Award Abstract # 1408880
TWC: Medium: Collaborative: Retrofitting Software for Defense-in-Depth

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: THE PENNSYLVANIA STATE UNIVERSITY
Initial Amendment Date: August 20, 2014
Latest Amendment Date: August 20, 2014
Award Number: 1408880
Award Instrument: Standard Grant
Program Manager: Sol Greenspan
sgreensp@nsf.gov
 (703)292-7841
CNS
 Division Of Computer and Network Systems
CSE
 Directorate for Computer and Information Science and Engineering
Start Date: September 1, 2014
End Date: August 31, 2019 (Estimated)
Total Intended Award Amount: $300,000.00
Total Awarded Amount to Date: $300,000.00
Funds Obligated to Date: FY 2014 = $300,000.00
History of Investigator:
  • Trent Jaeger (Principal Investigator)
Recipient Sponsored Research Office: Pennsylvania State Univ University Park
201 OLD MAIN
UNIVERSITY PARK
PA  US  16802-1503
(814)865-1372
Sponsor Congressional District: 15
Primary Place of Performance: Pennsylvania State Univ University Park
346A IST Bldg
University Park
PA  US  16802-7000
Primary Place of Performance
Congressional District:
Unique Entity Identifier (UEI): NPM2J7MSCF61
Parent UEI:
NSF Program(s): Secure &Trustworthy Cyberspace
Primary Program Source: 01001415DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434, 7924
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

The computer security community has long advocated the concept of building multiple layers of defense to protect a system. Unfortunately, it has been difficult to realize this vision in the practice of software development, and software often ships with inadequate defenses, typically developed in an ad hoc fashion.

Developers face a number of challenges when protecting a software system with multiple layers of defense. They lack holistic frameworks in which to express policies and mechanisms for different software layers, automated tools to add these defenses, and tools to prove that software enhanced with defenses has an advertised level of assurance.

This project develops new techniques to retrofit software for defense in depth. It takes a comprehensive view of the problem, with an emphasis on automated, interactive tools that developers can use to identify site-level security goals, explore the design space of adding security mechanisms, and retrofit legacy code to enforce security policies in a manner that can be machine-verified for assurance. The project develops theory and tools for formal policy language design and validation, static and dynamic code analyses, interactive tools for developers to explore the design space of security, functionality and performance tradeoffs, and methods to formally verify the correctness of program transformations to introduce defenses such as authorization, attacker containment, and auditing mechanisms.

The broader impact stems from the improved security of systems and the reduced cost of achieving it, and from education activities in the form of summer schools for graduate, undergraduate and high-school students. The tools developed will be released to the public domain, benefiting software developers in the field.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

(Showing: 1 - 10 of 11)
Adam Bates, Dave (Jing) Tian, Grant Hernandez, Kevin Butler, Trent Jaeger, and Thomas Moyer "Taming the Costs of Trustworthy Provenance through Policy Reduction" ACM Transactions on Internet Technology , v.17 , 2017 , p.Article 3 10.1145/3062180
Archer Batcheller, Summer Craze Fowler, Robert Cunningham, Dinara Doyle, Trent Jaeger, and Ulf Lindqvist "Building on the Success of Building Security In" IEEE Security & Privacy , v.15 , 2017 , p.85 10.1109/MSP.2017.3151336
Divya Muthukumaran, Nirupama Talele, Trent Jaeger, Gang Tan "Producing Hook Placements to Enforce Expected Access Control Policies" 2015 International Symposium on Engineering Secure Software and Systems (ESSoS) , 2015
Frank Capobianco, Christian Skalka, Trent Jaeger "AccessProv: Tracking the Provenance of Access Control Decisions" 9th International Workshop on Theory and Practice of Provenance (TaPP) , 2017
Giuseppe Petracca, Frank Capobianco, Christian Skalka, Trent Jaeger "On Risk in Access Control Enforcement" 22nd ACM Symposium on Access Control Models and Technologies (SACMAT) , 2017
Le Guan, Peng Liu, Xinyu Xing, Xinyang Ge, Shengzhi Zhang, Meng Yu, and Trent Jaeger "Building a Trustworthy Execution Environment to Defeat Exploits from both Cyber Space and Physical Space for ARM" IEEE Transactions on Dependable and Secure Computing (IEEE TDSC) , v.16 , 2019 , p.438 10.1109/TDSC.2018.2861756
Le Guan, Peng Liu, Xinyu Xing, Xinyang Ge, Shengzhi Zhang, Meng Yu, Trent Jaeger "TrustShadow: Secure Execution of Unmodified Applications with ARM TrustZone" 15th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys) , 2017
Stephen Chong, Christian Skalka, and Jeffrey A. Vaughan "Self-Identifying Data for Fair Use" ACM Journal of Data and Information Quality , v.5 , 2014 , p.Article 1 10.1145/2687422
Xinyang Ge, Mathias Payer, Trent Jaeger "An Evil Copy: How the Loader Betrays You" 2017 Network and Distributed System Security Symposium (NDSS) , 2017
Xinyang Ge, Nirupama Talele, Mathias Payer, Trent Jaeger "Fine-Grained Control-Flow Integrity for Kernel Software." 1st European Symposium on Security and Privacy (IEEE EuroS&P) , 2016
Xinyang Ge, Weidong Cui, Trent Jaeger "GRIFFIN: Guarding Control Flows Using Intel Processor Trace" 22nd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) , 2017

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

In this project, we developed methods that programmers can use to retrofit their programs with security controls for containment, authorization, and auditing to satisfy explicit security goals.  This project has included major activities on automating key tasks in retrofitting programs via privilege separation for containment, retrofitting programs with authorization hook placements to enforce desired policies, retrofitting programs automatically with auditing code, and retrofitting programs to enforce finer-grained control-flow integrity policies.  Through this research, we have also explored methods to unify defenses to improve overall security, developed open-source mechanisms to enforce security that have been widely used, and discovered and fixed flaws in commercial systems.  Many of our results have been published in top conferences in computer security and related domains.

The main objectives met during the project include the following. First, we developed new methods to automate key challenges in privilege separating programs to enable confinement, by handling general pointers (PtrSplit, ACM CCS 2017) and by balancing performance and security (PrograMander, ACM CCS 2019).  Second, we developed new methods to automate retrofitting of programs with authorization hooks to minimize a hook placement necessary to enforce any access control policy that satisfied prescribed constraints (ESSoS 2015) and to provide a security namespace abstraction for Linux container systems (USENIX Security 2018).  Third, we developed foundational theories for auditing based on information algebra, which combines elements of both access control and auditing to enable a uniform method to express break-the-glass policies (POST 2016), and developed new methods to retrofit programs for authorization by leveraging dynamic taint analysis (PLAS 2016).  Fourth, we invented a technique to compute control-flow integrity policies statically that is finer-grained than prior techniques and could be implemented more efficiently (IEEE Euro S&P 2016) and adapted a recent Intel PT hardware feature to enforce control-flow integrity without program modification (ASPLOS 2017).  In the course of this CFI work, we discovered a latent flaw in Linux compiler toolchains that allows extensive modification of various types of read-only data and proposed detailed countermeasures (NDSS 2017).

The key outcomes of this project include the novel techniques (described above), new open-source systems, repairs and extensions for the Linux kernel, and several student theses. The methods for privilege separation and Linux kernel support for efficient use of the Intel PT hardware (Linux Griffin) feature have been open sourced. The privilege separation work has led to two collaborations, one on the DARPA GAPS program, and the Linux Griffin kernel has been used by several research groups. Through our efforts, the Linux compiler toolchain flaw we discovered has been fixed in both GCC and LLVM toolchains, and the Linux security namespace is under consideration for upstreaming into the mainline kernel. This project has resulted in five theses, including three Ph.D. theses (one to be held in January 2020) and two M.S. theses. The project was inspired by the Ph.D. thesis of a female student, and one of the M.S. theses was completed by a female student. The materials developed in this project were applied to the creation of a new Software Security course at Penn State, which is a key component of the new Cybersecurity Foundations minor.
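The fine-grained control-flow integrity work the outcomes report refers to (IEEE Euro S&P 2016, ASPLOS 2017) restricts each indirect call site to its own statically computed set of targets, rather than one program-wide set. The C program below is an added illustration of that distinction; it is not code from this project or from its publications. The allowed-target table is written by hand where the project's static analysis would compute it, the check is a plain function where a compiler pass (or, as in GRIFFIN, a hardware trace) would supply it, and the names cfi_site, cfi_check, dispatch_checked and the three scenario functions are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of a fine-grained CFI check on one indirect call site.
 * The site carries its own allowed-target set; here the set is written by
 * hand where a static analysis would compute it. */

typedef int (*handler_fn)(int);

/* Legitimate targets of the dispatch site. */
static int handle_add(int x)    { return x + 1; }
static int handle_double(int x) { return x * 2; }

/* Same signature, but never a valid target of this site: a coarse-grained,
 * signature-only policy would still let a hijacked call reach it. */
static int privileged_reset(int x) { (void)x; return -1; }

/* Different signature: an illegal target under any CFI policy. */
static void log_msg(const char *m) { fputs(m, stderr); }

typedef void (*cfi_target)(void);   /* generic code address */

/* One entry per instrumented call site (assumed name: cfi_site). */
struct cfi_site {
    const char *name;
    const cfi_target *targets;
    size_t count;
};

/* Hand-written stand-in for the statically computed target set. */
static const cfi_target dispatch_targets[] = {
    (cfi_target)handle_add,
    (cfi_target)handle_double,
};

static const struct cfi_site dispatch_site = {
    "dispatch", dispatch_targets,
    sizeof dispatch_targets / sizeof dispatch_targets[0]
};

/* Runtime check inserted before the indirect call: is the target in the
 * set computed for this particular site? */
static bool cfi_check(const struct cfi_site *site, cfi_target target) {
    for (size_t i = 0; i < site->count; i++)
        if (site->targets[i] == target) return true;
    return false;
}

/* The instrumented call site. Returns the handler's result, or sets
 * *violated and returns 0 when the target is outside the site's set. */
static int dispatch_checked(handler_fn fn, int arg, bool *violated) {
    if (!cfi_check(&dispatch_site, (cfi_target)fn)) {
        *violated = true;
        fprintf(stderr, "CFI violation at site %s\n", dispatch_site.name);
        return 0;
    }
    *violated = false;
    return fn(arg);
}

/* Constructed scenario 1: a legitimate call goes through unchanged. */
static int legitimate_call(void) {
    bool violated;
    return dispatch_checked(handle_add, 1, &violated);
}

/* Constructed scenario 2: the function pointer sits in memory an attacker
 * can overwrite (memcpy stands in for an overflow). The new value names a
 * real, signature-compatible function, so only a per-site set catches it. */
static bool hijack_blocked(void) {
    handler_fn fn = handle_add;
    handler_fn evil = privileged_reset;
    memcpy(&fn, &evil, sizeof fn);      /* attacker-controlled write */
    bool violated = false;
    dispatch_checked(fn, 1, &violated);
    return violated;
}

/* Constructed scenario 3: a target whose signature does not even match. */
static bool wrong_signature_blocked(void) {
    return !cfi_check(&dispatch_site, (cfi_target)log_msg);
}

int main(void) {
    printf("legitimate call -> %d\n", legitimate_call());
    printf("hijack blocked -> %s\n", hijack_blocked() ? "yes" : "no");
    printf("wrong signature blocked -> %s\n",
           wrong_signature_blocked() ? "yes" : "no");
    return 0;
}
```

The point of scenario 2 is the one the report draws: privileged_reset has exactly the type the call site expects, so a policy that only matches function signatures (or any policy with a single global target set) would accept the hijacked pointer, while a per-site set computed from the program's actual call graph rejects it.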

Last Modified: 11/26/2019
Modified by: Trent Jaeger
