SPARTA ISSO

Wrappers

Generic Software Wrappers for Security and Reliability

The Generic Software Wrappers Toolkit prototype provides software "wrapping" technology to significantly increase the security and reliability of large software systems composed of standardized software components. The toolkit provides the tools required for administrators and users to create and manage "wrappers" - software modules that conceptually surround standard software components (such as shell, browser, and server applications) to observe, augment, and/or control their interactions with other components. By adding new functionality to inter-component interactions, wrappers can be used to increase the security and reliability of systems built from standard software components, without modifying the components themselves.

Description

Large-scale information systems are increasingly built by combining independently developed commercial off-the-shelf (COTS) software components such as programs, linkable code libraries, and network applets (e.g., CORBA or Java). Conventional software composition mechanisms (e.g., network protocols, dynamic libraries, system APIs) supply the required "glue" for building large systems, but provide very weak inter-component boundaries. Consequently, an entire critical system may be vulnerable to failures or security compromises within a single component: as the number of components increases, the risk of system failure also increases. In principle, security might be improved by basing critical systems only on high-assurance trusted components, but in practice, such components are rarely available.

This research seeks to develop and prototype software "wrapping" technology to significantly increase the security and reliability of large software systems composed of standardized software components. These generic software wrappers intercept component interactions and bind them with additional functions to implement practical security (e.g., restricting, filtering), reliability (e.g., redundancy, crash data recovery), and intrusion detection policies.

Our research is focusing on two fundamental challenges for practically deploying non-bypassable wrappers:

  • How to cost-effectively specify security policies as event interceptions; and
  • How to support wrappers using COTS operating systems and network execution environments (e.g., UNIX, Windows NT).

To specify security policies as event interceptions, our research has formulated a Wrapper Definition Language (WDL) to specify lightweight, portable software wrappers that can be used to provide security and reliability to generic software components. The goal of WDL is to make the specification of wrappers as easy and concise as possible. To support wrappers, our research has developed a Wrapper Support Interface (WSI) and a Wrapper Support Subsystem (WSS). The WSI specifies all operating system services required by wrappers; the WSS implements the WSI. The WSI and WSS have been developed for inclusion in both mainstream, kernelized UNIX systems (currently FreeBSD 3, 4, and 5, Sun Solaris 2.6, Linux Kernel 2.2.x) and the Windows NT 4/2000 runtime environment.
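The interception idea described above, as an added user-space model in C. It is not WDL and not the toolkit's code; the event structure, handler signature, and wrapper names are hypothetical. It shows an observing wrapper and a restricting wrapper bound to the same event, with the component's operation running only if no wrapper denies it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: an "event" is one intercepted call from a wrapped component. */
enum ev_type { EV_OPEN, EV_EXEC };
struct event { enum ev_type type; const char *path; int write; };

/* A wrapper's pre-call handler returns 0 to allow the call or -errno to deny it. */
typedef int (*pre_fn)(struct event *ev, void *state);
struct wrapper { const char *name; enum ev_type on; pre_fn pre; void *state; };

/* Restricting wrapper: deny write opens under a protected prefix. */
static int deny_etc_writes(struct event *ev, void *state) {
    (void)state;
    return (ev->write && strncmp(ev->path, "/etc/", 5) == 0) ? -EACCES : 0;
}

/* Observing wrapper: count events, as an intrusion detection sensor would. */
static int count_events(struct event *ev, void *state) {
    (void)ev;
    ++*(int *)state;
    return 0;
}

static int opens_seen;  /* state shared between the wrapper and its reader */
static struct wrapper chain[] = {
    { "audit",    EV_OPEN, count_events,    &opens_seen },
    { "restrict", EV_OPEN, deny_etc_writes, NULL },
};
/* Stand-in for the real operation the component asked for (fake descriptor). */
static int real_op(const struct event *ev) { (void)ev; return 3; }

/* Interception point: every call passes through all matching wrappers first. */
int dispatch(struct event ev) {
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        if (chain[i].on != ev.type) continue;   /* wrapper not bound to this event */
        int rc = chain[i].pre(&ev, chain[i].state);
        if (rc < 0) return rc;                  /* denied: real operation never runs */
    }
    return real_op(&ev);
}
int observed_opens(void) { return opens_seen; }

int main(void) {
    struct event r = { EV_OPEN, "/etc/passwd", 0 }, w = { EV_OPEN, "/etc/passwd", 1 };
    int a = dispatch(r), b = dispatch(w);
    printf("read=%d write=%d opens=%d\n", a, b, observed_opens());
    return 0;
}
```

A user-space dispatcher like this one can be bypassed by a component that calls the operating system directly, which is why the page's requirement for non-bypassable wrappers leads to interception inside the operating system.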

Current Status

The Generic Software Wrappers for Security and Reliability contract - the project's original source of DARPA funding - has ended. However, research and development are continuing under a new DARPA contract, Enterprise Wrappers for Information Assurance.

License

The Generic Software Wrappers Toolkit is Free software, available under the GNU General Public License version 2.

Downloads

Our prototype implementation, the Generic Software Wrappers Toolkit, has now been ported to four platforms: FreeBSD, Solaris, Linux, and Windows NT/2000. The latest release of the toolkit is available below:

Documentation

Our research and prototype implementation demonstrate how easily an abstract event interception mechanism can add useful security mechanisms and policies in COTS environments. The mechanism is implemented using loadable kernel modules and includes an object-oriented lifecycle and an in-kernel, memory-resident database for information collection and sharing. In addition to the basic interception mechanisms, we have implemented, studied, and reported on wrappers that implement access control, new functionality for legacy programs (e.g., encryption), and several intrusion detection techniques. The following technical reports and published papers describing our research are available:

Timothy Fraser, Lee Badger, Mark Feldman, "Hardening COTS Software with Generic Software Wrappers," in the proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California, May 9-12, 1999.

This paper presents a good overview of our wrappers system. [ PostScript, PDF ]

Calvin Ko, Timothy Fraser, Lee Badger, Douglas Kilpatrick, "Detecting and Countering System Intrusions Using Software Wrappers," in the proceedings of the 9th Usenix Security Symposium, Denver, Colorado, August 14-17, 2000.

This paper discusses our use of wrappers to implement various intrusion detection techniques. [ PostScript, PDF ]

Calvin Ko, "Logic Induction of Valid Behavior Specifications for Intrusion Detection," in the proceedings of the 2000 IEEE Symposium on Security and Privacy, Oakland, California, 14-17 May, 2000.

This paper details an inductive anomaly detection technique we implemented using wrappers. [ PostScript, PDF ]

Point of Contact

To contact the developers of this project, please e-mail ISSO-wrappers-info@sparta.com.