In Helix, anomaly and intrusion detectors are sensors that can trigger the innate and adaptive response. For example, automated repair relies on such detectors. A current area of research is to determine whether we can design automated repair techniques that are resilient to false positives signals originating from these detectors. 

Related Publications

• The Evolution of System-Call Monitoring. This paper reviews system-call monitoring and its application to anomaly intrusion detection and response.

Once a vulnerability has been detected the system must be able to repair the application so it cannot be exploited. This involves changing the program so that it becomes immune to that attack and possibly to similar attacks as well. As a simple example, a program with a buffer-overflow vulnerability might be changed to limit the number of characters read. Repairing a program is different from using diversity to protect it; the latter might only change a code injection attack that exploits the vulnerability into a detectable crash. Repairing a program is also different from generating a signature; the latter might only filter out any network packet that appears to be exploiting the vulnerability. We will use information and capabilities from the AIR, Strata, and our signature generation analyses towards the goal of repairing programs to remove underlying vulnerabilities.

Traditionally programs are repaired by presenting a description of the problem to the software vendor, waiting for a patch to be released, shutting down the program, installing the patch, and restarting the program. This process is too slow for critical, enterprise software and untenable in situations where restarting the program is not an option. In Helix, we will fix certain classes of problems automatically by transforming programs. Most program transformations, such as compiler optimizations or the low-level diversity transformations performed by Strata, are designed to preserve the original program semantics. A successful repair is adaptive and necessarily changes the program's behavior, especially with respect to the vulnerability. However, it is also critically important that a repair not interfere with other aspects of a program's behavior.

Related Publications

• A Genetic Programming Approach to Automated Software Repair
• Automatically Finding Patches Using Genetic Programming
• Using Execution Paths to Evolve Software Patches
• Automatic Documentation Inference for Exceptions
• A Metric for Software Readability
• Modeling Bug Report Quality

The Web browser is evolving into a mini-OS. With the popularity of AJAX applications and Web mashups, Web applications began to store persistent data in the browsers. This introduces the vulnerability where a malicious Web application may harm another application by sabotaging its persistent data in the browser, even if the two applications do not run at the same time.

Based on our experience in automatic state regeneration for file systems, we are building a recovery mechanism for persistent data in browsers. Our goal is to allow the Web user to try arbitrary, potentially malicious Web applications freely, and to be able to recover from the damages of the malicious ones reliably and automatically. Compared to file system recovery, we are studying a unique challenge for Web application recovery, as we must ensure that the recovered persistent data in the browser synchronize with the data on their servers.

This project extends the Automatic State Regeneration component of Helix for Web applications.

Current artificial diversity techniques focus primarily on low-level components of computer systems such as instruction sets and memory layouts. Low-level diversity techniques can thwart most memory corruption and code injection attacks, including those exploiting buffer overflows. It is crucial to protect this layer first, as higher-level processes rely on the run-time environment to be secure. However, there are limits to what can be achieved by low-level diversity techniques. In particular, they provide no defense against attacks that exploit higher-level properties of application not altered by low-level transformations.

We will investigate novel diversity techniques for thwarting high-level attacks, e.g., attacks against protocols, algorithms, and databases. Sophisticated attackers may be able to observe the results of attack attempts to learn enough to craft attacks targeted to a diversified system. We propose to develop a metamorphic shield to thwart these adaptive attacks. In particular we will explore combinatorial diversity and dynamic diversity to present attackers with an ever shifting attack surface. The former refers to the composition of different diversity techniques to produce a large number of variants. The latter refers to the ability of generating variants at run-time, even while the program is executing. Their combination will provide a bounded window of time in which attackers can learn or infer information about an application. Not only does this improve the effectiveness of existing diversity techniques, it enables low-entropy diversity techniques that can transform high-level properties in a small (but dynamically changing) number of ways.

Related Publications

• Security through Diversity: Leveraging Virtual Machine Technology