Agility - DARPA/ITO Project Summary

ARPA Order Number: F267
Principal Investigators: Lee Badger, Mike Petkac
Contractor: Trusted Information Systems, Inc., 3060 Washington Road, Glenwood, Maryland 21738
Phone: 443-259-2300
Fax: 301-854-4731
Title of Effort: Security Agility for Dynamic Execution Environments

Objective:
Develop and prototype practical but powerful security agility technology applicable to components in a dynamic distributed environment. Security agile components will be cognizant of the changing security environment and be able to adapt to it and negotiate tradeoffs between security and functionality.

Approach:
Develop tools and techniques for constructing security agile components that operate effectively in a dynamic security environment. Explore through worked examples the benefits and limitations of security agile components, specifically in the context of a globally networked system. This research will be conducted in three phases:

Phase 1: Characterize security responsibilities of representative system components and formulate requirements for engineering new versions of such components that dynamically adapt to security policy changes. Based on these requirements, formulate criteria for security agility. Using Domain and Type Enforcement (DTE) technology (a UNIX kernel-based access control mechanism that supports dynamic policy updates) as a system base, develop a security agility prototype system by embedding knowledge of security policies in selected representative system components (e.g., one or more firewall proxies, HTTP servers, system logging daemons). Provide internal mechanisms by which the components can respond to dynamic updates in the security policy generated by a human administrator or by other automatic means. The prototype system will demonstrate that agile components respond robustly to dynamic changes in their security environment, thus reducing the negative side effects that occur with dynamic policy change (e.g., program crashes, processes continuing in violation of the new policy, etc.).

Phase 2: Develop a security agility toolkit that encapsulates security agility functionality in reusable code and security specification libraries and that provides a specification-independent representation framework for security rules. Extend component internal interfaces to support dynamic code extensions, thereby enabling dynamic security behavior adaptation to conform with the overall security posture of the system (e.g., terminate rather than suspend processes in violation of a new security policy). Although the initial toolkit will be built on a DTE base, the specification-independent framework will provide the means for extensions for interoperability with other security policy specification techniques. Additionally, the toolkit will be structured to maximize its portability to execution environments other than the BSD/OS UNIX variant that DTE is based on. Investigate limitations of security agility and characterize degrees of agility that can be practically prepackaged in toolkits. Provide worked examples for use by other researchers in their exploration of security agility.

Phase 3: Develop a distributed security agility toolkit that provides mechanisms required to update distributed collections of system components in a coordinated manner, including synchronization, communications, and concurrency control techniques. Extend the security specification libraries and general toolkit techniques for scalability to networked systems. Demonstrate distributed security agility through toolkit-enhanced components running in a network consisting of UNIX-based (DTE and non-DTE) hosts.

Recent Accomplishments:
During the past year, Network Associates Labs continued to work on the third phase of the project. Phase-two development produced an initial security agility toolkit based on the DTE policy model to integrate security awareness and adaptability into components on a single host. Using the phase-two toolkit as the basis of phase-three development, Network Associates Labs personnel:

Developed significant portions of a portable distributed agility toolkit to produce agile software components without modification of original software.
Examined strategies and proposed a method to integrate the distributed agility toolkit in an intrusion detection and response framework to help coordinate host-based intrusion detection response.

The distributed toolkit offers a low-cost method of retrofitting legacy software or designing new components with the security awareness and adaptation necessary to operate effectively in dynamic security environments. Like its phase-two counterpart, the distributed toolkit consists of three primary components: an "agile" policy, an agility subsystem, and a policy notification service. However, these components were redesigned and extended for scalability to a distributed environment by increasing integration and run-time transparency, furnishing more prepackaged functionality, and developing a more formal and intuitive agile policy. The distributed toolkit unobtrusively integrates into a host's environment and, without modification to system or process source code, its agility subsystem provides prepackaged functionality that is dynamically grafted onto components at run time. A component's agile functionality is specified by the system's agile policy and conveyed to the agile component through the policy notification service. Prepackaged toolkit functionality includes fine-grained auditing, process-level access control, resource re-evaluation on security policy change, default adaptation to policy change, and an interface for providing the custom survival responses that different mission-critical systems might require.

Reactive flexibility with regard to security policy is critical for survival against the automated techniques many adversaries employ. The distributed toolkit facilitates security-posture changes through its policy notification service, which modifies component behavior at run time by allowing dynamic updates of the agile policy that the agility subsystem enforces. This toolkit feature provides a means to realize much more flexible intrusion-tolerant systems without requiring human intervention during the critical period when attacks are taking place. This can be accomplished by integrating the distributed agility toolkit with a framework for intrusion detection and response information exchange, such as that demonstrated by the Intrusion Detection and Isolation Protocol (IDIP) research.

The distributed toolkit is hosted on the FreeBSD operating system, rather than the now outdated BSD/OS 2.1 UNIX-based operating system that hosted the DTE prototype as well as the phase-two agility toolkit. Since the distributed toolkit requires no source code modifications, makes use of interposition-based support for dynamic functionality extensions at the standard system-library level, and uses common programming methods to implement its techniques, it can be easily ported to other UNIX variants, including Linux and Solaris. Without modification the toolkit is compatible with previous and future ELF-based FreeBSD versions (and other UNIX variants the toolkit may be ported to). Additionally, Network Associates Labs personnel used parallel interposition-based techniques developed by our sister project, Generic Software Wrappers, to experiment with implementing agility on the Windows NT platform, though the Windows toolkit has not been fully developed. The distributed toolkit's agility subsystem also provides templates to support extensions for embedding additional policy models. In the near future, Network Associates Labs personnel anticipate releasing a FreeBSD version of the DTE prototype, which the distributed toolkit will support.
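The two preceding paragraphs describe the core run-time loop of the agility subsystem: an interposed system-library call consults the agile policy, denials are audited, and a policy update delivered by the notification service triggers re-evaluation of resources the component already holds, with a default adaptation (release the resource) and a hook for a custom survival response. The following C block is an added example written for this page to make that loop concrete; it is not the toolkit's code, and every name in it (`agile_state`, `agile_open`, `agile_policy_update`, the `httpd_d` domain and the rule sets) is a hypothetical stand-in. A real interposition library would define `open()` and call `agile_open()` before forwarding to libc; here the resource table is kept in memory so the logic runs stand-alone.

```c
/* Added example, not the project's code: a minimal "agile policy" engine
 * in the style the summary describes.  All names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_RULES 16
#define MAX_RES   16
#define PATHLEN   64
#define NAMELEN   32

enum access_mode { ACC_READ = 1, ACC_WRITE = 2 };

/* One rule of the agile policy: a domain may use paths under a prefix
 * (written with a trailing slash) with the given access modes. */
struct rule {
    char domain[NAMELEN];
    char path_prefix[PATHLEN];
    int  allowed;                 /* bitmask of enum access_mode */
};

struct policy {
    struct rule rules[MAX_RULES];
    int nrules;
    unsigned version;             /* bumped on every notification */
};

/* A resource the component currently holds, e.g. an open file. */
struct resource {
    char path[PATHLEN];
    int  mode;
    bool held;
};

/* Per-process agility subsystem state. */
struct agile_state {
    const char *domain;           /* DTE-style domain of this process */
    struct policy pol;
    struct resource res[MAX_RES];
    int nres;
    int audit_denied;             /* fine-grained audit: number of denials */
    void (*on_revoke)(const struct resource *r);  /* custom survival hook */
};

/* Evaluate one request against the current policy; audit denials. */
int agile_check(struct agile_state *st, const char *path, int mode) {
    for (int i = 0; i < st->pol.nrules; i++) {
        const struct rule *r = &st->pol.rules[i];
        if (strcmp(r->domain, st->domain) == 0 &&
            strncmp(r->path_prefix, path, strlen(r->path_prefix)) == 0 &&
            (r->allowed & mode) == mode)
            return 1;
    }
    st->audit_denied++;
    fprintf(stderr, "audit: policy v%u denied %s (mode %d) for domain %s\n",
            st->pol.version, path, mode, st->domain);
    return 0;
}

/* What the interposed open() would call: admit and record, or deny (-1).
 * A real wrapper would return the libc file descriptor; here it is the
 * index into the resource table. */
int agile_open(struct agile_state *st, const char *path, int mode) {
    if (!agile_check(st, path, mode) || st->nres >= MAX_RES) return -1;
    struct resource *r = &st->res[st->nres];
    snprintf(r->path, PATHLEN, "%s", path);
    r->mode = mode;
    r->held = true;
    return st->nres++;
}

/* Resource re-evaluation: release whatever the new policy no longer allows.
 * Returns the number of resources revoked. */
int agile_reevaluate(struct agile_state *st) {
    int revoked = 0;
    for (int i = 0; i < st->nres; i++) {
        struct resource *r = &st->res[i];
        if (!r->held) continue;
        if (!agile_check(st, r->path, r->mode)) {
            r->held = false;                       /* default adaptation */
            if (st->on_revoke) st->on_revoke(r);   /* custom survival response */
            revoked++;
        }
    }
    return revoked;
}

/* Policy notification: install a new rule set, bump the version, re-evaluate. */
int agile_policy_update(struct agile_state *st, const struct rule *rules, int n) {
    if (n > MAX_RULES) return -1;
    memcpy(st->pol.rules, rules, (size_t)n * sizeof *rules);
    st->pol.nrules = n;
    st->pol.version++;
    return agile_reevaluate(st);
}

/* Constructed scenario: an httpd-like component whose policy is tightened. */
static const struct rule initial_rules[] = {
    { "httpd_d", "/var/www/", ACC_READ },
    { "httpd_d", "/var/log/", ACC_WRITE },
};
static const struct rule tightened_rules[] = {
    { "httpd_d", "/var/www/", ACC_READ },
};

int agile_demo(void) {
    struct agile_state st = { .domain = "httpd_d" };
    agile_policy_update(&st, initial_rules, 2);
    agile_open(&st, "/var/www/index.html", ACC_READ);   /* allowed */
    agile_open(&st, "/var/log/access.log", ACC_WRITE);  /* allowed */
    agile_open(&st, "/etc/master.passwd", ACC_READ);    /* denied, audited */
    return agile_policy_update(&st, tightened_rules, 1); /* revokes the log file */
}
```

`agile_demo()` returns 1: after the tightened policy arrives, the already-open log file is the only held resource the new rules no longer cover, so it is released while the web root stays open and the process keeps running rather than crashing or continuing in violation of the new policy. The `on_revoke` pointer is where a mission-specific response (flush and reopen elsewhere, fail over, or terminate) would be plugged in instead of the default release.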

Current Plan:
During the remainder of the contract, which concludes September 30, 2000, Network Associates Labs will continue to develop and refine the distributed security agility toolkit and demonstrate its capabilities. To support this plan, Network Associates Labs personnel will:

Construct a testbed consisting of UNIX-based (DTE and non-DTE) hosts and demonstrate distributed security agility through toolkit-enhanced components.
Demonstrate how the distributed toolkit can be used to respond to intrusion detection events using a simplified simulation of the Common Intrusion Detection Framework (CIDF).
Document and analyze the distributed security agility toolkit in a final evaluation report.