Welcome Tom Donohue HB Gary

  1. Autonomic Recovery of Enterprise-wide Systems After Attack or Failure with Forward Correction
     Anup Ghosh & Sushil Jajodia, Center for Secure Information Systems, George Mason University; Peng Liu, Penn State University; Angelos Keromytis, Sal Stolfo, Jason Nieh, Columbia University
  2. Team
     - George Mason University
       - Dr. Anup K. Ghosh, GMU
       - Dr. Sushil Jajodia, GMU
       - Dr. Angelos Stavrou, GMU
       - Dr. Yih Huang, GMU
       - 4 PhD students
     - Penn State University
       - Dr. Peng Liu, PSU
       - 4 PhD students
     - Columbia University
       - Dr. Angelos Keromytis, Columbia University
       - Dr. Salvatore Stolfo, Columbia University
       - Dr. Jason Nieh, Columbia University
       - 4 PhD & 1 MSc students supported by MURI
  3. Scientific Objective
     - Objective: develop self-regenerative enterprise networks that recover and re-constitute themselves after attacks and failures
       - Develop uninterruptible server systems that provide service through attack
       - Automatically recover corrupted systems & databases after attack
       - Automatically regenerate software patches to make systems more robust after attack
     - Technical approach: develop a layered approach to self-regenerative systems
       - Application-level resilience using error virtualization and rescue points
       - System-level resilience using virtualization and transaction semantics for programs, to roll back system state to the last known good continuation point
       - Dynamic patching of applications to improve resiliency after attack
       - Roll forward with correction to quarantine tainted processes and files & back out changes
  4. Scientific Foundation
     - Challenges
       - Software complexity makes perfection unattainable
       - As a result, buggy software is deployed in mission-critical systems
       - When software flaws are triggered, systems crash or are exploited for malicious gain
     - Foundational principles
       - Build secure, reliable systems from imperfect components
       - Develop mechanisms that allow software to learn from attacks and adapt stronger variants
       - Provide recovery mechanisms that will auto-recover corrupted systems & data
  5. Enterprise-Wide Attack Resilience
     - Document-centric active content protection
     - Efficient online recovery after infection
     [Architecture figure; component labels: Content Anomaly Detection, Attack Resilient DB, Web services, Application service processes, DBMS service, Database Files, ASSURE, Uninterruptible Server]
  6. Enterprise-Wide Components
     - Application-level resilience using error virtualization and rescue points (Columbia U)
     - Uninterruptible server resilience using virtualization and automatic feedback control (GMU)
     - Server damage assessment (PSU)
     - Self-healing database to track damage, quarantine tainted records, and repair damage (PSU/GMU)
     - Document-centric active content protection for users (GMU)
     - Efficient online recovery of infected systems after attack (GMU)
  7. The Risk of Active Content
     - Active content looks like data, often from untrusted sources, but executes like a program, usually unbeknownst to the user
     - Active content is used in web browsers, Adobe PDF and Flash players, Apple QuickTime videos, and Microsoft Office documents
       - Vulnerabilities in any of these host applications can be exploited by active content to run commands on the host
     - Active content can compromise other related documents
  8. Active Data Is Frequently Used
     - Web content is active because of embedded JavaScript
     - Office documents often include Visual Basic macros
     - Many multimedia formats support scripting too
     - We rarely use good old-fashioned text files now
  9. Approach: Isolation for Active Content Documents
     - A fundamental principle in traditional OS security: isolation
       - Each process resides in an isolated virtual memory space
       - Inter-process communication, if necessary, must be explicitly set up by programmers
     - Since active content documents can take actions on their own host processes and documents, we develop a technique to isolate them from each other and from the rest of the system
  10. Active Content Isolation Requirements
      - Each active content document must be processed in its own Virtual Execution Environment (VEE)
        - If three Office documents are currently open, there must be three VEEs, one per document, each running its own Office instance
      - If interactions between active contents are necessary, they must be explicitly granted and set up by users/administrators
      - Must be done with minimal additional performance overhead
  11. Containment via Lightweight Virtualization for Active Content Documents
      - Implement lightweight virtualization on a document-centric basis to isolate documents in separate process namespaces
        - Low-overhead approach because there is a single kernel
        - Each lightweight VEE, or container, has its own process, user, and IPC namespaces, just like a VM
        - Containers are resource efficient: we are able to launch 100 Firefox containers without causing swapping on a 4GB desktop
        - Examples: OpenVZ and VServer on Linux, Solaris Zones, BSD Jail (we use OpenVZ)
  12. Seamless User Experience
      [Figure: one FFX container per web document, one Office container per document, one mplayer container per video clip; the entire desktop is in a Home Container, which processes common utilities and passive files]
  13. Properties of Solution
      - Document-centric view of virtualization, rather than OS- or application-centric
      - Versioning and recovery are provided for local documents
      - Online active content (e.g., web pages)
        - Isolated from the rest of the system but not from each other
        - Isolating web content from each other is a separate research branch
  14. Document Containers
      - Created on demand based on a template
      - Creation time is approximately 1 second
      - A container sees only the files the user wants it to see
        - Clicking on an Office document creates a new container
        - The container sees only the given file
        - Unless explicitly set up, containers cannot communicate with each other
        - In fact, they don't even know of the existence of others
  15. Prototype Progress
      - Created a home container running the GNOME desktop
        - The X server runs on the host and is considered trusted
        - Clicking on an active document in the home container automatically launches a new container granted access to that file only
        - Internet applications are all executed in separate containers
      - Firefox, OpenOffice, Thunderbird, Adobe, and mplayer containers created
      - Opening OpenOffice and PDF files automatically redirects to new containers
      - Current limit: only one container can use the audio device at a time
        - May move to a sound server solution later
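The following Python model is an added illustration, not the project's own code: it captures the policy stated on the isolation-requirements, document-container and prototype slides (one VEE per opened document created from a template, a container sees only its own file, inter-container communication is denied unless explicitly granted, and only one container holds the audio device at a time). The template table, container ids and the grant/audio method names are assumptions made for this example.

```python
# Added illustration of the document-centric container policy; not the project's code.
# Template names, container ids and the grant/audio API are assumptions for this example.
import itertools
from dataclasses import dataclass, field

# Hypothetical application -> container template mapping (apps named on the prototype slide).
TEMPLATES = {"openoffice": "Office", "firefox": "FFX", "mplayer": "mplayer", "acroread": "Adobe"}


@dataclass
class Container:
    cid: int
    template: str
    visible: set = field(default_factory=set)  # files this VEE is allowed to see


class ContainerManager:
    """One VEE per opened document; default-deny file visibility and IPC; single audio owner."""

    def __init__(self, passive_files):
        self._ids = itertools.count(1)
        # Home container (id 0) sees the passive files and common utilities.
        self.containers = {0: Container(0, "home", set(passive_files))}
        self.grants = set()       # explicit, administrator-approved IPC pairs
        self.audio_owner = None   # current limit: one container uses audio at a time

    def open_document(self, app, path):
        """Clicking an active document in the home container launches a new VEE
        built from the app's template and granted access to that file only."""
        c = Container(next(self._ids), TEMPLATES[app], {path})
        self.containers[c.cid] = c
        return c.cid

    def can_access(self, cid, path):
        return path in self.containers[cid].visible

    def grant_ipc(self, a, b):
        """Administrator explicitly sets up communication between two containers."""
        self.grants.add(frozenset((a, b)))

    def can_communicate(self, a, b):
        return frozenset((a, b)) in self.grants

    def acquire_audio(self, cid):
        """Only one container may hold the audio device; returns False if it is busy."""
        if self.audio_owner in (None, cid):
            self.audio_owner = cid
            return True
        return False

    def release_audio(self, cid):
        if self.audio_owner == cid:
            self.audio_owner = None
```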
  16. Discussion [email_address]