Yih Huang

Efficiently tracking application interactions using lightweight virtualization

In this paper, we propose a general-purpose framework that harnesses the power of lightweight virtualization to track applications interactions in a scalable an efficient manner. Our goal is to use our framework for application auditing, intrusion detection, analysis, and system recovery from both malicious attacks and programmatic faults. In our framework, we construct each virtualized environment (VE) in a novel way that limits the scope and type of application events that need to be monitored. Our approach maintains the VE and system integrity, having as primarily focused on the interactions among VEs and system resources including the file system, memory, and network. Only events that are pertinent to the integrity of an application and its interactions with the operating system are recorded. We attempt to minimize the system overhead both in terms of system events we have to store and the resources required. Even though we cannot provide application replay, we keep enough information for a wide range of other uses including system recovery and information tracking among others. As a proof of concept, we have implemented a prototype based on OpenVZ[35], a lightweight virtualization tool. Our preliminary results show that, compared to state-of-the-art event recording systems, we can reduce the amount of event recorded per application by almost an order of magnitude.

Closing cluster attack windows through server redundancy and rotations

It is well-understood that increasing redundancy in a system generally improves the availability and dependability of the system. In server clusters, one important form of redundancy is spare servers. Cluster security, while universally recognized as an important subject in its own right, has not often been associated with the issue of redundancy. In prior work, we developed a self-cleansing intrusion tolerance (SCIT) architecture that strengthens cluster security through periodic server rotations and self-cleansing. In this work, we consider the servers in the cleansing mode as redundant, spare hardware and develop a unified control algorithm that manages the requirements of both security and service availability. We show the advantages of our algorithm in the following areas: (1) Intrusion tolerance through constant server rotations and cleansing, (2) Survivability in events of server failures, (3) Guarantee of service availability as long as the cluster has a minimum number of functioning servers, and (4) Scalability, the support of using high degrees of hardware/server redundancy to improve security and fault tolerance. We provide proofs for important properties of the proposed algorithm. The effects of varying degrees of server redundancy in reducing attack windows are investigated through simulation.

Introducing Diversity and Uncertainty to Create Moving Attack Surfaces for Web Services

Web servers are primary targets for cyber attack because of the documents they may contain, transactions they support, or the opportunity to cause brand damage or reputational embarrassment to the victim organization. Today most web services are implemented by employing a fixed software stack that includes a web server program, web application programs, an operating system, and a virtualization layer. This software mix as a whole constitutes the attack surface of the web service and a vulnerability in one of the components that make up the web service is a potential threat to the entire service. This chapter presents an approach that employs a rotational scheme for substituting different software stacks for any given request in order to create a dynamic and uncertain attack surface area of the system. In particular, our approach automatically creates a set of diverse virtual servers (VSs), each configured with a unique software mix, producing diversified attack surfaces. Our approach includes a rotational scheme with a set of diversified offline servers rotating in to replace a set of diversified online servers on either a fixed rotation schedule or an event-driven basis. Assuming N different VSs, M < N of them will serve online at a time while off-line VSs are reverted to predefined pristine state. By constantly changing the set of M online VSs and introducing randomness in their selections, attackers will face multiple, constantly changing, and unpredictable attack surfaces.

Secure, Resilient Computing Clusters: Self-Cleansing Intrusion Tolerance with Hardware Enforced Security (SCIT/HES)

The formidable difficulty in securing systems stems in large part from the increasing complexity of the systems we build but also the degree to which we now depend on information systems. Complex systems cannot be fully verified under all possible conditions. Self cleansing intrusion tolerance (SCIT) servers go through periodic cleaning. SCIT can be used to create secure and robust cluster of servers without the impossible requirement of having perfect security on each server in the cluster. In this paper, we identify six SCIT security primitives that must be satisfied. We present a SCIT hardware enhanced (SCIT/HES) implementation that guarantees the incorruptibility of SCIT operations

Incorruptible system self-cleansing for intrusion tolerance

Despite the increased focus on security, critical information systems remain vulnerable to cyber attacks. The problem stems in large part from the constant innovation and evolution of attack techniques. The trend leads importance to the concept of intrusion tolerance a critical system must fend off or at least limit the damage caused by unknown and/or undetected attacks. In prior work, we developed a self-cleansing intrusion tolerance (SCIT) architecture that achieves the above goal by constantly cleansing the servers and rotating the rule of individual servers. In this paper, we show that, with simple hardware enhancements strategically placed in a SCIT system, incorruptible intrusion containment can be realized. We then present an incorruptible SCIT design for use by one of the most critical infrastructures of the Internet, the domain name services. It is our belief that incorruptible intrusion containment as presented here constitutes a new, effective layer of system defense for critical information system

