will fix certain classes of problems automatically by transforming programs. Most program transformations, such as compiler optimizations or the low-level diversity transformations performed by Strata, are designed to preserve the original program semantics. A successful repair is adaptive and necessarily changes the program’s behavior, especially with respect to the vulnerability. However, it is also critically important that a repair not interfere with other aspects of a program’s behavior. Related Publications
|
|
|
|
|
|
|
Page 1 of 2 |
Research