
NSF Org: | CNS Division Of Computer and Network Systems |
Recipient: | |
Initial Amendment Date: | April 30, 2018 |
Latest Amendment Date: | August 6, 2019 |
Award Number: | 1834216 |
Award Instrument: | Continuing Grant |
Program Manager: | Karen Karavanic, kkaravan@nsf.gov, (703)292-2594, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | January 1, 2018 |
End Date: | August 31, 2022 (Estimated) |
Total Intended Award Amount: | $393,440.00 |
Total Awarded Amount to Date: | $400,000.00 |
Funds Obligated to Date: | FY 2019 = $138,942.00 |
History of Investigator: | |
Recipient Sponsored Research Office: | 1960 KENNY RD COLUMBUS OH US 43210-1016 (614)688-8735 |
Sponsor Congressional District: | |
Primary Place of Performance: | 2036 Neil Avenue Columbus OH US 43210-1226 |
Primary Place of Performance Congressional District: | |
Unique Entity Identifier (UEI): | |
Parent UEI: | |
NSF Program(s): | Information Technology Researc, Special Projects - CNS |
Primary Program Source: | 01001920DB NSF RESEARCH & RELATED ACTIVIT |
Program Reference Code(s): | |
Program Element Code(s): | |
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Traditionally, many of our critical systems have been developed with security as a reactive add-on rather than as a default part of the design. As a result, existing security mechanisms are often fragmented and hard to configure or verify, which makes it difficult to defend against a range of cyber attacks. This project will build the "holy grail" for enterprise/cloud/data-center security management with software-defined infrastructure (SDI): a unified framework for the security and management of disparate resources, ranging from processes to storage to networking. Cloud computing is now an essential part of our national cyberinfrastructure; the proposed work will lower the total cost of ownership for clouds, further unlocking economic and environmental benefits, while also improving the security of today's clouds.
This project proposes S2OS (SDI-defined Security Operating System), which abstracts security capabilities and primitives at both the host operating system (OS) and network levels and offers an easy-to-use, programmable security model for monitoring and dynamically securing applications. The project will explore new techniques to transparently compose software into a unified enterprise, even if the individual pieces were never explicitly designed to interoperate, much as a traditional operating system manages diverse hardware resources on behalf of upper-layer user applications. Further, the project will contribute new ways to leverage global information when making local security management decisions. Finally, the project will enable new innovations in programming dynamic, host-network coordinated, and intelligent security applications that protect the entire infrastructure.
This project will make significant contributions to how enterprises, data centers and clouds are securely built and managed. The project's PIs will engage in educational and outreach activities to train the next generation of talent. In particular, the PIs plan to integrate the interdisciplinary research ideas into courses spanning networking, systems and security. The project will also actively encourage participation from underrepresented groups and transfer technology to industry partners.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
The goal of this project was to study the unified abstractions and management of software security at data-center scale. We prototyped and evaluated S2OS, a security OS for managing software-defined infrastructure. S2OS contributes techniques for virtualizing hardware and software, including components that predate S2OS, such as trusted execution environment (TEE) hardware. This project demonstrates the potential for leveraging global information, such as using machine learning on network data to identify and defend against malware. This project has also contributed additional system management and security data, tools, and techniques.
Intellectual Merit: One set of contributions from this project is in the area of techniques to virtualize, or abstract and integrate, hardware and software that is not designed for software-defined security management. Examples include vSGX, a virtualized environment for running code designed for Intel's SGX on AMD's SEV (both are trusted execution environments, with different requirements and restrictions), facilitating more flexible code deployments. Similarly, the project has contributed techniques for refactoring code to deploy in a TEE, and has demonstrated that, unlike CPU hardware, the most efficient layer for virtualizing accelerators, such as GPUs, is at the software API level.
A second set of contributions from the project comes from studying how to program management software across these hardware and software resources in a data center. For instance, the Toccoa sub-project supports programmable network packet analysis at the rate of tens of millions of packets per second, while also scaling out to more nodes linearly. Similarly, the SysFlow sub-project is a programming framework for modeling and controlling software activities across the entire infrastructure, providing a data-center-scale data plane and control plane separation.
Finally, S2OS contributes novel security defense and mitigation techniques that are only possible with data collected, analyzed, and applied at scale. For instance, the IMap sub-project shows how to implement network-level defenses that leverage data collected at scale, yet are deployed in individual switches. The xNIDS sub-project further applies machine learning to characterize network traffic, troubleshoot issues, and automatically generate defenses. Similarly, our study of ransomware defense shows that network-level monitoring for a command-and-control channel can be more effective than tracking file access behavior on a single system. Other examples of novel security management applications enabled by S2OS include 1) risk-aware micro-segmentation for micro-services, which confines file accesses within a container's scope and isolates potentially compromised containers from one another; 2) fine-grained and context-aware access control (FCAC) in web applications, which offers context-aware, fine-grained access control within web servers; and 3) virtual patching, a security policy enforcement layer that prevents the exploitation of a known vulnerability in a timely manner, even if a patch is not yet available.
Broader Impacts: Data-center-scale computing is rapidly becoming the norm for modern computing, yet security and administrative tools are struggling to scale up from a single machine to a rack or data center. The S2OS project shows how to leverage and extend software-defined infrastructure to build security management solutions at scale. The project has supported the training and research of seventeen students. Key software components of S2OS have been released as open source.
Last Modified: 10/21/2022
Modified by: Zhiqiang Lin
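The ransomware-defense observation in the outcomes report above (that watching the network for a command-and-control channel can be more effective than tracking file access on one host) is the kind of check that runs over flow records rather than per-host file events. The following beacon detector is an added example written for this page; it is not S2OS code and not the method the project evaluated. The flow records, the thresholds and the function name `find_beacons` are all constructed for illustration.

```python
"""Periodic-beacon heuristic over network flow records.

Illustrative example added to this page; it is not the S2OS project's
ransomware-defense implementation.  The flow records below are constructed
sample data, not captured traffic."""
from collections import defaultdict
from statistics import pstdev

# Constructed flow records: (epoch seconds, source IP, destination IP:port).
SAMPLE_FLOWS = [
    # host A reaches the same endpoint every ~60 s with only a few seconds of jitter
    *[(1000 + 60 * i + (i % 3), "10.0.0.5", "203.0.113.9:443") for i in range(12)],
    # host B browses: bursty, irregular gaps to a CDN endpoint
    *[(1000 + t, "10.0.0.7", "198.51.100.2:443")
      for t in (0, 1, 2, 40, 41, 300, 301, 302, 900, 905, 910, 1400)],
    # host C: too few connections to judge either way
    (1000, "10.0.0.9", "192.0.2.4:8080"),
    (1065, "10.0.0.9", "192.0.2.4:8080"),
]


def find_beacons(flows, min_count=8, max_jitter=0.1):
    """Return {(src, dst): period_seconds} for source/destination pairs whose
    connection intervals are regular enough to look like a beacon.

    min_count  - ignore pairs with fewer connections than this (too little data).
    max_jitter - coefficient of variation (std dev / mean) of the inter-arrival
                 gaps above which the pair is treated as irregular traffic.
    Both thresholds are assumed values chosen for this example.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = sum(gaps) / len(gaps)
        if period <= 0:
            continue  # all connections in the same second: not a beacon schedule
        # Coefficient of variation: how spread out the gaps are relative to the period.
        cv = pstdev(gaps) / period
        if cv <= max_jitter:
            beacons[pair] = round(period, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_FLOWS).items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Only the 60-second pattern from 10.0.0.5 is reported; the bursty browsing from 10.0.0.7 fails the jitter test and 10.0.0.9 has too few connections. In practice a heuristic like this also matches legitimate periodic traffic (NTP, update checks, health probes), so it needs a destination allowlist or reputation data beside it, and malware that randomizes its check-in interval requires a looser `max_jitter` or a different feature such as payload size regularity.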
Please report errors in award information by writing to: awardsearch@nsf.gov.