Secure Execution Environments
Generic Software Wrappers for Security and Reliability
Large-scale information systems are increasingly built by combining independently developed commercial off-the-shelf (COTS) software components such as programs, linkable code libraries, and network applets (e.g., CORBA or Java). Conventional software composition mechanisms (e.g., network protocols, dynamic libraries, system APIs) supply the required "glue" for building large systems, but provide very weak inter-component boundaries. Consequently, an entire critical system may be vulnerable to failures or security compromises within a single component: as the number of components increases, so does the risk of system failure. In principle, security might be improved by basing critical systems only on high-assurance trusted components, but in practice such components are rarely available.
This research seeks to develop and prototype software "wrapping" technology to significantly increase the security and reliability of large software systems composed of standardized software components. These generic software wrappers intercept component interactions and bind them with additional functions to implement practical security (e.g., restricting, filtering), reliability (e.g., redundancy, crash data recovery), and intrusion detection policies.
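To make the interception model concrete, here is an added example that is not the project's WDL, WSI or WSS code. It wraps a hypothetical COTS component with two entry points (`component_open`, `component_write`, both constructed for this example), treats every call as an event, applies a restricting policy to opens and a filtering policy to writes, and keeps per-event counters that a simple intrusion-detection policy consults. The sandbox prefix, the alert threshold and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not the project's WDL/WSI/WSS code): a user-level
 * model of a generic software wrapper.  A hypothetical COTS component
 * exposes two entry points; the wrapper intercepts each call as an event,
 * applies a policy (restrict for opens, filter for writes), keeps counters
 * usable by an intrusion-detection policy, and only then forwards the call. */

typedef enum { EV_OPEN = 0, EV_WRITE = 1, EV_COUNT = 2 } event_t;

/* --- the wrapped component (hypothetical, constructed for this example) --- */
static int component_open(const char *path)
{
    return (int)strlen(path);           /* stand-in for a real handle */
}

static int component_write(int handle, const char *data)
{
    (void)handle;
    return (int)strlen(data);           /* stand-in for bytes written */
}

/* --- wrapper state: per-event counters --- */
static unsigned long intercepted[EV_COUNT];
static unsigned long denied[EV_COUNT];

/* Restricting policy: opens are confined to an assumed sandbox prefix and
 * must not contain parent-directory traversal. */
static bool policy_allow_open(const char *path)
{
    static const char prefix[] = "/var/app/";
    if (strncmp(path, prefix, sizeof prefix - 1) != 0)
        return false;
    if (strstr(path, "..") != NULL)
        return false;
    return true;
}

/* Filtering policy: writes may contain only printable ASCII, tab or newline. */
static bool policy_filter_write(const char *data)
{
    for (const unsigned char *p = (const unsigned char *)data; *p; p++) {
        if (*p == '\n' || *p == '\t')
            continue;
        if (*p < 0x20 || *p >= 0x7f)
            return false;
    }
    return true;
}

/* --- intercepted entry points: what the component's callers now reach --- */
int wrapped_open(const char *path)
{
    intercepted[EV_OPEN]++;
    if (!policy_allow_open(path)) {
        denied[EV_OPEN]++;
        return -1;                      /* violation: call never reaches the component */
    }
    return component_open(path);
}

int wrapped_write(int handle, const char *data)
{
    intercepted[EV_WRITE]++;
    if (handle < 0 || !policy_filter_write(data)) {
        denied[EV_WRITE]++;
        return -1;
    }
    return component_write(handle, data);
}

/* --- intrusion-detection policy over the event counters --- */
#define DENIED_OPEN_ALERT_THRESHOLD 3   /* constructed threshold for the example */

bool wrapper_alert(void)
{
    return denied[EV_OPEN] >= DENIED_OPEN_ALERT_THRESHOLD;
}

unsigned long wrapper_intercepted(event_t ev) { return intercepted[ev]; }
unsigned long wrapper_denied(event_t ev) { return denied[ev]; }

void wrapper_reset(void)
{
    memset(intercepted, 0, sizeof intercepted);
    memset(denied, 0, sizeof denied);
}

int main(void)
{
    wrapper_reset();
    int h = wrapped_open("/var/app/data.txt");
    wrapped_open("/etc/passwd");                 /* denied by restricting policy */
    wrapped_write(h, "hello\n");
    wrapped_write(h, "bad\001byte");             /* denied by filtering policy */
    printf("open: %lu intercepted, %lu denied; write: %lu intercepted, %lu denied; alert=%d\n",
           wrapper_intercepted(EV_OPEN), wrapper_denied(EV_OPEN),
           wrapper_intercepted(EV_WRITE), wrapper_denied(EV_WRITE), wrapper_alert());
    return 0;
}
```

The point of the structure is that callers are re-bound to `wrapped_open` and `wrapped_write`, so the policy cannot be bypassed by the component's clients; in the project described here that binding is done below the component, in the operating system, rather than by renaming user-level functions as this toy does.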
Two Fundamental Challenges
Our research is focusing on two fundamental challenges for practically deploying non-bypassable wrappers:
- How to cost-effectively specify security policies as event interceptions; and
- How to support wrappers using COTS operating systems and network execution environments (e.g., UNIX, Windows NT).
To specify security policies as event interceptions, our research has formulated a Wrapper Definition Language (WDL) to specify lightweight, portable software wrappers that can be used to provide security and reliability to generic software components. The goal of WDL is to make the specification of wrappers as easy and concise as possible.
To support wrappers, our research has developed a Wrapper Support Interface (WSI) and a Wrapper Support Subsystem (WSS). The WSI specifies all operating system services required by wrappers; the WSS implements the WSI. The WSI and WSS have been developed for inclusion in both mainstream, kernelized UNIX systems (currently FreeBSD 3, 4, and 5, Sun Solaris 2.6, Linux Kernel 2.2.x) and the Windows NT 4 runtime environment.
For more information:
The 2000 DARPA/ITO Project Summary provides more information on recent accomplishments and plans for this project.
