SPARTA ISSO

Generic Software Wrappers - DARPA/ITO Project Summary


Project Title: Generic Software Wrappers for Security and Reliability
Organization: Network Associates Labs, Network Associates; formerly Trusted Information Systems, Inc.
AO Number: E017
Contract Number: F30602-96-C-0333
Start Date: 29 August 1996
End Date: 30 September 2000
Principal Investigators: Lee Badger, Mark Feldman, Calvin Ko
Address: 3060 Washington Road (Rt. 97), Glenwood, Maryland, 21738
Phone: 443-259-2300 Fax: 301-854-4731

Objective:
Develop and prototype software "wrapping" technology on multiple platforms to significantly increase the security and reliability of large software systems composed of standardized software components. Generic Software Wrappers will intercept component interactions and bind them with additional functions that implement practical security (e.g., restricting, filtering) and reliability (e.g., redundancy, crash data recovery) policies. They will also provide a means for tightly integrating various intrusion detection techniques to increase intrusion detection success and portability.

Approach:
Develop tools and techniques for constructing software wrappers that enhance the security and reliability of software systems by augmenting interactions between COTS software (application programs and daemons) and COTS operating systems. Demonstrate through concrete worked examples that the wrapping technology is portable to multiple popular operating environments, thereby facilitating technology transfer to mainstream systems and enabling significant real-world increases in security and reliability. Implement intrusion detection techniques using wrappers that are both more tightly integrated and more portable than previously possible. The six phases of Network Associates Labs' research follow:

Phase 1: Formulate a Wrapper Definition Language (WDL) for specifying security and reliability functionality and properties of lightweight, portable software wrappers that can be applied to generic software components. Formulate a Wrapper Support Interface (WSI) that provides all operating system services required by wrappers and that is suitable for inclusion by systems designed both as kernelized operating systems and as interpreters. Prototype the WDL compiler, develop a simulator of the WSI, and demonstrate WDL parsing and compositions of WDL wrappers. Demonstrate wrapper-conducted filtering and processing based on the WSI simulator.

Phase 2: Develop a Wrapper Support Subsystem (WSS) that implements the WSI and is suitable for inclusion in mainstream kernelized UNIX systems. Structure the WSS subsystem to be easily integrated with multiple UNIX platforms while minimizing intrusive changes to UNIX system internals. Integrate the WSS subsystem into a widely available kernelized UNIX for which source code licenses are free or of modest cost. Develop WDL wrappers for several security and reliability policies and demonstrate enhanced security and reliability for (unchanged) software components running on the UNIX wrapper-supporting prototype system.

Phase 3: Develop both a Sun Solaris wrappers prototype and a limited-functionality Windows NT wrappers prototype. Network Associates Labs will augment WDL as needed for application in the Solaris and NT environments and develop new WDL features as required. Network Associates Labs will demonstrate enhanced security and reliability policies for applications running on both Solaris and NT. By developing an NT wrapper supporting system, this task will ensure that wrapper concepts formulated by this project are not specific to UNIX-like operating systems.

Phase 4: Develop and test a suite of CIDF-compliant Intrusion Detection Wrappers (IDWs). At a minimum, the suite will include IDWs for C. Ko's specification-based technique, P. Porras's state-transition analysis technique, and S. Forrest's sequence-based technique. Demonstrate Intrusion Detection (ID) performance for classes of intrusions that cannot be detected using current technology. To take full advantage of wrapper capabilities, partition ID techniques, as needed, into front-end and back-end parts: the front-end processing will occur synchronously with the system calls of monitored (i.e., wrapped) programs allowing some detections to occur before an attack sequence completes. The back-end parts will perform more resource-intensive processing in the background and provide feedback to front-end parts. Employ software wrappers' ability to access, filter, and dynamically probe a running system's state to provide ID techniques with significantly more expressive input data sets (e.g., perhaps including content-selected read/write events) than are available in operating system audit trails. Taking advantage of a wrapper's ability to efficiently select from vast quantities of information flowing through an interface, significantly increase the quality of information made available to ID techniques.

Phase 5: Develop a proof-of-concept IDW prototype on Windows NT 4.0 using Software Fault Isolation (SFI) techniques to confine unmodified Windows applications running on an unmodified Windows NT base. Explore the extent to which SFI techniques can bring non-bypassable wrappers to NT and make wrappers and IDWs more generally available.

Phase 6: Extend the IDW framework to enable generation of specialized IDW probes/sensors for system or network services, and extend IDWs to distributed systems by using SNMPv3 to coordinate distributed IDW configuration, activation, detection, and intrusion response management. Produce a distributed IDW prototype with customizable IDW sensors.
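
The front-end/back-end split described in Phase 4 can be sketched as follows. This is an added example, not code from the Generic Software Wrappers Toolkit: it models the sequence-based technique as n-gram lookup over system-call names, and the class and function names, window length, mismatch threshold, and traces are all assumptions constructed for illustration.

```python
from collections import deque

WINDOW = 3  # assumed n-gram length over system-call names

def build_profile(trace, n=WINDOW):
    """Back-end training: every n-gram seen in a known-good trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}

class FrontEnd:
    """Hypothetical front-end: runs synchronously on each intercepted call."""
    def __init__(self, profile, n=WINDOW, max_mismatches=1):
        self.profile = profile
        self.max_mismatches = max_mismatches  # tolerated unknown n-grams
        self.window = deque(maxlen=n)
        self.mismatches = 0
        self.pending = []  # unknown n-grams queued for the back-end

    def on_syscall(self, name):
        """Return 'allow' or 'deny' before the call would proceed."""
        self.window.append(name)
        if len(self.window) < self.window.maxlen:
            return "allow"  # not enough history to judge yet
        gram = tuple(self.window)
        if gram in self.profile:
            return "allow"
        self.mismatches += 1
        self.pending.append(gram)
        return "deny" if self.mismatches > self.max_mismatches else "allow"

def back_end_review(front_end):
    """Hypothetical back-end pass: drain queued anomalies and feed back a
    stricter threshold so the next unknown n-gram is denied at once."""
    drained, front_end.pending = front_end.pending, []
    if drained:
        front_end.max_mismatches = 0
    return drained

def monitor(trace, profile, **kw):
    """Replay a trace through a fresh front-end; return the verdicts."""
    fe = FrontEnd(profile, **kw)
    return [fe.on_syscall(call) for call in trace]

# Constructed traces: a well-behaved run and a deviating one.
NORMAL = ["open", "read", "write", "close"] * 2
DEVIANT = ["open", "read", "execve", "socket", "write"]
PROFILE = build_profile(NORMAL)

if __name__ == "__main__":
    print(monitor(DEVIANT, PROFILE))
```

With the default threshold the first unknown n-gram is tolerated and the following calls are denied, so the verdict lands before the deviating sequence finishes.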

Recent Accomplishments:
Network Associates Labs ported the Generic Software Wrappers prototype, implemented originally under FreeBSD and previously ported to Solaris and Windows NT, to Linux, at the same time increasing the robustness of the system and adding functionality. Network Associates Labs released new versions of the prototype on the Internet. Several Intrusion Detection strategies were successfully implemented using wrappers. Software Fault Isolation (SFI) and alternative isolation mechanisms have been investigated. Network Associates Labs is leveraging its wrappers research by working with other DARPA-funded projects on the integration and testing of wrappers with their technologies. Finally, Network Associates Labs staff have demonstrated and presented papers and talks on various aspects of the wrappers technology.

Linux: With the increased use and importance of Linux, both as a server and client platform, Network Associates Labs ported the Generic Software Wrappers Toolkit to Linux under Internal Research and Development funding. This work has quickly become the basis for additional research.

Functionality and Robustness: NAI has made several new releases of the Generic Software Wrappers Toolkit available with improved functionality. New libraries supporting enhanced activation criteria and regular expression handling have been added. An event file system (file-system-like interface a la /proc) has been added to enhance administration of and interaction with the wrappers system. The toolkit is more stable on all supported platforms, is now compatible with Sun's Basic Security Module under Solaris 2.6, and is able to wrap large, complex programs under Windows NT (e.g., Word).

Intrusion Detection Wrappers (IDWs): Additional IDWs representing a number of intrusion detection techniques have been designed and implemented with positive results. NAI developed software to automatically translate C. Ko's Parallel Event Grammars (PEGs) into effective specification-based wrappers and demonstrated the efficacy with PEGs for several UNIX daemons. The success of this approach led to the development of a method for generating wrappers based on logical inferences over the system calls of a well-behaved program. NAI has started the design and development of a framework for distributed IDWs.

Software Fault Isolation and alternative mechanisms: Network Associates Labs has continued its SFI research, developing code to dynamically insert bounding code at runtime. Difficulties with this approach in the WINTEL environment have led NAI to look for alternatives. While NAI believes that, in theory, dynamic SFI in a binary-only environment could provide the needed separation between wrappers and the programs they wrap in the same process address space, the combination of the x86 instruction set, which has been built upon many times, and the method Windows NT uses to load programs makes it an intractable engineering problem. NAI's research in this area has led to the possibility of using unused rings in the x86's built-in protection mechanism to provide the necessary isolation.

Integration and Experimentation: Network Associates Labs is actively working with other DARPA-funded projects, under this contract, other contracts, and Internal Research and Development funding, to integrate wrappers with these projects' technologies and test the improvements in security. NAI has successfully worked with Secure Computing Corporation (SCC) to develop a data-driven wrapper that enforces access control based on policies produced by SCC's Napoleon GUI RBAC tool. NAI has also worked with SRI International to develop a wrapper under Linux that will generate output similar to Sun's Basic Security Module (BSM), allowing SRI's Emerald IDS to run under Linux. Network Associates Labs staff participated in a successful whiteboard experiment at DARPA's Technology Integration Center in conjunction with BBN, USC ISI, and Sandia National Labs to determine if wrappers can raise the security bar in terms of protecting access to a cryptographic device and to PIN entry when using the device. The success of this whiteboard experiment has led to a real experiment that is under way.

Papers and Presentations: Network Associates Labs Staff have written papers and given talks on various aspects of their Generic Software Wrappers research. In addition to presentations to various DARPA PMs and members of the community at DARPA's Technology Integration Center and elsewhere, NAI has presented papers and talks at the IEEE Security and Privacy Symposium and DISCEX.

Current Plan:
Network Associates Labs will complete development of Intrusion Detection Wrappers (IDWs) and the software isolation prototype, making changes to the Generic Software Wrappers prototype as necessary to add functionality and robustness. Network Associates Labs will document its research, continue to make newer versions of the Generic Software Wrappers Toolkit available on the Internet, and continue to provide information on wrappers to others interested in the technology through demonstrations, presentations, and integration experiments through the end of this contract.

Technology Transition:
Technology transfer has included review, integration experiments, papers, presentations, and use of Generic Software Wrappers by other DARPA projects and for projects funded under Internal Research and Development.

Review: NAI presented Generic Software Wrappers as their first technology to be peer-reviewed at the first peer review of the Security Research Alliance. Network Associates Labs staff provided information for Sandia National Labs as they prepared a report on Generic Software Wrappers for DARPA. Their conclusion:

"The Sandia Wrappers Assessment Team believes that the wrappers technology being developed by Network Associates Labs delivers viable computer security functionality to today's complex computing environments. Generic Software Wrappers appear to be a promising technique for protecting critical processes on a given computing platform. Noteworthy progress has been demonstrated in the development life cycle of the software wrappers analyzed in this report. The Wrappers Assessment Team believes that this technology warrants further development for both UNIX and NT based systems."

Integration and Experimentation: NAI has been collaborating with Secure Computing Corporation, SRI International, BBN, USC ISI, Sandia National Labs, and other projects within NAI this year and will continue with these efforts. NAI demonstrated the integration of Generic Software Wrappers and Secure Computing Corporation's Napoleon GUI RBAC tool at a DARPA Technology Integration Center Science Fair. NAI continued to develop wrappers to provide detection, prevention, and response capabilities for IDIP under both internal and contract funding. Wrappers were first written for Solaris and then for Windows NT.

Papers and Presentations: NAI's 1999 IEEE Symposium on Security and Privacy paper, Hardening COTS Software with Generic Software Wrappers, was presented at DISCEX. NAI presented the following paper and talks on various technical aspects of the research at the 2000 IEEE Symposium on Security and Privacy:

  • Calvin Ko presented his paper, Logic Induction of Valid Behavior Specifications for Intrusion Detection, describing a new method to generate specifications for correct program behavior, and wrappers to enforce those specifications, using logical induction of the system calls of an executable known to be behaving correctly.
  • Doug Kilpatrick presented a talk on the design and development of the data-driven wrapper that implements access control based on the output of Secure Computing Corporation's Napoleon GUI RBAC tool.
  • Lee Badger presented a talk on the design and development of the wrapper designed to provide SRI International's Emerald IDS with sufficient information to run under Linux.

Future Research: NAI has been awarded a new DARPA contract, Enterprise Wrappers for Information Assurance, to research and develop ways to extend wrappers from a single desktop system to an entire enterprise. This work will build the infrastructure necessary to make wrappers a key security-enabling technology in large, heterogeneous computing environments. NAI will be releasing all code under the GNU General Public License -- the same license as Linux -- in order to achieve the widest possible adoption of the technology.