Finished Projects
Secure Execution Environments
Generic Software Wrappers for Security and Reliability
Problem
Today's large-scale information systems increasingly combine an array of
independently developed Commercial Off-The-Shelf (COTS) software
components such as programs, linkable code libraries, and network
applets (e.g., CORBA or Java). Unfortunately, although
conventional software composition mechanisms (e.g., network protocols,
dynamic libraries, system APIs) supply the required "glue" for combining
such components into large systems, they provide very weak
inter-component boundaries. Consequently, an entire critical system may
be vulnerable to failures or security compromises within a single
component. One solution might be to base critical systems only on
high-assurance trusted components, but such components are rarely
available. SPARTA ISSO is investigating a very promising and practical
potential security solution for large-scale systems comprising numerous
individual COTS components.
Solution
Under DARPA funding, SPARTA ISSO is developing software "wrapping"
technology to significantly increase the security and reliability of
large software systems composed of standardized software components.
These generic software wrappers intercept and augment component
interactions to implement practical security (e.g., restricting,
filtering) and reliability (e.g., redundancy, crash data recovery)
policies.
Details
The figure below illustrates the architecture of a wrapper-enforcing
system. Programs running "unwrapped" perform as usual; any system
requests go directly to the operating environment. However, selected
system requests from a wrapped program (step 1) are intercepted by a
wrapper that understands the system API (step 2). This concrete wrapper
may in turn generate events intercepted by a more abstract wrapper (step
3). If the event has not been denied, it passes down to the system's
internal API (step 4).

A central feature of our approach is that highly abstract wrappers may directly express security policies of interest (e.g., Biba, Clark/Wilson) and that more concrete wrappers may translate a particular system's API for use by abstract wrappers. By placing wrapper logic primarily in abstract wrappers, our research seeks to make wrappers relatively reusable and portable between execution environments. Furthermore, by showing WDL wrappers that run in the UNIX and Windows prototype systems, our research seeks to demonstrate that WDL wrappers are not specific to a single system or architecture, but are suitable for increasing the security and reliability of large-scale heterogeneous software systems in general.
The figure below graphically depicts a wrapper written in WDL and traces its key behaviors. The wrapper specifies interception criteria that determine the events to be intercepted by the wrapper. For each intercepted event, an action is performed; for example, the event is denied, its parameters are transformed, its functionality is supplemented (e.g., data is encrypted), or a new event is generated for possible consumption by another wrapper.

Additionally, we have been focusing research on using wrappers to implement intrusion detection techniques. Wrappers give intrusion detection better access to system data, including all system call parameters, and the ability to respond faster, stopping an attack at the first system call at which it is detected. We have written wrappers that successfully implement specification-based and sequence-based intrusion detection concisely and with low overhead.
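The following is an added illustration, not code from SPARTA ISSO's WDL toolkit: a small Python model of the pipeline described above (steps 1-4) and of the specification-based detection just mentioned. A concrete wrapper that understands a file-API subset translates raw requests into abstract (operation, object) events; an abstract Biba wrapper and an abstract specification-based wrapper then act on those events, and the first denial stops the request before it reaches the internal API. The syscall names, integrity labels and program specification are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable

DENY = object()  # sentinel an action returns to deny the intercepted event

@dataclass
class Wrapper:
    name: str
    criteria: Callable[[dict], bool]        # interception criteria (step 2 / step 3)
    action: Callable[[dict, dict], object]  # (event, state) -> transformed event or DENY

@dataclass
class WrappedProgram:
    wrappers: list                          # concrete wrapper first, abstract ones after
    state: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request(self, syscall: str, **args):
        """Step 1: the program issues a request. Each wrapper whose criteria match
        acts on it; a DENY stops it. Whatever survives reaches the internal API (step 4)."""
        event = {"syscall": syscall, "args": dict(args)}
        for w in self.wrappers:
            if not w.criteria(event):
                continue                    # not intercepted: passes through unchanged
            event = w.action(event, self.state)
            if event is DENY:
                self.audit.append((w.name, syscall))
                return None
        return event

# Concrete wrapper: knows the system API and generates an abstract event for the next wrapper.
def translate(ev, state):
    op = {"open": "write" if "w" in ev["args"].get("mode", "r") else "read",
          "unlink": "write"}[ev["syscall"]]
    return {**ev, "abstract": (op, ev["args"]["path"])}
concrete = Wrapper("file_api", lambda ev: ev["syscall"] in ("open", "unlink"), translate)

# Abstract wrapper: Biba no-write-up. Integrity labels are constructed sample values.
INTEGRITY = {"/etc/passwd": 2, "/tmp/scratch": 0}
def biba(ev, state):
    op, obj = ev["abstract"]
    return DENY if op == "write" and INTEGRITY.get(obj, 0) > state["integrity"] else ev
biba_w = Wrapper("biba", lambda ev: "abstract" in ev, biba)

# Abstract wrapper: specification-based detection. The spec lists the only abstract
# events this program should issue; the first event outside it is denied on the spot.
spec_w = Wrapper("spec_ids", lambda ev: "abstract" in ev,
                 lambda ev, state: ev if ev["abstract"] in state["spec"] else DENY)

def demo():
    prog = WrappedProgram([concrete, biba_w, spec_w], state={
        "integrity": 0, "spec": {("read", "/etc/passwd"), ("write", "/tmp/scratch")}})
    results = [prog.request("getpid"),                               # not intercepted
               prog.request("open", path="/etc/passwd", mode="r"),  # permitted
               prog.request("open", path="/etc/passwd", mode="w"),  # denied by biba
               prog.request("open", path="/tmp/other", mode="r")]   # denied by spec_ids
    return results, prog.audit
```

Running `demo()` shows the unwrapped request passing through untouched, the permitted read carrying its abstract event to the internal API, and each denied request stopping at the wrapper that caught it.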