Incorruptible Self-Cleansing Intrusion Tolerance and Its Application to DNS Security

Despite the increased focus on security, critical information systems remain vulnerable to cyber attacks. The trend lends importance to the concept of intrusion tolerance: there is a high probability that systems will be successfully attacked and a critical system must fend off or at least limit the damage caused by unknown and/or undetected attacks. In prior work, we developed a Self -Cleansing Intrusion Tolerance (SCIT) architecture that achieves the above goal by constantly cleansing the servers and rotating the role of individual servers. In this paper1, we show that SCIT operations can be incorruptibly enforced with hardware enhancements. We then present an incorruptible SCIT design for use by one of the most critical infrastructures of the Internet, the domain name systems. We will show the advantages of our designs in the following areas: (1) incorruptible intrusion tolerance, (2) high availability, (3) scalability, the support for using high degrees of hardware/server redundancy to improve both system security and service dependability, and (4) in the case of SCIT-based DNSSEC, protection of the DNS master file and cryptographic keys. It is our belief that incorruptible intrusion tolerance as presented here constitutes a new, effective layer of system defense for critical information systems.

SafeFox: A Safe Lightweight Virtual Browsing Environment

The browser has become a popular attack vector for implanting code on computer operating systems. Equally critical, important sessions, such as online banking, must be protected from cross-site attacks from other concurrent sessions. In this work we describe an approach using lightweight virtualization to create a safe browsing environment, called SafeFox, to protect both the host and important browsing sessions from malicious Web content. With SafeFox, the browser runs in its own virtual environment (VE) in its own process namespace, file system, and IP address; furthermore, when browsing to a secure bookmarked site SafeFox automatically creates a new isolated lightweight virtual environment (VE) for the secure bookmarked site. In this paper, we present the architecture for SafeFox and demonstrate its low-overhead approach while analyzing its security properties. While the native platform of SafeFox is Linux, we have created a SafeFox virtual appliance to run on multiple platforms, including Windows.

Automating Intrusion Response via Virtualization for Realizing Uninterruptible Web Services

We present a virtualization-based web server system, a prototype, and experimental results for providing uninterrupted web services in the presence of intrusion attacks and software faults. The proposed system utilizes replicated virtual servers managed by a closed-loop feedback controller. Using anomaly and intrusion sensor outputs, the controller calculates cost-weighted actions against threats to ensure web service continuity. We will show that the system can handle broad classes of attacks. Experiment results show that our prototype retains 60% of its peak throughput under 8 DoS attacks per second over extended periods.

Securing DNS services through system self cleansing and hardware enhancements

Domain name systems (DNS) provide the mapping between easily-remembered host names and their IP addresses. Popular DNS implementations however contain vulnerabilities that are exploited by frequent, targeted attacks. The software vulnerabilities of DNS together with the constant innovation and morphing of cyber attack techniques necessitate the consideration of the worst case scenarios: there will be successful but undetected attacks against DNS servers. In this work, we develop a secure DNS architecture that contains the damage of successful, undetected attacks. This formidable end is achieved by constantly cleansing the servers and rotating the role of individual servers. Moreover, the server rotation process itself is protected against corruption by hardware. We will show the advantages of our design in the following areas: (1) protection of the DNS master file and cryptographic keys, (2) incorruptible intrusion tolerance, (3) high availability, and (4) scalability, the support of using of high degrees of hardware/server redundancy to improve both system security and service dependability. Due to the critical importance of DNS, such a dependable and intrusion-resilient design contributes significantly to the overall security of the Internet.

A security evaluation of a novel resilient web serving architecture: Lessons learned through industry/academia collaboration

We have previously developed a virtualization-based web serving architecture and a prototype to enhance web service resilience under cyber attack. The proposed system utilizes replicated virtual servers managed by a closed-loop feedback controller without humans in the loop. We have replicated the prototype at the Raytheon Company, which conducted a thorough penetration test and security examination. In this paper, we present the Resilient Web Service (RWS) and describe its security evaluation by Raytheon of a prototype implementation. We then present new research directions that address previous weaknesses and discuss the ongoing efforts of designing the next generation RWS architecture.