Award Abstract # 1525992
TWC: Small: Collaborative: EVADE: Evidence-Assisted Detection and Elimination of Security Vulnerabilities

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: GEORGE WASHINGTON UNIVERSITY (THE)
Initial Amendment Date: August 12, 2015
Latest Amendment Date: May 3, 2016
Award Number: 1525992
Award Instrument: Standard Grant
Program Manager: Sol Greenspan
sgreensp@nsf.gov
(703)292-7841
CNS: Division Of Computer and Network Systems
CSE: Directorate for Computer and Information Science and Engineering
Start Date: September 1, 2015
End Date: August 31, 2019 (Estimated)
Total Intended Award Amount: $250,000.00
Total Awarded Amount to Date: $266,000.00
Funds Obligated to Date: FY 2015 = $250,000.00
FY 2016 = $16,000.00
History of Investigator:
  • Timothy Wood (Principal Investigator)
    timwood@gwu.edu
Recipient Sponsored Research Office: George Washington University
1918 F ST NW
WASHINGTON
DC  US  20052-0042
(202)994-0728
Sponsor Congressional District: 00
Primary Place of Performance: George Washington University
2121 Eye Street NW
Washington
DC  US  20052-0058
Primary Place of Performance Congressional District: 00
Unique Entity Identifier (UEI): ECR5E2LU5BL6
Parent UEI:
NSF Program(s): Special Projects - CNS, Secure & Trustworthy Cyberspace
Primary Program Source: 01001516DB NSF RESEARCH & RELATED ACTIVIT
01001617DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434, 7923, 9178, 9251
Program Element Code(s): 171400, 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Today's software remains vulnerable to attack. Despite decades of advances in areas ranging from testing to static analysis and verification, all large real-world software is deployed with errors. Because this software is either written in or underpinned by unsafe languages, errors often translate to security vulnerabilities. Although techniques exist that could prevent or limit the risk of exploits, high performance overhead blocks their adoption, leaving today's systems open to attack. To address these problems, we propose a new approach: evidence-assisted detection and elimination of security vulnerabilities (EVADE). EVADE will prevent security vulnerabilities from compromising a system. The challenge, and the goal, is to make it efficient in time and space, and to make it practical for deployment. EVADE will produce detailed reports for developers to reduce the time and effort required to fix their applications. By blocking a wide range of attacks and automatically pinpointing vulnerabilities, EVADE will dramatically increase the security of application software running on servers and desktop platforms, and it will enable a new class of post-attack security analyses.

The technical approach is a novel one that spans the traditional research boundaries of runtime systems, operating systems, and virtual machines. EVADE will run unmodified applications in a coordinated framework that performs selective forensic analysis before any output is committed, blocking exploits from compromising their host and making it possible to pinpoint errors with low overhead. The EVADE runtime system will place lightweight tripwires at random locations in memory that can be quickly validated to detect malicious behavior. Within an application, these take the form of signatures placed on the stack and in the heap, while at the hypervisor level they may protect the system call table or other crucial data structures. The EVADE VM will divide execution into incrementally checkpointed epochs. At each epoch boundary, before any system state is committed, the EVADE virtual machine will indicate to the EVADE runtime system which pages have been modified, letting it perform checks to identify vulnerabilities. EVADE will thus dramatically increase the security of vulnerable applications with extremely low runtime overhead, and will assist developers in locating vulnerabilities when an exploit does occur.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Zhen Ni, Guyue Liu, Dennis Afanasev, Timothy Wood, Jinho Hwang. "Advancing Network Function Virtualization Platforms with Programmable NICs." IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN), 2019. DOI: 10.1109/LANMAN.2019.8847032
S. Rajasekaran, H. Chawla, Z. Ni, N. Shah, E. Berger, T. Wood. "CRIMES: Using Evidence to Secure the Cloud." ACM/IFIP/USENIX Middleware Conference, 2018.
Sundaresan Rajasekaran, Zhen Ni, Harpreet Singh Chawla, Neel Shah, Timothy Wood, Emery Berger. "Scalable Cloud Security via Asynchronous Virtual Machine Introspection." USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 16), 2016.
Wei Zhang, Abhigyan Sharma, Kaustubh Joshi, Timothy Wood. "Hardware-assisted Isolation in a Multi-tenant Function-based Dataplane." Symposium on SDN Research (SOSR), 2018. DOI: 10.1145/3185467.3185493

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Software will always be vulnerable to attacks. Despite decades of advances in areas ranging from testing to static analysis and verification, all large real-world software is deployed with errors. Because this software is either written in or underpinned by unsafe languages, errors often translate to security vulnerabilities. Although techniques exist that could prevent or limit the risk of exploits, high performance overhead blocks their adoption, leaving today's systems open to attack.

This project investigated evidence-assisted detection and elimination of security vulnerabilities. Our goals were to (1) prevent security vulnerabilities from compromising a system by detecting evidence of attacks, (2) be efficient in time and space, making the techniques practical for deployment, (3) produce detailed reports for developers to reduce the time and effort required to fix their applications, and (4) provide strong protection without requiring substantial application changes.

In DoubleTake, we developed the first tool for evidence-based dynamic analysis, an approach that enables a range of dynamic analyses (including detection of buffer overflows, use-after-free errors, and memory leaks) while imposing minimal overhead (under 5%), making it practical for the first time to perform these analyses in deployed settings on unmodified applications. The key insight of evidence-based dynamic analysis is that for many types of errors, it is possible to ensure that evidence that they happened at some point in the past remains for later detection. Evidence-based dynamic analysis allows execution to proceed at nearly full speed until the end of an epoch (e.g., a heavyweight system call). It then examines program state to check for evidence that an error occurred at some time during that epoch. If so, it rolls back execution and re-executes the code with instrumentation activated to pinpoint the error. Our approach was published at ICSE 2016.
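The heap "tripwire" idea from the abstract and the epoch-boundary evidence check described above, as an added illustration that is not DoubleTake's or EVADE's code: each allocation is followed by a random canary, nothing is checked inside the epoch, and a single scan at the boundary reports whether an overflow happened earlier. The allocator bookkeeping, the function names and the use of `rand()` for the signature are constructed for the demo.

```c
/* Added example, not DoubleTake's code. Constructed demo; rand() stands in for a real RNG. */
#include <stdlib.h>
#include <string.h>

#define CANARY_LEN 8
#define MAX_ALLOCS 64

typedef struct { unsigned char *base; size_t len; } tracked_t;
static tracked_t allocs[MAX_ALLOCS];
static size_t nallocs;
static unsigned char canary[CANARY_LEN];  /* per-run signature, unknown to the attacker */

/* Pick the signature once; it is random so an overflow that leaves no evidence is unlikely. */
void evade_init(unsigned seed) {
    srand(seed);
    for (size_t i = 0; i < CANARY_LEN; i++) canary[i] = (unsigned char)rand();
    nallocs = 0;
}

/* len usable bytes followed by a canary; no per-access checks inside the epoch. */
void *evade_malloc(size_t len) {
    if (nallocs == MAX_ALLOCS) return NULL;
    unsigned char *base = malloc(len + CANARY_LEN);
    if (!base) return NULL;
    memcpy(base + len, canary, CANARY_LEN);
    allocs[nallocs].base = base; allocs[nallocs].len = len; nallocs++;
    return base;
}

/* Epoch boundary (e.g. before a heavyweight system call): scan every canary. Returns
 * the index of the first one overwritten (evidence of an overflow earlier in the epoch)
 * or -1. DoubleTake would then roll back and re-execute with instrumentation to pinpoint it. */
int evade_epoch_check(void) {
    for (size_t i = 0; i < nallocs; i++)
        if (memcmp(allocs[i].base + allocs[i].len, canary, CANARY_LEN) != 0)
            return (int)i;
    return -1;
}

void evade_free_all(void) { for (size_t i = 0; i < nallocs; i++) free(allocs[i].base); nallocs = 0; }
/* Constructed epoch: one in-bounds write, optionally a 4-byte overrun of b. */
int demo(int overflow) {
    evade_init(42);
    char *a = evade_malloc(16), *b = evade_malloc(16);
    memcpy(a, "in bounds", 10);
    if (overflow) memset(b, 'X', 20);   /* runs 4 bytes past b into its canary */
    int evidence = evade_epoch_check();
    evade_free_all();
    return evidence;                    /* -1 when clean, 1 when b's canary is hit */
}
```

The same scan works for stack signatures or for hypervisor-protected structures such as the system call table; only where the signatures live and who performs the boundary check change.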

Our CRIMES project applied the concept of evidence-based analysis to entire virtual machines (VMs). By optimizing the virtual machine memory checkpointing system, CRIMES can take snapshots of a virtual machine's state tens of times per second. The checkpoint is then analyzed using VM introspection techniques to detect evidence of an attack, efficiently targeting the changed memory pages for threat analysis while retaining the context of the full system. CRIMES uses the popular Volatility memory forensics tool for its analysis, transforming it from an offline tool into an automated live security scanning system. After an attack happens, CRIMES automates forensic analysis to facilitate security investigation and exploit patching. Our work on CRIMES was published at Middleware 2018.

Finally, we have sought ways to provide similar security properties for network middleboxes. Middleboxes provide in-network services such as caching proxies and intrusion detection systems, and must operate at speeds of 10Gbps and beyond. Such speeds are generally achieved with kernel bypass and shared-memory-based I/O; however, these techniques improve performance at the expense of isolation. For example, an OpenSSL-based proxy with the Heartbleed bug could be exploited to observe all network traffic from other middleboxes running on the same server, because of the shared packet memory pools. We proposed two techniques to resolve this. First, we used the new Intel MPX CPU features to detect invalid memory accesses in a multi-tenant middlebox framework. As the standard MPX approach incurs too high a cost for middleboxes, in FastPaaS (published at SOSR 2018) we developed a coarse-grained memory protection scheme that doubles throughput while still meeting the required security guarantees. Second, we leveraged new "smart NIC" hardware to programmatically demultiplex incoming packets before they are loaded onto the host. This approach offloads sensitive work to the hardware, reducing the trusted computing base and improving performance by eliminating the need to copy packets with the CPU. Our results, published at LANMAN 2019, showed that employing a programmable network card can double throughput. Thus, our approach substantially improves performance while offering better security properties than existing techniques.

Together, these projects have provided novel techniques for detecting and responding to memory-based attacks. In the past, stronger security has often come at the expense of higher performance overheads. Our work has shown that this trade-off is not a necessity and that security services can be seamlessly applied to applications, virtual machines, and network middleboxes without requiring source code modifications.

Last Modified: 09/30/2019
Modified by: Timothy Wood